[j-nsp] QFX5100 ACLs

Saku Ytti saku at ytti.fi
Tue Dec 12 05:20:14 EST 2017


ACK. Which is common in the industry; a lot of, probably most, boxes are not
edge L3 compatible. Including all the BRCM super cost-effective
10/100GE boxes.

We don't even have to think about malicious users; what happens when
my BGP customer has an L2 loop? Entirely reasonable to think they'll
inject 1.48Mpps of BGP to me. Heck, I've created an L2 loop or two
accidentally.


On 12 December 2017 at 11:12,  <adamv0025 at netconsultings.com> wrote:
> Good point actually, and there's the fact that one can't block the protocol if not used.
> So I guess one has to bury these in the core and rely on flawless iACLs
>
> adam
>
> netconsultings.com
> ::carrier-class solutions for the telecommunications industry::
>
>> -----Original Message-----
>> From: Saku Ytti [mailto:saku at ytti.fi]
>> Sent: Tuesday, December 12, 2017 9:08 AM
>> To: adamv0025 at netconsultings.com
>> Cc: Brendan Mannella; juniper-nsp at puck.nether.net
>> Subject: Re: [j-nsp] QFX5100 ACLs
>>
>> A policer on a term which does not discriminate good and bad only gives the attacker
>> leverage by reducing the pps/bps demand to congest the good?
>>
>>
>> On 12 December 2017 at 10:21,  <adamv0025 at netconsultings.com> wrote:
>> >> Of Saku Ytti
>> >> Sent: Monday, December 11, 2017 2:46 PM
>> >>
>> >> Someone pointed this to me -
>> >> https://kb.juniper.net/InfoCenter/index?page=content&id=KB24145
>> >>
>> > Are there any "sensible" policers defined for these "70 such hardware
>> > filters, which target different protocols"?
>> >
>> > adam
>> >
>> > netconsultings.com
>> > ::carrier-class solutions for the telecommunications industry::
>> >
>>
>>
>>
>> --
>>   ++ytti
>



-- 
  ++ytti

