[j-nsp] IGMP Join Rate Limiting
Harry Reynolds
harry at juniper.net
Wed Aug 5 13:50:27 EDT 2009
IGMP messages carry the router alert option, and as with all exception traffic are throttled in the PFE to prevent excess PFE CPU and PFE-RE bw consumption, as you surmise. I believe the default setting is ~25 pps, and is not user configurable. IIRC, on distributed PFE systems such as a T-series this is per PFE, so you can get an aggregate rate that is higher. Perhaps this explains your numbers.
I believe you can confirm by displaying PFE notification stats, which should count rate limit discards.
HTHs
regress@vpn02> show pfe statistics notification
PFE Notification statistics:
    183466 parsed
         0 aged
         0 corrupt
         0 illegal
         0 sample
         0 giants
         0 transit options/ttl-exceeded (re-injected)
         0 transit options/ttl-exceeded errors
         0 svc options sent to ASP
         0 svc options sent to RE
         0 post svc options sent out
         0 options or ttl expired (not RE-destined)
         0 discard sample
         0 rate limited
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^
         0 packet get failure
         0 DMA failure
         0 Total DMa'd packets
         0 Unknown/unclassified packets

PFE Notification Type statistics:
                 Parsed    Input   Failed  Ignored
   Illegal            0        0        0        0
   Unclass            0        0        0        0
   Option          2858     2858        0        0
   Next-Hop      180608   180608        0        0
   Discard            0        0        0        0
   Sample             0        0        0        0
   Redirect           0        0        0        0
   DontFrag           0        0        0        0
   CfDF               0        0        0        0
   Poison             0        0        0        0
   Unknown            0        0        0        0

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Judah Scott
Sent: Tuesday, August 04, 2009 6:56 PM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] IGMP Join Rate Limiting
When testing IGMP join rates I see an unusual rate of ~500 pps. In an example I look at interface stats and see 1000 packets in, 539 input to local, 461 input to transit. Corresponding to this I see 539 IGMP groups set up. If I burst the same range again in the next second I don't learn any more. If I burst a new range of joins then these will go through.
This leads me to believe that there is some filter or DoS protection for multicast packets, because looking at the CPU I only see ~10% utilization. I only see the default arp l2-policer being applied on this interface. Does anyone have experience with DoS protection in JUNOS?
Thanks,
J Scott
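
One way to apply the check suggested in the reply, as an added example that is not part of the original thread: capture `show pfe statistics notification` before and after a test burst and diff the counters, so any growth in "rate limited" stands out. The snapshot text and its numbers are constructed, and the helper names `parse` and `delta` are hypothetical.

```python
import re

# Constructed snapshots in the command's layout; all numbers are invented.
BEFORE = """PFE Notification statistics:
    183466 parsed
         0 rate limited
PFE Notification Type statistics:
                 Parsed    Input   Failed  Ignored
   Option          2858     2858        0        0
   Next-Hop      180608   180608        0        0
"""
AFTER = """PFE Notification statistics:
    184466 parsed
       750 rate limited
    ^^^^^^^^^^^^^^^^^^^
PFE Notification Type statistics:
                 Parsed    Input   Failed  Ignored
   Option          3858     3858        0        0
   Next-Hop      180608   180608        0        0
"""
COUNTER = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")
TYPE_ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse(text):
    """Flatten both sections into {name: int}; type rows become e.g. 'Option/failed'."""
    out = {}
    for line in text.splitlines():  # headers and the ^^^^ marker match neither regex
        if row := TYPE_ROW.match(line):
            for col, val in zip(("parsed", "input", "failed", "ignored"), row.groups()[1:]):
                out[f"{row.group(1)}/{col}"] = int(val)
        elif cnt := COUNTER.match(line):
            out[cnt.group(2)] = int(cnt.group(1))
    return out

def delta(before, after, interval_s):
    """Counters that grew between two snapshots, as {name: (increase, per_second)}."""
    b, a = parse(before), parse(after)
    if "rate limited" not in b or "rate limited" not in a:
        raise ValueError("'rate limited' counter missing; wrong command output?")
    changed = {}
    for name, new in a.items():
        diff = new - b.get(name, 0)
        if diff < 0:
            raise ValueError(f"{name} decreased; counters were cleared or wrapped")
        if diff:
            changed[name] = (diff, diff / interval_s)
    return changed

if __name__ == "__main__":
    print(delta(BEFORE, AFTER, 10))
```

On a system with several PFEs the snapshots would need to be taken per PFE, since the reply notes the limit applies to each one separately.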