On Wed, 11 Jul 2018 15:23:28 -0400, Saku Ytti <s...@ytti.fi> wrote:

> Hey Chris,
>
> On Wed, 11 Jul 2018 at 22:16, Chris Morrow <morr...@ops-netman.net> wrote:
>
> > > a) You can't just limit UDP to 2Mbps on every edge port
> >
> > it's really a limit of 2mbps on each PFE, so ... in some cases that's
> > 2mbps on a port, in some cases not. This is a 'problem' because of the
> > architecture of the MX though, right? not the filter itself... well... :)
>
> They were doing this to transit traffic, high rate of UDP isn't
> strange, good portion of youtube streaming is UDP.

sorry, i think 'they' here is confusing :( or at least confusing me :)
'they' means: "juniper docs/engineers/etc" or 'they' means: "team cymru
and their docs" which ?

I was answering in the case of the first ;( which may have led us
astray here...

> > > b) LO filter matches on 'port'
> >
> > on 'port'.. meaning I can't do:
> > destination-port ssh
> > source-port 1024-65535
>
> You can do that, you can't do 'port X', because then anyone setting
> source port to X, allows them to reach any destination port you have.
> I don't think source-port 1024-65534 matters, just additional resource
> consumption. What does matter, is that you match destination-port
> <ephemeral>, source-port <bgp,ssh,etc>, when you want to allow far-end
> to respond to connection you opened.

i think that /port/ is a crutch :( and best avoided in the case of
loopback filters. you know exactly what's ok, permit that, drop all else.

> > > c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
> >
> > how do you mean? doesn't it just permit/deny what you ask in the filter?
>
> In the relaxed one, they discard non allowed ssh etc, then have wide
> accept. I.e. they don't know what they should accept and what not.

i sense you are talking about the 'they' that is cymru.

> > > d) hardcore doesn't permit traceroute
> >
> > traceroute is permitted TO the box with the right config, and THROUGH
> > the box on the MX without any holes in the loopback filter.
>
> In this config it is not allowed to the box.

ah-ha! that's kooky :) (again this is with respect to the cymru doc)

I think the cymru guide is still good, it certainly gives you a leg up on
'how do I even start?' and PROBABLY is "ok" for an enterprise deployment.
SP deployment will need more .... thought, but the structure is there to
build from.

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
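Saku's point about `port X` versus an explicit source-port/destination-port pair, and Chris's "permit what's ok, drop all else", as an added Junos loopback-filter sketch that is not from this thread or from the Cymru template. The prefix lists, term names and addresses are constructed for illustration; the traceroute UDP range 33434-33534 is an assumed default.

```junos
policy-options {
    /* constructed sample addresses, not from the thread */
    prefix-list bgp-peers { 192.0.2.1/32; 198.51.100.7/32; }
    prefix-list mgmt-hosts { 203.0.113.0/28; }
}
firewall {
    family inet {
        /* WEAK: 'port ssh' matches source OR destination 22, so anything sent
           from source port 22 is accepted to every destination port we listen on */
        filter lo0-weak {
            term ssh { from { protocol tcp; port ssh; } then accept; }
            term rest { then accept; }
        }
        /* HARDENED: direction and peers are explicit, everything else is discarded */
        filter lo0-hardened {
            /* peer opened the session: its ephemeral port to our 179 */
            term bgp-in {
                from { source-prefix-list { bgp-peers; } protocol tcp; destination-port bgp; }
                then accept;
            }
            /* we opened the session: peer answers from 179 to our ephemeral port */
            term bgp-return {
                from { source-prefix-list { bgp-peers; } protocol tcp; source-port bgp; destination-port 1024-65535; }
                then accept;
            }
            term ssh-mgmt {
                from { source-prefix-list { mgmt-hosts; } protocol tcp; destination-port ssh; }
                then accept;
            }
            /* UDP probe range so the router itself answers traceroute with port-unreachable */
            term traceroute-to-box {
                from { protocol udp; destination-port 33434-33534; }
                then accept;
            }
            term icmp-basic {
                from { protocol icmp; icmp-type [ echo-request echo-reply time-exceeded unreachable ]; }
                then accept;
            }
            term deny-rest {
                then { count lo0-discards; log; discard; }
            }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input lo0-hardened; } } } }
}
```

Only `lo0-hardened` is attached to lo0; `lo0-weak` is shown for contrast and is the shape to avoid. The `lo0-discards` counter is what you watch to find legitimate traffic the explicit terms forgot.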