Sorry, I meant the opposite (i.e. the defaults are too high). One that is especially high is the IGMP at 20k. Multicast loops on large layer-2 fabrics (IXPs) will bring down first-gen Trios very easily (can't say the same for the newer ones up to Eagle).

On Tue, Nov 21, 2017 at 10:19 AM, Saku Ytti <[email protected]> wrote:
> On 21 November 2017 at 14:12, Luis Balbinot <[email protected]> wrote:
>
>> The DDoS protection factory defaults are very low in some cases. The
>> Juniper MX Series book has a nice chapter on that.
>
> Do you have an example? Most of them are like 20kpps, which is more
> than you need to congest the built-in NPU=>PFE_CPU policer. I.e. they
> are massively too large out-of-the-box.
>
> I doubt anyone has configured them to sensible values, as it would be
> hundreds of lines of ddos-protection config, as you cannot set default
> values which apply to all of them and then more-specific ones to the
> ones you care. Correct configuration needs to manually configure each
> and every one, those which you don't need, as low as you want, like
> 10pps.
>
>
> --
> ++ytti
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp

