Re: [j-nsp] prefix-limit effectiveness
A follow up from months ago- despite the fact that I was rejecting all of the routes from my upstream peer on this router, and limiting the total to 5000, it was still crowding out memory, and not all of the routes from OSPF neighbors were making it into the routing table. Even though these routes were 'hidden' they were still taking up space (which is to be expected.) The "keep none" command in this particular peer configuration is what did the trick- it actually removes the routes, not just positing them as 'hidden', which then cleared up space in the router, and all of my OSPF routes finally had room to populate within the 5000 prefix limit.

Just thought I'd drop this nugget here in case anyone runs into the same issue.

Thanks,
Dan

-----Original Message-----
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Dan Farrell
Sent: Monday, February 09, 2009 11:33 AM
To: Richard A Steenbergen
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] prefix-limit effectiveness

Thanks for the information... I will let you know how it goes (though it seems you already know hehehe, since this was your baby.)

Thanks,
Dan

-----Original Message-----
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: Thursday, February 05, 2009 7:04 PM
To: Dan Farrell
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] prefix-limit effectiveness

On Thu, Feb 05, 2009 at 02:05:14PM -0800, Dan Farrell wrote:
>
> Then I limit the number of prefixes it will even look at to 5000 -
>
>     import default-route;
>     family inet {
>         unicast {
>             prefix-limit {
>                 maximum 5000;
...
> This is effective- I have only the default to use from my upstream.
> But I keep generating tons of log messages because I keep getting (and
> rejecting) tons of routes. Without asking the upstream to not
> advertise the full route table, is there something I can do on my end
> to limit the syslog messages I keep getting?
>
> Feb 5 19:00:43 nap-r2-edge-2 rpd[82464]: RPD_RT_PREFIX_LIMIT_REACHED:
> Number of prefixes (4000) in table inet.0 still exceeds or equals configured
> maximum (4000)

Well technically speaking you can always filter by regexp anything that you send to system, but what you really want is accepted-prefix-limit instead of prefix-limit above. Prefix-limit is applied to all routes received by the router, even if they are rejected by your import policy. Basically this protects router DRAM from something going wild and sending you a billion routes, but is less useful as a policy protection, or in your case to limit the number of routes being installed to FIB.

Accepted-prefix-limit is a relatively new feature added in 9.2 (and pardon me while I do a little dance about it, but this is one of my feature requests which I've been asking for for 6 years and it just finally got implemented! :P) which limits the number of routes AFTER your import policy has been applied. In the example above, even though you are receiving a full table, you are rejecting all but 1 route in policy, so the value that would be evaluated by accepted-prefix-limit is 1.

--
Richard A Steenbergen                        http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] prefix-limit effectiveness
Thanks for the information... I will let you know how it goes (though it seems you already know hehehe, since this was your baby.)

Thanks,
Dan

-----Original Message-----
From: Richard A Steenbergen [mailto:r...@e-gerbil.net]
Sent: Thursday, February 05, 2009 7:04 PM
To: Dan Farrell
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] prefix-limit effectiveness

On Thu, Feb 05, 2009 at 02:05:14PM -0800, Dan Farrell wrote:
>
> Then I limit the number of prefixes it will even look at to 5000 -
>
>     import default-route;
>     family inet {
>         unicast {
>             prefix-limit {
>                 maximum 5000;
...
> This is effective- I have only the default to use from my upstream.
> But I keep generating tons of log messages because I keep getting (and
> rejecting) tons of routes. Without asking the upstream to not
> advertise the full route table, is there something I can do on my end
> to limit the syslog messages I keep getting?
>
> Feb 5 19:00:43 nap-r2-edge-2 rpd[82464]: RPD_RT_PREFIX_LIMIT_REACHED:
> Number of prefixes (4000) in table inet.0 still exceeds or equals configured
> maximum (4000)

Well technically speaking you can always filter by regexp anything that you send to system, but what you really want is accepted-prefix-limit instead of prefix-limit above. Prefix-limit is applied to all routes received by the router, even if they are rejected by your import policy. Basically this protects router DRAM from something going wild and sending you a billion routes, but is less useful as a policy protection, or in your case to limit the number of routes being installed to FIB.

Accepted-prefix-limit is a relatively new feature added in 9.2 (and pardon me while I do a little dance about it, but this is one of my feature requests which I've been asking for for 6 years and it just finally got implemented! :P) which limits the number of routes AFTER your import policy has been applied. In the example above, even though you are receiving a full table, you are rejecting all but 1 route in policy, so the value that would be evaluated by accepted-prefix-limit is 1.

--
Richard A Steenbergen                        http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: [j-nsp] prefix-limit effectiveness
On Thu, Feb 05, 2009 at 02:05:14PM -0800, Dan Farrell wrote:
>
> Then I limit the number of prefixes it will even look at to 5000 -
>
>     import default-route;
>     family inet {
>         unicast {
>             prefix-limit {
>                 maximum 5000;
...
> This is effective- I have only the default to use from my upstream.
> But I keep generating tons of log messages because I keep getting (and
> rejecting) tons of routes. Without asking the upstream to not
> advertise the full route table, is there something I can do on my end
> to limit the syslog messages I keep getting?
>
> Feb 5 19:00:43 nap-r2-edge-2 rpd[82464]: RPD_RT_PREFIX_LIMIT_REACHED:
> Number of prefixes (4000) in table inet.0 still exceeds or equals configured
> maximum (4000)

Well technically speaking you can always filter by regexp anything that you send to system, but what you really want is accepted-prefix-limit instead of prefix-limit above. Prefix-limit is applied to all routes received by the router, even if they are rejected by your import policy. Basically this protects router DRAM from something going wild and sending you a billion routes, but is less useful as a policy protection, or in your case to limit the number of routes being installed to FIB.

Accepted-prefix-limit is a relatively new feature added in 9.2 (and pardon me while I do a little dance about it, but this is one of my feature requests which I've been asking for for 6 years and it just finally got implemented! :P) which limits the number of routes AFTER your import policy has been applied. In the example above, even though you are receiving a full table, you are rejecting all but 1 route in policy, so the value that would be evaluated by accepted-prefix-limit is 1.

--
Richard A Steenbergen                        http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
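The two pieces this thread arrives at, Richard's accepted-prefix-limit and Dan's keep none, combined on one upstream neighbor as an added configuration example (not taken from any message in the thread, and not a Juniper document). The group name, neighbor address, peer AS, the 1000000 pre-policy ceiling and the teardown/idle-timeout settings are placeholders and assumptions; the 5000 maximum and the default-route import policy come from the thread.

```junos
/* Added example, not from the thread. Scenario: the upstream sends a full
   table, but only its default route is wanted. Names and numbers below
   are placeholders chosen for illustration. */
protocols {
    bgp {
        group upstream-transit {
            type external;
            peer-as 64496;                    /* placeholder ASN */
            neighbor 192.0.2.1 {              /* placeholder address */
                import default-route;         /* accepts only 0.0.0.0/0 */
                /* keep none: routes rejected by import policy are discarded
                   instead of being held as hidden, so they stop consuming
                   RIB memory. A later import-policy change then needs the
                   peer to resend its routes. */
                keep none;
                family inet {
                    unicast {
                        /* Pre-policy guard: counts every route the peer sends,
                           accepted or not. Left well above a full table so it
                           only fires if the peer goes wild; at 5000 it would
                           trip (and log) continuously on a full feed. */
                        prefix-limit {
                            maximum 1000000;
                            teardown 90 idle-timeout 30;
                        }
                        /* Post-policy guard: counts only routes the import
                           policy accepted. With import default-route that
                           count is 1, so 5000 is never approached. */
                        accepted-prefix-limit {
                            maximum 5000;
                            teardown 90 idle-timeout 30;
                        }
                    }
                }
            }
        }
    }
}
policy-options {
    policy-statement default-route {
        term only-default {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        then reject;
    }
}
```

With this in place, RPD_RT_PREFIX_LIMIT_REACHED indicates a genuinely abnormal feed rather than the expected full table being rejected in policy.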