[j-nsp] prefix-limit effectiveness

Dan Farrell danno at appliedi.net
Mon Feb 9 11:33:26 EST 2009


Thanks for the information... I will let you know how it goes (though it seems you already know hehehe, since this was your baby.)

Thanks,


Dan

-----Original Message-----
From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
Sent: Thursday, February 05, 2009 7:04 PM
To: Dan Farrell
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] prefix-limit effectiveness

On Thu, Feb 05, 2009 at 02:05:14PM -0800, Dan Farrell wrote:
>
>
> Then I limit the number of prefixes it will even look at to 5000 -
>
> import default-route;
> family inet {
>     unicast {
>         prefix-limit {
>             maximum 5000;
...
> This is effective- I have only the default to use from my upstream.
> But I keep generating tons of log messages because I keep getting (and
> rejecting) tons of routes. Without asking the upstream to not
> advertise the full route table, is there something I can do on my end
> to limit the syslog messages I keep getting?
>
> Feb  5 19:00:43  nap-r2-edge-2 rpd[82464]: RPD_RT_PREFIX_LIMIT_REACHED: Number of prefixes (4000) in table inet.0 still exceeds or equals configured maximum (4000)

Well technically speaking you can always filter by regexp anything that
you send to system, but what you really want is accepted-prefix-limit
instead of prefix-limit above.

Prefix-limit is applied to all routes received by the router, even if
they are rejected by your import policy. Basically this protects router
DRAM from something going wild and sending you a billion routes, but is
less useful as a policy protection, or in your case to limit the number
of routes being installed to FIB.

Accepted-prefix-limit is a relatively new feature added in 9.2 (and
pardon me while I do a little dance about it, but this is one of my
feature requests which I've been asking for for 6 years and it just
finally got implemented! :P) which limits the number of routes AFTER
your import policy has been applied. In the example above, even though
you are receiving a full table, you are rejecting all but 1 route in
policy, so the value that would be evaluated by accepted-prefix-limit is
1.

--
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
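
The distinction described in the reply above, as an added configuration sketch that is not part of the original thread: prefix-limit stays as a loose ceiling on everything received (memory protection), while accepted-prefix-limit bounds what survives the import policy. The group name, peer AS, neighbor address, the body of the default-route policy and the 1000000 ceiling are constructed for illustration; accepted-prefix-limit needs the release mentioned in the reply (9.2) or later.

```junos
policy-options {
    /* Assumed policy body: the thread only names "default-route". */
    policy-statement default-route {
        term default {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then accept;
        }
        term everything-else {
            then reject;
        }
    }
}
protocols {
    bgp {
        group upstream {                     /* constructed group name */
            type external;
            peer-as 64496;                   /* documentation AS number */
            neighbor 192.0.2.1 {             /* documentation address */
                import default-route;
                family inet {
                    unicast {
                        /* Counts every route received, including ones the
                           import policy rejects. Set well above a full table
                           so it only fires on a runaway peer. */
                        prefix-limit {
                            maximum 1000000;
                            teardown;
                        }
                        /* Counts only routes accepted by the import policy.
                           With the policy above this is 1, so the limit is
                           not reached and no limit messages are logged. */
                        accepted-prefix-limit {
                            maximum 5000;
                        }
                    }
                }
            }
        }
    }
}
```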

