[j-nsp] M7i w/ASM for cflowd / fw

Rutger Bevaart rutger.bevaart at illian.net
Wed Apr 13 09:18:03 EDT 2005


On Wed, April 13, 2005 15:03, Alexandre Snarskii said:
> On Wed, Apr 13, 2005 at 01:33:20PM +0200, Rutger Bevaart wrote:
>>
>> hello list,
>>
>> I am slightly confused as to the features offered by the ASM. Ideally I
>> would like to use an M7i as an ASBR, collecting data to cflowd for DDoS
>> and traffic analysis and protecting the infrastructure using firewall
>> rules to block outside access to the control plane of the AS
>> infrastructure (not just this router, but all loopbacks and interfaces
>> of all routers within the AS).
>>
>> Now, from the Juniper docs I understand that in order to use J-Flow I
>> need to add an ASM to the config (additional $10K) which includes the
>> J-Flow license (foregoing the NAT/FW thing). Can I export cflowd
>> compatible data just using 'accounting' or does that also use/require
>> the ASM?
>

OK. Using sampled NetFlow is sufficient, but this uses the fxp1 interface,
right? So it could theoretically impact my BGP neighbor sessions (~50
sessions) that frequently use that interface. Are there any limiting
functions available to restrict the NetFlow sampling from clogging up the RE
interface to the PFE?


> You can export NetFlow data from a Juniper router even when it is not
> equipped with an ASM. But under realistic traffic load (more than 7 kpps)
> you can use only 'sampled' NetFlow, due to some internal limitations. See
> http://www.juniper.net/techpubs/software/junos/junos64/swconfig64-services/html/flow-monitoring-config3.html
> for flow sampling configuration.
>
> As for me, sampled NetFlow is good enough for your purposes.
>
>> Can control-plane protection be implemented on just the RE, or is the
>> ASM mandatory for that? Suppose I want to ACL telnet/ssh access to a
>> couple of subnets internal to the AS for all external IPs, could that be
>> done using a simple RE solution or is the ASM required for that?
>
> We use a simple filter on interface lo0 for that purpose.
> Anyway, you may telnet only to the lo0/lo0.* address, not to interface
> addresses.
>

But that would then only protect that specific router. Say I'd like to do
an ACL (Cisco style) such as "access-list 100 deny ip any <aggregate of
infra>". This would deny all traffic having a destination IP address
belonging to any router in my network (assuming they are summarized into 1
route). Can that be (efficiently) done without an ASM?

thx.

>> Coming from another vendor's view of the world it is sometimes
>> difficult!
>>
>> Thanks for any replies,
>> Rutger
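Added example (not from the thread or from Juniper's docs): a JUNOS configuration sketch covering the three things discussed above, an lo0 filter restricting telnet/ssh to the RE to internal management subnets, an ingress filter on the external interface that discards any outside packet destined to the infrastructure aggregate (the Cisco "deny ip any <aggregate>" equivalent, which protects the other routers too), and sampled flow export to a cflowd collector without an ASM. All prefixes, the collector address, the interface name and the sampling rate are constructed placeholders.

```junos
/* Constructed values: 192.0.2.0/24 = infrastructure aggregate (all router
   loopbacks/links), 10.1.0.0/24 = internal mgmt subnet, 10.1.0.5 = cflowd collector */
policy-options {
    prefix-list infra-aggregate { 192.0.2.0/24; }
    prefix-list mgmt-subnets { 10.1.0.0/24; }
}
firewall {
    family inet {
        /* Applied to lo0: catches everything addressed to this router's RE. */
        filter protect-re {
            term mgmt-from-inside {
                from { source-prefix-list { mgmt-subnets; } protocol tcp; destination-port [ ssh telnet ]; }
                then accept;
            }
            term deny-other-mgmt {
                from { protocol tcp; destination-port [ ssh telnet ]; }
                then { count denied-mgmt; discard; }
            }
            /* Keep BGP and everything else reachable; tighten further once the
               counters confirm nothing legitimate is being discarded. */
            term default { then accept; }
        }
        /* Applied inbound on external interfaces: outside hosts get no access to
           any address in the infrastructure aggregate, whichever router owns it. */
        filter protect-infra {
            term deny-to-infra {
                from { destination-prefix-list { infra-aggregate; } }
                then { count denied-infra; discard; }
            }
            term default { then accept; }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input protect-re; } address 192.0.2.1/32; } } }
    ge-0/0/0 {   /* external (ASBR) interface; name is a placeholder */
        unit 0 { family inet { filter { input protect-infra; } sampling { input; } address 203.0.113.2/30; } }
    }
}
forwarding-options {
    sampling {
        input { family inet { rate 100; } }   /* sample 1 packet in 100 */
        output { cflowd 10.1.0.5 { port 2055; version 5; } }
    }
}
```

The `count` actions give `show firewall` counters to verify the filters are hitting what you expect; add eBGP peers' addresses to the infra filter as accept terms before `deny-to-infra` if any external link addresses fall inside the aggregate.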