[c-nsp] CSCuy29638 - MPLS (for IPv4) Brokenness Fixed - ASR920

Saku Ytti saku at ytti.fi
Sun Aug 7 18:10:14 EDT 2016


On 7 August 2016 at 20:10, Adam Vitkovsky <Adam.Vitkovsky at gamma.co.uk> wrote:

> If the policer is tight you should be fine, but still one needs to consider
> who can talk NTP to his box (iACL).

The policer is there to stop volumetric DoS, but it would not help in
this wedged interface case, or any security issue at all.
But I fully agree an iACL is a must also.

> Good point, yeah there's always the collateral damage problem.

That particular issue can and should be solved, and for example
Juniper has solved it (well, actually it's pretty much a carbon copy from
the Unisphere guys). Essentially lo0 is used to determine what to punt,
then ddos-protection is used to limit its rate. You can limit on many
levels: aggregate, ifd, ifl, sub (session). Usually IFL is more than
sufficient; if one IFL is misbehaving, BGP in that IFL gets its own
policer, automatically, and all other BGP sessions are safe.
You could today do this manually as well, as JunOS finally got PPS
policers, but you probably don't want to configure the lo0 filter manually
with a unique policer for every eBGP.

> Are you sure about this?
> I would have thought that CP traffic injected to the wire is bypassing all
> the QOS but not the received CP traffic.

Yeah, but only because that dog bit me. I was getting ICMPv6 from a
customer, causing all other IPv6 customers sharing the same NPU to be
down. The initial reaction (after even finding out what the problem was,
which requires stopping the NPU for capture) was to police this
customer's ICMPv6; that did nothing, an ACL fixed it. A subsequent TAC case
confirmed it is expected: MQC will not see punted traffic.

-- 
  ++ytti
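An added configuration sketch (mine, not from the thread, not from Juniper documentation) of the lo0-filter-plus-ddos-protection arrangement described above: the lo0 filter decides what gets punted and polices BGP by packets per second, and ddos-protection's per-logical-interface flow detection gives one misbehaving IFL its own BGP budget so the other sessions keep theirs. The prefix list, interface, rates and term names are constructed; whether `if-exceeding-pps` and the `flow-level-*` knobs are available depends on the Junos release and platform.

```junos
/* Added example, not from the thread. Values below are constructed. */
policy-options {
    prefix-list bgp-peers {           /* configured eBGP neighbours only */
        192.0.2.1/32;
        198.51.100.7/32;
    }
}
firewall {
    policer bgp-pps-policer {
        /* pps-based policer; requires a release that supports if-exceeding-pps */
        if-exceeding-pps { pps-limit 2000; packet-burst 2000; }
        then discard;
    }
    family inet {
        filter protect-re {           /* applied on lo0: decides what is punted */
            term bgp-peers {
                from {
                    source-prefix-list { bgp-peers; }
                    protocol tcp;
                    port bgp;
                }
                then { policer bgp-pps-policer; count bgp-accepted; accept; }
            }
            term default {            /* anything not explicitly allowed is not punted */
                then { count re-drop; discard; }
            }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input protect-re; } } } }
}
system {
    ddos-protection {
        global { flow-detection; }    /* enable suspicious-flow detection */
        protocols {
            bgp {
                aggregate {
                    bandwidth 1000;   /* aggregate BGP punt rate, pps */
                    burst 1000;
                    flow-level-detection {
                        subscriber off;
                        logical-interface on;   /* per-IFL detection: isolates one bad IFL */
                        physical-interface off;
                    }
                    flow-level-bandwidth { logical-interface 500; }  /* per-IFL BGP cap, pps */
                }
            }
        }
    }
}
```

Check hits with `show ddos-protection protocols bgp statistics` and the lo0 filter counters; a single IFL tripping the flow limit should show as a culprit flow while the aggregate BGP counters stay within bandwidth.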


More information about the cisco-nsp mailing list