[j-nsp] what’s the story behind MPC5E

Saku Ytti saku at ytti.fi
Sun May 22 06:34:44 EDT 2016


On 22 May 2016 at 10:14, Adam Vitkovsky <Adam.Vitkovsky at gamma.co.uk> wrote:

Hey,

> Aww now I see where the confusion is coming from.
> I wasn't talking about the traffic entering the PFE via WAN input, but I meant traffic coming in via Fabric input, should have mentioned that explicitly.
>
> Unless you have cone filters at all AS entry points you can't really control or capacity manage how much traffic is going to be sent down to any port hosting publicly accessible services or customers during a DDoS attack.
> In this direction (from fabric) it is very easy for a PFE to get oversubscribed and it doesn't even need to be doing anything fancy and can have just one active port on it, just the 240Gbps from fabric can max it out.

Even in this case wouldn't the attack traffic have a different fabric
stream than the good traffic due to QoS? The fabric capacity probably
is 2x the rated capacity, due to btree replication, but of course
that's not important here, either way you can congest it.
In congestion from fabric side, how does shared XL make it more
difficult? That is from XL's POV, how is one XM with say 8 WAN ports
and 'fabric ports' different to two XMs with 4 WAN ports and 'fabric
port' each?

-- 
  ++ytti

