[j-nsp] rate limiting per-user prefix lists

Niall Donaghy niall.donaghy at geant.org
Wed Jan 9 09:14:40 EST 2019


Hi Mike,

I can give you a few hints:

	DPCE will perform poorly, depending on how many policers you instantiate. 
(hint: 10K will kill it, and hint: policers will not be accurate).
	MPCs will perform better but don't burden more than you need to... obviously 
the MPC generations vary in performance.
	Your prefix-action config is spot-on.
		- This instantiates 1 x policer per /32.
		- If you change the subnet-prefix-length to 23, what you get is 1 x policer 
*shared* between x.x.x.1 and x.x.(x+1).1, x.x.x.2 and x.x.(x+1).2, etc.

And a caution:

	Your firewall filter config matches on 0/0.
		- Uh oh! Won't this instantiate 2^32 policers? It's not flow-based, it's 
static instantiation.

And recommendations:

	Change matching terms to /24s instead of 0/0...
	Yes - I believe this is sane, scalable to at least 20K IPs on 
MPC-3D-16XGE-SFPP.

NB:

	On every instantiation of the firewall filter referencing the prefix-action, 
you are going to have another full set of policers.

	Eg: If you have 2 links, each a LAG comprised of 2 x members, then you'll 
have 4 x sets of policers (in your case, 40K).
		- If these are all on the same FPC, that's not just poor redundancy, but 
probably too many policers. :)

Good luck!
Br,
Niall

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of 
mike+jnsp at willitsonline.com
Sent: 08 January 2019 18:58
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] rate limiting per-user prefix lists

Hi,

    My platform is Juniper mx240 running 15.1R6.7 and I'm interested in using 
prefix-action to establish rate limits per user in my network.

    DDOS attacks targeting single users on my network can frequently affect 
many users who happen to share the same backhaul connectivity such as to rural 
communities served by microwave backhaul. We do a certain amount of ddos 
filtering already, but we would like to tighten this up some more and one idea 
was the use of prefix-action so that no single user can be forwarded traffic 
which clearly they cannot handle.
In one case, I have a group of users that will not get over 100mbps of service 
individually for example, perhaps it's 4 /24 subnets total in a prefix-list 
called 'my100mbps-endusers'. It would be jim-dandy to guard against traffic 
floods exceeding this 100mbps limit to any specific /32 in the group. So, I 
worked out this possible config:


[edit firewall]
family inet {
    prefix-action per-user-100mbps {
        policer ratelimit-100mbps;
        destination-prefix-length 32;
        subnet-prefix-length 24;
    }
}
filter per-user {
    term max-per-user {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-prefix-list {
                my100mbps-endusers;
            }
        }
        then prefix-action per-user-100mbps;
    }
}

What I am wondering is, a) is this stupid (and would you like some of what I 
am smoking?) b) will I melt my router (along with my brain?) c) is there a 
better strategy (and will judith marry anthony?) d) how extensible would this 
be and could I consider scaling up to 10,000 users this way?

Any comments, operational humor, or stack tracebacks concerning same are 
appreciated. ;-)


Mike-
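The policer-allocation arithmetic from Niall's reply (one set of policers per filter instantiation, one term per /24) applied to Mike's prefix-action config, as an added Python model that is not part of the thread. It assumes that Junos indexes a prefix-action's policers by the (destination-prefix-length minus subnet-prefix-length) low-order bits of the destination address (a modelling assumption, not a vendor API), and the sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict


def policer_index(dst: str, dest_len: int = 32, subnet_len: int = 24) -> int:
    """Policer an address lands on inside one prefix-action.
    Assumption (model of Junos prefix-action): the index is the
    dest_len - subnet_len low-order bits, so one prefix-action owns
    2**(dest_len - subnet_len) policers per filter instantiation."""
    addr = int(ipaddress.IPv4Address(dst)) >> (32 - dest_len)
    return addr & ((1 << (dest_len - subnet_len)) - 1)


def policers_per_action(dest_len: int = 32, subnet_len: int = 24) -> int:
    return 1 << (dest_len - subnet_len)


def sharing_single_term(dsts, dest_len=32, subnet_len=24):
    """Mike's config: one term matches every /24 in the prefix-list, so hosts
    in different /24s with the same host bits collide on one policer."""
    groups = defaultdict(list)
    for d in dsts:
        groups[policer_index(d, dest_len, subnet_len)].append(d)
    return {i: hosts for i, hosts in groups.items() if len(hosts) > 1}


def sharing_per_subnet_terms(dsts, dest_len=32, subnet_len=24):
    """Niall's recommendation: one term and prefix-action per /24, so the
    subnet is implied by the term and only hosts inside it share an index."""
    groups = defaultdict(list)
    for d in dsts:
        net = ipaddress.ip_network(f"{d}/{subnet_len}", strict=False)
        groups[(str(net), policer_index(d, dest_len, subnet_len))].append(d)
    return {k: v for k, v in groups.items() if len(v) > 1}


def total_policers(n_prefix_actions: int, n_instantiations: int,
                   dest_len: int = 32, subnet_len: int = 24) -> int:
    """Niall's NB: every link / LAG member that instantiates the filter
    gets another full set of policers."""
    return n_prefix_actions * n_instantiations * policers_per_action(dest_len, subnet_len)


# Constructed sample: hosts from two /24s of a list like 'my100mbps-endusers'.
SAMPLE = ["192.0.2.1", "192.0.2.7", "198.51.100.1", "198.51.100.9"]

if __name__ == "__main__":
    print("single 0/0 term shares:", sharing_single_term(SAMPLE))
    print("per-/24 terms share:", sharing_per_subnet_terms(SAMPLE))
    # 40 x /24 terms on 2 links x 2 LAG members, per Niall's 4-sets example
    print("policers for 40 /24s on 4 instantiations:", total_policers(40, 4))
```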

