[j-nsp] rate limiting per-user prefix lists
Niall Donaghy
niall.donaghy at geant.org
Wed Jan 9 09:14:40 EST 2019
Hi Mike,
I can give you a few hints:
DPCE will perform poorly, depending on how many policers you instantiate.
(hint: 10K will kill it, and hint: policers will not be accurate).
MPCs will perform better but don't burden more than you need to... obviously
the MPC generations vary in performance.
Your prefix-action config is spot-on.
- This instantiates 1 x policer per /32.
- If you change the subnet-prefix-length to 23, what you get is 1 x policer
*shared* between x.x.x.1 and x.x.(x+1).1, x.x.x.2 and x.x.(x+1).2, etc.
And a caution:
Your firewall filter config matches on 0/0.
- Uh oh! Won't this instantiate 2^32 policers? It's not flow-based, it's
static instantiation.
And recommendations:
Change matching terms to /24s instead of 0/0...
Yes - I believe this is sane, scalable to at least 20K IPs on
MPC-3D-16XGE-SFPP.
NB:
On every instantiation of the firewall filter referencing the prefix-action,
you are going to have another full set of policers.
Eg: If you have 2 links, each a LAG comprised of 2 x members, then you'll
have 4 x sets of policers (in your case, 40K).
- If these are all on the same FPC, that's not just poor redundancy, but
probably too many policers. :)
Good luck!
Br,
Niall
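As an added illustration of the two points above (per-/24 terms instead of a 0/0 match, and Niall's policer accounting of one policer per /32 times one full set per filter instantiation), here is a small generator that is not from the thread or from Juniper; the four /24 sample prefixes and the term-naming scheme are constructed for the example, and the sizing follows the accounting stated in the reply rather than any vendor documentation.

```python
import ipaddress

# Constructed sample input: four /24s standing in for the
# 'my100mbps-endusers' prefix list from the original post.
SAMPLE_PREFIXES = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24", "10.0.3.0/24"]


def per24_filter(prefixes, prefix_action="per-user-100mbps", filter_name="per-user"):
    """Return Junos filter text with one term per /24 instead of a single
    term that matches source 0.0.0.0/0.  Every entry must be a /24 so it
    lines up with subnet-prefix-length 24 in the prefix-action."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    bad = [str(n) for n in nets if n.prefixlen != 24]
    if bad:
        raise ValueError(f"expected /24 entries, got {bad}")
    lines = [f"filter {filter_name} {{"]
    for net in sorted(nets):
        # Hypothetical naming scheme: term limit-A-B-C-D for the /24 A.B.C.D/24
        term = "limit-" + str(net.network_address).replace(".", "-")
        lines += [
            f"    term {term} {{",
            "        from {",
            "            destination-address {",
            f"                {net};",
            "            }",
            "        }",
            f"        then prefix-action {prefix_action};",
            "    }",
        ]
    # Traffic to anyone outside the rate-limited /24s is left alone.
    lines += ["    term default {", "        then accept;", "    }", "}"]
    return "\n".join(lines)


def policer_budget(prefixes, links, lag_members):
    """Niall's accounting: one policer per /32 covered by the prefix list,
    and a fresh full set for every instantiation of the filter, i.e. every
    LAG member on every link.  Returns (hosts, instantiations, total)."""
    hosts = sum(ipaddress.ip_network(p).num_addresses for p in prefixes)
    instantiations = links * lag_members
    return hosts, instantiations, hosts * instantiations


if __name__ == "__main__":
    print(per24_filter(SAMPLE_PREFIXES))
    # Two links, each a 2-member LAG, as in the reply: 4 sets of policers.
    print(policer_budget(SAMPLE_PREFIXES, links=2, lag_members=2))
```

Run against the real prefix list, the budget figure is the number to compare with what the FPC in question can hold before deciding whether the filter belongs on one FPC or should be spread out.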
-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
mike+jnsp at willitsonline.com
Sent: 08 January 2019 18:58
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] rate limiting per-user prefix lists
Hi,
My platform is Juniper mx240 running 15.1R6.7 and I'm interested in using
prefix-action to establish rate limits per user in my network.
DDOS attacks targeting single users on my network can frequently affect
many users who happen to share the same backhaul connectivity such as to rural
communities served by microwave backhaul. We do a certain amount of ddos
filtering already, but we would like to tighten this up some more and one idea
was the use of prefix-action so that no single user can be forwarded traffic
which clearly they cannot handle.
In one case, I have a group of users that will not get over 100mbps of service
individually for example, perhaps it's 4 /24 subnets total in a prefix-list
called 'my100mbps-endusers'. It would be jim-dandy to guard against traffic
floods exceeding this 100mbps limit to any specific /32 in the group. So, I
worked out this possible config:
[edit firewall]
family inet {
    prefix-action per-user-100mbps {
        policer ratelimit-100mbps;
        destination-prefix-length 32;
        subnet-prefix-length 24;
    }
}
filter per-user {
    term max-per-user {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-prefix-list {
                my100mbps-endusers;
            }
        }
        then prefix-action per-user-100mbps;
    }
}
What I am wondering is, a) is this stupid (and would you like some of what I
am smoking?) b) will I melt my router (along with my brain?) c) is there a
better strategy (and will judith marry anthony?) d) how extensible would this
be and could I consider scaling up to 10,000 users this way?
Any comments, operational humor, or stack tracebacks concerning same are
appreciated. ;-)
Mike-
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp