[j-nsp] Marking/shaping UDP reflection traffic

Saku Ytti saku at ytti.fi
Thu Mar 10 02:43:05 EST 2022


On Wed, 9 Mar 2022 at 19:48, Gert Doering via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:

> We use different classes for UDP/123, UDP/53 (exclude well-known
> recursives), fragments, ... and are currently using between 20 and 100
> mbit/s for these classes.  What is the right number for you depends
> on "how much can your customers stomach?" and "how much do you see
> under normal conditions?".

We do the same, but we classify protocols into two classes, 'important'
and 'unimportant'. Unimportant being protocols we deem not to be used
in reality for anything but abuse, and important being dual-use.
'unimportant' gets policed on port level outright, and 'important'
gets two-coloured on port level, so that exceeding traffic gets
downgraded below BE.

Answering 'what rate is right' is difficult without understanding
better how you are policing, where, and what your access ports usually
look like. Do remember that JNPR policers are per-NPU by default,
unlike CSCO, where they are per-interface and per-NPU is not even a
configurable option.

-- 
  ++ytti

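The two-class scheme described in the reply above, written out as a Junos firewall filter and policer configuration. This is an added example, not configuration posted by either author; the filter, policer, counter and prefix-list names, the forwarding-class name SCAVENGER, the interface, the 20m/100m rates and the burst sizes are all assumptions chosen for illustration (the rates follow the 20-100 mbit/s range quoted in the thread). The scheduler that actually makes SCAVENGER drain below best-effort is left out.

```junos
/* Added example, not from the original post. Names, rates and the
   SCAVENGER forwarding class are assumptions. */
policy-options {
    prefix-list WELL-KNOWN-RECURSIVES {
        /* constructed entries: put real resolver prefixes here */
        192.0.2.0/24;
        198.51.100.0/24;
    }
}
class-of-service {
    forwarding-classes {
        /* custom class for 'important' traffic that exceeded its rate;
           a scheduler must rank it below best-effort (not shown) */
        class SCAVENGER queue-num 1;
    }
}
firewall {
    /* 'unimportant': abuse-only protocols, hard-policed */
    policer UNIMPORTANT-POLICER {
        if-exceeding {
            bandwidth-limit 20m;
            burst-size-limit 500k;
        }
        then discard;
    }
    /* 'important': dual-use protocols, two-coloured: in-profile passes
       untouched, exceeding traffic is re-marked below BE, not dropped */
    policer IMPORTANT-POLICER {
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 1m;
        }
        then {
            loss-priority high;
            forwarding-class SCAVENGER;
        }
    }
    family inet {
        filter REFLECTION-CLASSIFIER {
            /* Junos policers in a filter are shared per NPU/PFE by
               default; interface-specific gives each interface its
               own policer and counter instance instead */
            interface-specific;
            term ntp-reflection {
                from {
                    protocol udp;
                    source-port 123;
                }
                then {
                    policer UNIMPORTANT-POLICER;
                    count ntp-reflection;
                }
            }
            term dns-from-known-recursives {
                from {
                    source-prefix-list {
                        WELL-KNOWN-RECURSIVES;
                    }
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            term dns-reflection {
                from {
                    protocol udp;
                    source-port 53;
                }
                then {
                    policer IMPORTANT-POLICER;
                    count dns-reflection;
                }
            }
            term trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    policer UNIMPORTANT-POLICER;
                    count trailing-fragments;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input REFLECTION-CLASSIFIER;
                }
            }
        }
    }
}
```

The order of the DNS terms matters: the prefix-list exception must precede the generic UDP/53 term, otherwise answers from the excluded resolvers are policed too. `is-fragment` matches trailing fragments only; add a `first-fragment` term if first fragments should be treated the same way. Check the per-interface counters with `show firewall filter REFLECTION-CLASSIFIER-xe-0/0/0.0-i` (the suffix is what `interface-specific` appends) to see how much traffic each class actually carries before deciding on rates.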
