Hey,

>> b) LPTS only has 'aggregate' (NPU) level policing, ddos-protection has
>> aggregate => ifd => ifl => sub
> I don't really see a need for hierarchical policers and besides the uKernel 
> and RE policers are SW, only the LU has HW policer.

It's not really hierarchical, the same packet can't hit many of those,
only one of those. They are all in HW. Without different levels of
policers, how do you stop one customer from bringing all customers
down? If all is just aggregate, then one customer can break all
customers.

>> c) There is no log information of what is causing LPTS or XIPC to drop 
>> packets
>>
> Not sure what you mean: you're getting no info or insufficient info? Cause 
> although native LPTS alerting doesn't exist, it can be done with a TCL script 
> applied through EEM.

Alerting how? To actually know what packets you're dropping, you'd
need to capture NPU counters, a tricky thing to do, and it causes a short
outage in older versions.

> Hmm but even if it was, the session would have to time-out first so during 
> the timeout period the "good" session could be affected/starved out.

Quite. The only solution, as far as I can see, is to create a more-specific
policer for offenders, removing stress from the aggregate one.


-- 
  ++ytti
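A small simulation of the point argued above (an aggregate-only policer versus a per-interface policer in front of the aggregate one), added here as an example; it is not code from this thread or from Juniper, and the two-level token-bucket model, the rates and the customer names are constructed assumptions:

```python
"""Token-bucket model of control-plane policing: aggregate-only versus a
per-interface (ifl) policer in front of the aggregate. Constructed example,
not code from the thread or from Juniper; the two-level model (packet charged
to its ifl bucket, then to the shared aggregate bucket) is an assumption."""

class TokenBucket:
    """Single-rate policer: `rate` tokens added per tick, capped at `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst
    def refill(self):
        self.tokens = min(self.burst, self.tokens + self.rate)
    def accept(self):
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

def arrivals(offered):
    """Spread each customer's packets evenly across one tick and return the
    arrival order, so a small talker is not favoured by dict iteration order."""
    total = sum(offered.values())
    slots = [(i * total / n, c) for c, n in offered.items() for i in range(n)]
    return [c for _, c in sorted(slots)]

def simulate(offered, aggregate, per_ifl=None, ticks=100):
    """offered: {customer: packets per tick}; aggregate, per_ifl: (rate, burst).
    Returns the fraction of each customer's packets that reach the RE."""
    agg = TokenBucket(*aggregate)
    ifl = {c: TokenBucket(*per_ifl) for c in offered} if per_ifl else {}
    accepted = {c: 0 for c in offered}
    for _ in range(ticks):
        agg.refill()
        for bucket in ifl.values():
            bucket.refill()
        for cust in arrivals(offered):
            if cust in ifl and not ifl[cust].accept():
                continue  # dropped by the customer's own policer
            if agg.accept():
                accepted[cust] += 1
    return {c: accepted[c] / (n * ticks) for c, n in offered.items()}

if __name__ == "__main__":
    OFFERED = {"good": 5, "flooder": 500}  # constructed per-tick load
    print("aggregate only:", simulate(OFFERED, (100, 100)))
    print("ifl + aggregate:", simulate(OFFERED, (100, 100), per_ifl=(20, 20)))
```

With the aggregate policer alone the well-behaved customer gets about a fifth of its packets through; with a per-ifl policer capping the flooder first, it gets all of them.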
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp