[j-nsp] RE CPU DoS Filters

Marlon Duksa mduksa at gmail.com
Wed Aug 5 14:21:12 EDT 2009


But the PFE stuff is only per DPC/FPC. I clearly see that there are no drops
there. The drops are somewhere in the control plane, on the routing engine
itself. How can I see what is going on there? Or RE can't process the volume
of the traffic that we send. The problem is that this volume is not that
big, and I do not believe that RE on MX can't process 1000 IGMP pps. It must
be something else.
Thanks,
marlon




On Wed, Aug 5, 2009 at 11:12 AM, Harry Reynolds <harry at juniper.net> wrote:

> There is option packet rate limiting in the pfe. The "filter" is, I
> believe, standard tcp dump Op indicating that the packets passed whatever
> user supplied regex filter expression (in your case null), a function that
> is broken in junos and in theory evoked with the "matching" keyword to
> monitor traffic.
>
> Unlike the default arp policer I do not believe you can view the optioned
> packets rate limiting directly. I just posted to this forum w/some info on
> the rate limit and how to confirm.
>
> Regards
>
>
>
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:
> juniper-nsp-bounces at puck.nether.net] On Behalf Of Marlon Duksa
> Sent: Wednesday, August 05, 2009 11:07 AM
> To: Juniper-Nsp
> Subject: [j-nsp] RE CPU DoS Filters
>
> Hi - is there any way to look at the default filters that are applied on the
> RE? Or see what's being queued on the RE for processing, say RSVP packets,
> or BGP packets, or IGMP packets, something along the 'netstat' command.
> We are dropping some control traffic into the RE. When we run the command
> "run monitor traffic interface xxx" we see that we receive only 533 packets
> by "filter". Which filter? We are sending 1000 packets but only receiving
> 533. We know that we do not have any filter on the interfaces. So this
> filter, is it a control plane filter? How do we see it or change it?
>
>
> 1:03:09.553047  In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group
> record(s)
> 11:03:09.553048  In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group
> record(s)
> 11:03:09.553049  In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group
> record(s)
> 11:03:09.553051  In IP 20.1.1.2 > 224.0.0.22: igmp v3 report, 1 group
> record(s)
> ^C^C
> 533 packets received by filter
> 0 packets dropped by kernel
>
> Thanks,
> Marlon