[j-nsp] Modern BGP peering border router and DDoS recommendations with Juniper?

Saku Ytti saku+juniper-nsp at ytti.fi
Sun Jun 12 08:24:51 EDT 2005


On (2005-06-10 22:05 +0200), sthaug at nethelp.no wrote:

> The J series do software based forwarding - however, as far as I know
> the CPU is powerful enough to do line rate with minimum sized packets
> (which is *not* the case for a 7200, see below). Certainly the J series
> CPUs are significantly more powerful than the CPU of the NPE-G1.

 Yes, this is what I'd also want to believe, but the documents don't agree with that:
http://www.juniper.net/techpubs/software/jseries/junos70/jseries-user-guide-70/jN10A42.html

 So on paper the ISR series (1800, 2800, 3800) is cheaper, has more features and a lot
more throughput. I'd love to see real world measurements; I _hope_
these given numbers are worst case scenarios with all imaginable features
turned on, with huge ACLs etc.
 Needless to say, the NPE-G1 is more powerful than the ISR series.

> An example: We tested 7206VXR/NPE-G1 some months ago with a Spirent
> Smartbits. We were able to get 630k pps of 64 byte packets through the
> onboard GigE ports. This is only about one STM-1 worth of minimum sized
> packets. With more normal sized packets, of course, the NPE-G1 can do
> significantly more than one STM-1.

 No question about it that the M7i/M10i kills the NPE-G1 in lookup speed, 40M
vs. 1M, and that the NPE-G1 will not handle even a unidirectional wire-rate 1G
DoS.
 I still think your reports are quite misleading, comparing 640kpps
to an STM-1, while we'd need to remember that GigE per direction is at max only
1.4Mpps and that Ethernet overhead compared to e.g. HDLC/POS is huge.
 Just curious, how did you manage to get only 630kpps? The NPE-G1 should
be able to handle ~1Mpps, and I know I've run Smartbits at over 800kpps
(minimum-size Ethernet frames, i.e. max IP packet size 46B).

> The 7304/NSE-100 (hardware based forwarding) is different from the 7304/
> NPE-G100 (software based forwarding) in the face of DoS attacks.

 The NSE100 will happily handle a 1GE unidirectional attack with any
packet size, even with ACL+RPF etc. In the NSE100 it's either one or two
passes through the NPU complex. A single pass means 3.5Mpps, so two
passes are still 1.75Mpps, more than enough to handle a 1GE unidirectional
DoS.
 Some limitations of the NSE100 are that it only takes max. 512MB of memory,
and e.g. IPv6 is not done in PXF yet.

-- 
  ++ytti
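The pps figures argued over above depend on framing overhead, which differs between Ethernet and POS. The following calculator is an added example, not part of the thread; it uses the IEEE 802.3 and SDH constants, and the POS per-packet overhead (PPP in HDLC with 32-bit FCS) plus the function names are assumptions.

```python
# Wire-rate pps calculator: packets/s a link carries once framing overhead is
# counted, and how many such links a measured forwarding rate (e.g. a
# Smartbits result) can absorb. Useful for judging whether a border router
# survives a unidirectional wire-rate flood of minimum-size packets.

ETH_L2_OVERHEAD = 14 + 4          # Ethernet header + FCS, bytes
ETH_WIRE_OVERHEAD = 8 + 12        # preamble/SFD + interframe gap, bytes
ETH_MIN_FRAME = 64                # minimum frame, header through FCS

GIGE_BPS = 1_000_000_000
STM1_PAYLOAD_BPS = 149_760_000    # SDH payload after section/line overhead

# Assumption: POS framing = flag + address + control + 2B PPP protocol + 4B FCS
POS_OVERHEAD = 1 + 1 + 1 + 2 + 4


def ethernet_pps(ip_bytes: int, link_bps: int = GIGE_BPS) -> float:
    """Packets/s one direction of an Ethernet link carries for IP packets of ip_bytes."""
    frame = max(ip_bytes + ETH_L2_OVERHEAD, ETH_MIN_FRAME)   # small IP is padded to 64B
    return link_bps / ((frame + ETH_WIRE_OVERHEAD) * 8)


def pos_pps(ip_bytes: int, payload_bps: int = STM1_PAYLOAD_BPS) -> float:
    """Packets/s a POS link carries; no minimum frame, only HDLC/PPP overhead."""
    return payload_bps / ((ip_bytes + POS_OVERHEAD) * 8)


def headroom_report(forwarding_pps: float, ip_bytes: int) -> dict:
    """Compare a measured forwarding rate against GigE and STM-1 wire rate."""
    ge = ethernet_pps(ip_bytes)
    s1 = pos_pps(ip_bytes)
    return {
        "gige_wire_pps": round(ge),
        "stm1_wire_pps": round(s1),
        "gige_links": round(forwarding_pps / ge, 2),    # GigEs at wire rate absorbed
        "stm1_links": round(forwarding_pps / s1, 2),    # STM-1s at wire rate absorbed
        "handles_1ge_unidirectional": forwarding_pps >= ge,
    }


if __name__ == "__main__":
    # 630 kpps and 1.75 Mpps are the NPE-G1 and two-pass NSE100 figures from
    # the thread; 46B is the IP payload of a minimum-size Ethernet frame.
    for pps in (630_000, 1_750_000):
        print(pps, headroom_report(pps, 46))
```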

