[j-nsp] Modern BGP peering border router and DDoS recommendations with Juniper?

sthaug at nethelp.no sthaug at nethelp.no
Fri Jun 10 16:05:53 EDT 2005


> > I'm trying to get a handle on the Juniper platform needed to withstand a
> >
> > 1) small
> > 2) medium
> > 3) large-scale (NxGbps rate)
> >
> > DDoS attack
> 
> Most of the M-series routers stand up very well against even a large attack
> because of the hardware-based packet forwarding.

Agreed, the M series (and T series) work very well here.

> I believe the J-series 
> routers do at least some software-based forwarding, but I don't have any 
> direct experience with them or their ability to handle attacks without 
> folding.

The J series do software based forwarding - however, as far as I know
the CPU is powerful enough to do line rate with minimum sized packets
(which is *not* the case for a 7200, see below). Certainly the J series
CPUs are significantly more powerful than the CPU of the NPE-G1.

> > What Juniper router would be comparable to:
> >
> > Cisco 7200?
> 
> These are my personal opinions - I speak for no one else.
> 
> J6300, M7i, M10i

Agreed that these are in many ways comparable - however, when it comes
to handling DoS attacks, M7i and M10i are significantly superior to the
7200 due to hardware based forwarding.

An example: We tested 7206VXR/NPE-G1 some months ago with a Spirent
Smartbits. We were able to get 630k pps of 64 byte packets through the
onboard GigE ports. This is only about one STM-1 worth of minimum sized
packets. With more normal sized packets, of course, the NPE-G1 can do
significantly more than one STM-1.

> > Cisco 7304?
> 
> Same as the 7200.

The 7304/NSE-100 (hardware based forwarding) is different from the 7304/
NPE-G100 (software based forwarding) in the face of DoS attacks.

> > (for example, something like: "You can't take full routes from your BGP
> > peers without at least M7/M10/M20 etc... and X level of memory")
> 
> M7i/M10i can handle full BGP routes.  To be safe you probably want to put 
> 512 or 768 MB of RAM on the routing engine.

We have quite a few M7i in production, all of them with 768 MB and full
routes.

Steinar Haug, Nethelp consulting, sthaug at nethelp.no

