Hi Mike,
I can give you a few hints:
DPCE will perform poorly, depending on how many policers you instantiate.
(hint: 10K will kill it, and hint: policers will not be accurate).
MPCs will perform better but don't burden more than you need to... obviously the MPC generations vary in performance.
Your prefix-action config is spot-on.
- This instantiates 1 x policer per /32.
- If you change the subnet-prefix-length to 23, what you get is 1 x policer *shared* between x.x.x.1 and x.x.(x+1).1, x.x.x.2 and x.x.(x+1).2, etc.
And a caution:
Your firewall filter config matches on 0/0.
- Uh oh! Won't this instantiate 2^32 policers? It's not flow-based, it's static instantiation.
And recommendations:
Change matching terms to /24s instead of 0/0...
Yes - I believe this is sane, scalable to at least 20K IPs on MPC-3D-16XGE-SFPP.
NB:
On every instantiation of the firewall filter referencing the prefix-action, you are going to have another full set of policers.
Eg: If you have 2 links, each a LAG comprised of 2 x members, then you'll have 4 x sets of policers (in your case, 40K).
- If these are all on the same FPC, that's not just poor redundancy, but probably too many policers. :)
Good luck!
Br,
Niall
-----Original Message-----
From: juniper-nsp [mailto:[email protected]] On Behalf Of
[email protected]
Sent: 08 January 2019 18:58
To: [email protected]
Subject: [j-nsp] rate limiting per-user prefix lists
Hi,
My platform is Juniper mx240 running 15.1R6.7 and I'm interested in using
prefix-action to establish rate limits per user in my network.
DDOS attacks targeting single users on my network can frequently affect
many users who happen to share the same backhaul connectivity such as to rural
communities served by microwave backhaul. We do a certain amount of ddos
filtering already, but we would like to tighten this up some more and one idea
was the use of prefix-action so that no single user can be forwarded traffic
which clearly they cannot handle.
In one case, I have a group of users that will not get over 100mbps of service
individually for example, perhaps it's 4 /24 subnets total in a prefix-list
called 'my100mbps-endusers'. It would be jim-dandy to guard against traffic
floods exceeding this 100mbps limit to any specific /32 in the group. So, I
worked out this possible config:
[edit firewall]
family inet {
    prefix-action per-user-100mbps {
        policer ratelimit-100mbps;
        destination-prefix-length 32;
        subnet-prefix-length 24;
    }
}
filter per-user {
    term max-per-user {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-prefix-list {
                my100mbps-endusers;
            }
        }
        then prefix-action per-user-100mbps;
    }
}
What I am wondering is, a) is this stupid (and would you like some of what I
am smoking?) b) will I melt my router (along with my brain?) c) is there a
better strategy (and will judith marry anthony?) d) how extensible would this
be and could I consider scaling up to 10,000 users this way?
Any comments, operational humor, or stack tracebacks concerning same are
appreciated. ;-)
Mike-
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
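An added sizing model for the prefix-action discussed in both messages (example code, not from either poster or from Juniper): it assumes the sizing rule as I read the Junos prefix-action documentation, 2^(destination-prefix-length - subnet-prefix-length) policers per instantiation, selected by the destination's host bits, plus Niall's point that every link or LAG member the filter is applied on gets its own full set. The sample addresses are constructed.

```python
import ipaddress
from collections import defaultdict


def prefix_action_policer_count(destination_prefix_length: int, subnet_prefix_length: int) -> int:
    """Policers one prefix-action instantiation creates (assumed Junos sizing rule:
    2 ** (destination-prefix-length - subnet-prefix-length))."""
    if not 0 <= subnet_prefix_length <= destination_prefix_length <= 32:
        raise ValueError("need 0 <= subnet-prefix-length <= destination-prefix-length <= 32")
    return 1 << (destination_prefix_length - subnet_prefix_length)


def policer_index(dst: str, destination_prefix_length: int, subnet_prefix_length: int) -> int:
    """Which policer a destination address is steered to: the address bits between
    subnet-prefix-length and destination-prefix-length (assumed selection rule), so
    addresses in different /24s with the same host bits land on the same policer."""
    count = prefix_action_policer_count(destination_prefix_length, subnet_prefix_length)
    addr = int(ipaddress.IPv4Address(dst))
    return (addr >> (32 - destination_prefix_length)) & (count - 1)


def shared_policers(addresses, destination_prefix_length: int, subnet_prefix_length: int) -> dict:
    """Map policer index -> addresses that share it (only indexes hit by more than one address);
    a flood at one of them rate-limits the others too."""
    groups = defaultdict(list)
    for a in addresses:
        groups[policer_index(a, destination_prefix_length, subnet_prefix_length)].append(a)
    return {i: addrs for i, addrs in groups.items() if len(addrs) > 1}


def policers_across_filter_instantiations(per_set: int, links: int, lag_members: int) -> int:
    """Niall's NB: each link/LAG member the filter is applied on carries its own full set."""
    return per_set * links * lag_members


if __name__ == "__main__":
    # Constructed sample: hosts from two /24s of a prefix-list like 'my100mbps-endusers'
    users = ["192.0.2.5", "192.0.2.6", "198.51.100.5"]
    print(prefix_action_policer_count(32, 24))                  # 256 per instantiation
    print(shared_policers(users, 32, 24))                       # {5: ['192.0.2.5', '198.51.100.5']}
    print(policers_across_filter_instantiations(10_000, 2, 2))  # 40000
```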