[j-nsp] Core network design for an ISP

Saku Ytti saku at ytti.fi
Fri Mar 25 15:56:27 EDT 2016


On 25 March 2016 at 21:39, Adam Vitkovsky <Adam.Vitkovsky at gamma.co.uk> wrote:

>> I believe Luis refers to FIB localisation introduced in 12.3:
>> http://www.juniper.net/documentation/en_US/junos15.1/topics/concept/fib-localization-overview.html
>>
> Hmm, interesting concept - then with this feature enabled, where would the VRF filter be executed, on the FIB-remote PFE or the FIB-local PFE?

I'm not a big fan, due to the potential multiple NPUs involved in
lookups and multiple fabric travels. I'm not intimately familiar with
the feature though.

> Sorry, I wasn't clear; I meant how the box performs when under DDoS attack.

Do you mean transit DDoS? With proper QoS, should be fine.

> But yeah, I guess I know what you mean with regards to lo0 filters, I've been there. What I miss in Junos is the ability to say that only defined interfaces can be used to access the box. So one has to be very careful with the filter construction, as well as understand the lo0 filter applicability rules posted here recently.

You could use interface-groups, they are mutually exclusive with some
forwarding filters though. I've previously used interface-groups to
mark edge interfaces with 'privileged' access to control-plane, such
as DHCP.

-- 
  ++ytti
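
The interface-group approach mentioned in the reply above, sketched as an added Junos configuration fragment; it is not part of the original message and not the poster's configuration. The interface name, address, group number 1, filter name PROTECT-RE and counter name are constructed for illustration.

```junos
interfaces {
    /* Constructed edge interface: tag it as a member of interface-group 1 */
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    group 1;
                }
                address 192.0.2.1/24;
            }
        }
    }
    /* The control-plane filter is applied inbound on lo0 */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter PROTECT-RE {
            /* DHCP reaches the RE only if it arrived on a group-1 interface */
            term dhcp-from-edge {
                from {
                    interface-group 1;
                    protocol udp;
                    port [ 67 68 ];
                }
                then accept;
            }
            /* Same traffic from any other interface: count it, then drop */
            term dhcp-not-edge {
                from {
                    protocol udp;
                    port [ 67 68 ];
                }
                then {
                    count dhcp-non-edge;
                    discard;
                }
            }
        }
    }
}
```

A Junos filter ends with an implicit discard, so a production lo0 filter also needs terms for routing protocols and management access before this fragment is committed. The counter gives a quick check for DHCP arriving on interfaces that were not tagged.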

