On (2011-08-09 16:25 -0400), Clarke Morledge wrote:
> Well, I hope this all helps someone. If someone can clarify and/or
> improve on this, please let me know. I had to learn the hard way.

Nice pointers, thanks.

People should also have a forwarding-options filter in every routing-instance (inclusive main) to police IP options and IPv6 hop-by-hop options. A rate of 5Mbps (of small packets) will kill your MX80. It is unfortunate that you cannot police with pps, only with bps. If you are running RSVP, you might want to allow your linknet/lo0 space unpoliced or policed separately, rather than putting all IP options under the same policer.

I've not done any testing of how vulnerable MX is when using L2 interfaces, but I'm certain there are a lot more things to watch out for then, due to software handling of BPDU. One thing I've noticed is that receiving an LLDP attack of about 5Mbps will kill MX80. This is particularly annoying as you can't match ethertype on an inet family filter, and you cannot do bridge filters on an inet interface, so there really isn't a way to police them. Luckily MX is only punting LLDP if LLDP is enabled on the interface (single bit marker in mq stream), so only enable it on trusted interfaces. Also, 11.2 DDOS protection actually has a policer for LLDP (and it is missing IPv6 hop-by-hop options).

-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
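An added illustration of the forwarding-table filter ytti describes, not code from his post or from Juniper; it polices IPv4 packets carrying IP options and IPv6 packets with a hop-by-hop header, with the RSVP linknet/lo0 space on its own policer. The filter and policer names, the bandwidth limits and the 192.0.2.0/24 prefix are placeholder assumptions.

```junos
/* Added example: police IP options and IPv6 hop-by-hop options before they reach the RE.
   Names, rates and the 192.0.2.0/24 prefix are placeholders, not values from the post. */
firewall {
    policer ip-options-policer {
        /* Junos policers are bps/burst only; choose a limit well below what the RE tolerates */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    policer rsvp-space-policer {
        if-exceeding {
            bandwidth-limit 2m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter police-ip-options {
            /* RSVP (router alert option) from our own linknet/lo0 space, policed separately */
            term rsvp-space {
                from {
                    source-address { 192.0.2.0/24; }   /* placeholder prefix */
                    ip-options any;
                }
                then { policer rsvp-space-policer; accept; }
            }
            term options {
                from { ip-options any; }
                then { policer ip-options-policer; accept; }
            }
            term default { then accept; }
        }
    }
    family inet6 {
        filter police-hop-by-hop {
            term hop-by-hop {
                from { next-header hop-by-hop; }
                then { policer ip-options-policer; accept; }
            }
            term default { then accept; }
        }
    }
}
/* Apply in the main instance; repeat under routing-instances <name> forwarding-options for each VRF */
forwarding-options {
    family inet  { filter { input police-ip-options; } }
    family inet6 { filter { input police-hop-by-hop; } }
}
```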

