On Wed, Jan 5, 2011 at 7:51 PM, Richard A Steenbergen <r...@e-gerbil.net> wrote:
> On Wed, Jan 05, 2011 at 05:46:36PM -0600, John Kristoff wrote:
>> Friends and colleagues,
>>
>> At NANOG 48 I talked about a community flow-spec service we were
>> looking at trying to make work. This is the idea of using IETF RFC
>> 5575 to pass around flow-based rules, in this case, primarily for
>> dropping unwanted packets.

<snip>

> As a word of warning to anyone who wants to deploy this on their Juniper
> routers (what other router vendors support it? :P), there are some
> pretty serious performance considerations of which you should be aware.
>
> For example, we discovered that on MX routers (with classic I-chip DPCs,
> the performance should be somewhat better for Trio cards but we haven't
> fully tested the exact numbers yet), installing as few as a dozen
> flowspec routes can create firewall filters that use enough SRAM

'as few as a dozen' - of things like: (forgive the hackery into cisco-ese)

  deny ip 127.0.0.0 0.255.255.255 any
  permit ip any any

or with port/protocol/flags/sizes/etc ?

(can you provide some examples of your dozen-or-so - give folk a starting
point in their testing)

-chris
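For readers who have not looked at what an RFC 5575 rule actually carries on the wire, here is an added example (not code from anyone in this thread) that encodes and decodes the NLRI for rules of the shape discussed above: the "deny ip 127.0.0.0/8 any" rule, and a port/protocol rule. It also builds the traffic-rate extended community (type 0x80, subtype 0x06) whose rate of 0 is what tells the receiving router to discard. The function names, the example prefixes (RFC 5737 documentation space) and the AS number 65000 are my own choices; only component types 1, 2, 3, 5 and 6 with the "equal" operator are handled, and each component's length must fit the one-byte NLRI length form.

```python
"""Encode/decode RFC 5575 (BGP Flow Specification) NLRI for a few rule shapes.

Added example for the NANOG thread above; not code from the thread. Handles
destination/source prefix components and IP protocol / port components with
the numeric '==' operator only.
"""
import struct

# Component types from RFC 5575 section 4 (must be emitted in ascending order)
DST_PREFIX, SRC_PREFIX, IP_PROTO, DST_PORT, SRC_PORT = 1, 2, 3, 5, 6
_NUMERIC_NAMES = {IP_PROTO: "proto", DST_PORT: "dport", SRC_PORT: "sport"}


def _prefix_component(ctype, prefix):
    """Type byte, prefix length in bits, then only the octets the length covers."""
    ip, plen = prefix.split("/")
    plen = int(plen)
    octets = bytes(int(o) for o in ip.split("."))
    nbytes = (plen + 7) // 8
    return bytes([ctype, plen]) + octets[:nbytes]


def _numeric_component(ctype, values):
    """Encode a list of values as an OR'ed list of '== value' operators.

    Operator byte: bit7 end-of-list, bit6 AND, bits5-4 value length
    (00=1, 01=2, 10=4 bytes), bit2 lt, bit1 gt, bit0 eq.
    """
    out = bytes([ctype])
    for i, v in enumerate(values):
        end = 0x80 if i == len(values) - 1 else 0
        if v < 256:
            ln, enc = 0, struct.pack("!B", v)
        elif v < 65536:
            ln, enc = 1, struct.pack("!H", v)
        else:
            ln, enc = 2, struct.pack("!I", v)
        out += bytes([end | (ln << 4) | 0x01]) + enc
    return out


def encode_nlri(dst=None, src=None, proto=None, dport=None, sport=None):
    """Build one flowspec NLRI: 1-byte length followed by the components."""
    body = b""
    if dst:
        body += _prefix_component(DST_PREFIX, dst)
    if src:
        body += _prefix_component(SRC_PREFIX, src)
    if proto:
        body += _numeric_component(IP_PROTO, proto)
    if dport:
        body += _numeric_component(DST_PORT, dport)
    if sport:
        body += _numeric_component(SRC_PORT, sport)
    if len(body) >= 240:
        raise ValueError("two-byte NLRI length form not implemented here")
    return bytes([len(body)]) + body


def decode_nlri(data):
    """Parse an NLRI produced by encode_nlri back into a dict."""
    length = data[0]
    if length >= 240:
        raise ValueError("two-byte NLRI length form not implemented here")
    body, i, rule = data[1:1 + length], 0, {}
    while i < len(body):
        ctype = body[i]
        i += 1
        if ctype in (DST_PREFIX, SRC_PREFIX):
            plen = body[i]
            i += 1
            nbytes = (plen + 7) // 8
            octets = body[i:i + nbytes] + b"\x00" * (4 - nbytes)
            i += nbytes
            key = "dst" if ctype == DST_PREFIX else "src"
            rule[key] = ".".join(str(b) for b in octets) + "/%d" % plen
        elif ctype in _NUMERIC_NAMES:
            vals = []
            while True:
                op = body[i]
                i += 1
                ln = 1 << ((op >> 4) & 0x3)
                vals.append(int.from_bytes(body[i:i + ln], "big"))
                i += ln
                if op & 0x80:  # end-of-list
                    break
            rule[_NUMERIC_NAMES[ctype]] = vals
        else:
            raise ValueError("unsupported component type %d" % ctype)
    return rule


def traffic_rate_community(asn, rate_bytes_per_sec):
    """Extended community 0x8006 (traffic-rate); a rate of 0.0 means discard."""
    return struct.pack("!BBHf", 0x80, 0x06, asn, rate_bytes_per_sec)


if __name__ == "__main__":
    # The 'deny ip 127.0.0.0/8 any' rule from the thread: source-prefix only.
    print(encode_nlri(src="127.0.0.0/8").hex())
    print(encode_nlri(dst="192.0.2.0/24", proto=[17], dport=[53]).hex())
    print(traffic_rate_community(65000, 0.0).hex())
```

The first rule is only four bytes on the wire, which is a useful reminder that the size of the NLRI says nothing about the size of the firewall filter a given linecard compiles it into; that is a property of the forwarding ASIC, which is the point Richard is making above.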