On 10/22/2011 10:14 PM, Stefan Fouant wrote:
Enabling BGP multi-hop is a very common approach with DDoS Mitigation services 
and also variations of Remote-Triggered Black Holes where the discard route 
isn't localized on the edge router.  This is not because the customer router 
will be greater than one hop away, but because enabling multi-hop has an 
additional side effect of disabling next-hop validation. Without this enabled, 
the edge router will invalidate the “mitigate” routes received from the 
customer because the next-hop is not directly reachable via the neighbor.

Yeah, I didn't think of that side effect, probably because I don't modify next-hops myself.

Not sure about the PPS limitations... The PFE ASICs should be able to handle a 
750Mbps / 1.5 Mpps DoS pretty easy...

That's what I'm thinking. My m120 shows 0 problems with the load, but 2 of my transits dropped packets to me without saturating their respective links. I expected more out of NSPs.

Jack
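
The next-hop check discussed in this thread, as an added example that is not part of the original e-mails: a simplified Python model (not vendor code) of an edge router validating the next-hop of an eBGP route with and without multi-hop. The RIB contents, addresses and function names are constructed for illustration.

```python
import ipaddress

# Constructed edge-router RIB: prefix -> "connected", "discard", or a next-hop
# address that must itself be resolved (all addresses are documentation values).
RIB = {
    "198.51.100.0/30": "connected",   # link to the customer (eBGP neighbor)
    "10.0.0.0/30": "connected",       # link toward the core
    "192.0.2.1/32": "10.0.0.2",       # "mitigate" next-hop, learned via the core
}

def resolve(next_hop, rib, depth=0):
    """Recursively resolve next_hop; return the connected prefix, "discard" or None."""
    if depth > 8:                      # guard against resolution loops
        return None
    addr = ipaddress.ip_address(next_hop)
    hits = [n for n in map(ipaddress.ip_network, rib) if addr in n]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)   # longest-prefix match
    action = rib[str(best)]
    if action == "connected":
        return str(best)
    if action == "discard":
        return "discard"
    return resolve(action, rib, depth + 1)        # indirect: resolve again

def validate_ebgp_next_hop(next_hop, neighbor_subnet, multihop, rib):
    """Return how the route's next-hop resolves, or None if the route is invalidated."""
    if not multihop:
        # Single-hop eBGP: next-hop must sit on the subnet shared with the neighbor.
        if ipaddress.ip_address(next_hop) in ipaddress.ip_network(neighbor_subnet):
            return neighbor_subnet
        return None
    # Multi-hop: the direct-reachability check is skipped; resolve through the RIB.
    return resolve(next_hop, rib)

if __name__ == "__main__":
    for mh in (False, True):
        result = validate_ebgp_next_hop("192.0.2.1", "198.51.100.0/30", mh, RIB)
        print(f"multihop={mh}: mitigate route ->", result or "invalidated")
```
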
