[j-nsp] Massive ICMP test. Could it generate problems?

Gary Tate gtate at juniper.net
Tue Dec 9 11:47:14 EST 2003


On Dec 9, 2003, at 8:24 AM, mark at glassbil.net wrote:

> Ok,
>
> This was what I have been told.
>
> But doesn't every "ping" from a Juniper cause a CPU interrupt? And this
> will force it to respond and hence occupy CPU time? So in theory you
> could disturb the Juniper (depending on CPU load) if you generate too much
> traffic through the RE/CPU, or is this controlled by limiting the
> process of ICMP?
>
Indeed this will cause some CPU time usage but very small. Processes on 
the RE are tightly controlled and ping will not overrun any essential 
processes on the CPU.

> My worry is that if several people are logged in to the M160 doing
> massive ping tests at the same time it will cause problems with the Juniper.
>
This will not cause a problem.
Pings are limited to 50 pps and the ping process takes very little CPU.

> Best Regards
> Mark
>
>
>
>> Traffic sourced from the RE (Routing Engine) is sent via the control
>> plane on an internal FastEthernet connection to the PFE (Packet
>> Forwarding Engine - Internet Processor) and then forwarded via the
>> forwarding plane.
>>
>> Running ping tests from the RE (Routing Engine) will not disturb
>> the other control traffic as this is prioritized and limited.  Routing
>> control traffic etc takes precedence over ICMP ping traffic sourced
>> from the RE.
>>
>> There are queues and limiting of traffic types between the RE and the
>> PFE in both directions to protect the RE from being overrun by traffic
>> in the event of DOS attacks etc.
>>
>> Additional filters and policers can be added between the RE and the
>> PFE to further protect the system.
>>
>> There is a publicly available document about security which has a
>> section detailing "Applying Firewall Filters to the Routing Engine" as
>> well as other useful security advice at the following location:
>>
>> http://www.juniper.net/solutions/literature/app_note/350013.pdf
>>
>> Additional information can be obtained through the Juniper JTAC.
>> Thanks
>> Gary
>>
>> On Dec 9, 2003, at 5:56 AM, mark at glassbil.net wrote:
>>
>>> Hi,
>>>
>>> Still rather new to Juniper and only have a basic knowledge
>>> over how it works. But I have heard that when I'm doing massive
>>> ping test from a Juniper I could disturb "live" traffic. I can't
>>> really find a simple answer to what or how this is.
>>>
>>> Question:
>>> Could a massive ping test from a Juniper (M160 in this case) cause
>>> disturbance in the original traffic flow / processes in an M160?
>>>
>>> Say you have 4 sessions and running 4 x rapid ping with 5000 bytes.
>>> Could this overload the RE? Or the bus?
>>>
>>> Thanx for any replies.
>>>
>>> //Mark
>>>
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> http://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>>
>
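
The "additional filters and policers" mentioned in the thread are normally applied as an input filter on the loopback interface, which covers traffic destined to the Routing Engine. The following is an added sketch, not part of the original message or of the Juniper application note it cites; the names `icmp-to-re` and `protect-re` and the rate and burst values are assumptions chosen for illustration.

```junos
firewall {
    /* Constructed values: size the limit for your own platform and tooling. */
    policer icmp-to-re {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Rate-limit the ICMP types the RE needs for ping and traceroute. */
            term icmp-limited {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-to-re;
                    accept;
                }
            }
            /*
             * A filter ends with an implicit discard. This catch-all keeps the
             * sketch from cutting off routing and management traffic; a real
             * RE filter would instead list the permitted protocols and
             * sources term by term and let everything else drop.
             */
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* An input filter on lo0 applies to packets destined to the RE. */
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because the filter is applied in the input direction, it polices echo requests aimed at the router and the echo replies returning to RE-sourced pings, on top of the built-in limits described in the thread.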