[j-nsp] MX104 capabilities question
Saku Ytti
saku at ytti.fi
Wed Jun 8 04:04:23 EDT 2016
On 8 June 2016 at 00:00, Ross Halliday <ross.halliday at wtccommunications.ca> wrote:
Hey,
> All kinds of problems happen, yes the only "real" safeguard is to put every customer on their own PE. You might remember a previous conversation we had regarding the DDoS Protection mechanism. This thing is a major thorn in my side. Thanks to this "faster" design, when one of these filters kicks in, any traffic matching that class on the ENTIRE box is blackholed. I don't think this is appropriate behaviour: In my experience, it actually *creates* a DoS situation on these boxes.
It's a pretty funny situation: IOS-XR out of the box probably has the
best control-plane protection in the market, while Juniper's is pretty
much non-existent. But for an operator who knows how to configure it
right, IOS-XR cannot be configured correctly; you'll always have to
carry significant shared risks. Trio+ platforms, on the other hand, can
be configured almost correctly, essentially with almost no shared risks.
To put it bluntly, you configured the box incorrectly. Even if you had
multiple linecards, you would have killed all of the traffic in the
single NPU, so you'd have severe collateral damage anyhow. And if you
had multiple MX104s (i.e. multiple linecards) you'd have higher
resiliency than multiple linecards in a single chassis.
You need to look into DDoS-protection and reduce the default aggregate
pps rates significantly (there is a built-in policer for how much the
NPU can punt, and many DDoS-protection protocols have a higher rate
than that). And crucially you need to make sure you have per-IFL
ddos-protection set to a sufficiently low number, so if one of your
customers has an L2 loop and pukes some trash on your control-plane,
you'll only police that IFL, leaving all other IFLs operating normally.
> These routers have their place, they're definitely a Swiss Army Knife type of machine, it's just that the handle is really small...
I agree the control-plane is shite; it's not a DFZ router because of
that. But I don't agree on the single-linecard design being a
liability; to me it's an advantage. Fabric and distributed design is a
hack we need, because the technology isn't there to offer a reasonable
number of ports with a single chip.
--
++ytti
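As an added illustration of the two knobs described above (this is not the poster's configuration nor Juniper's own documentation), the Junos `ddos-protection` stanza below lowers the box-wide aggregate policer for one protocol group and adds per-IFL flow detection so only the offending IFL is policed. The pps/burst values and the choice of ARP as the protocol group are assumptions for illustration; real values should be derived from the observed baseline (`show ddos-protection statistics`) and the NPU's punt capacity on the platform in question.

```junos
# Added example, not the original poster's config. All rates are assumed; tune per platform.
# Step 1: cut the box-wide aggregate so one flood cannot saturate the NPU punt path.
# Step 2: enable per-IFL flow detection so the culprit IFL is policed, not the whole box.
system {
    ddos-protection {
        global {
            flow-detection;                     # suspicious control-flow detection (Trio only)
            flow-report-rate 100;
            violation-report-rate 100;
        }
        protocols {
            arp {
                aggregate {
                    bandwidth 2000;             # pps, assumed; far below the shipped default
                    burst 2000;                 # packets, assumed
                    flow-level-detection {
                        subscriber off;
                        logical-interface on;   # track offenders per IFL
                        physical-interface off;
                    }
                    flow-level-bandwidth {
                        logical-interface 100;  # pps allowed per IFL, assumed
                    }
                    flow-level-control {
                        logical-interface police; # police the culprit IFL rather than drop it
                    }
                }
            }
        }
    }
}
# Verification after commit (operational mode):
#   show ddos-protection protocols arp            - effective aggregate and flow policers
#   show ddos-protection protocols violations     - which protocol groups are currently violated
#   show ddos-protection protocols arp culprit-flows - IFLs currently being policed
```

Repeat the same pattern for the other protocol groups that customer-facing IFLs can reach (DHCP, ICMP, PPPoE, and so on); the aggregate and per-IFL numbers will differ per group.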