[AusNOG] mx80 flow-spec

Andrew Jones Andrew.Jones at salmat.com.au
Thu May 30 14:17:12 EST 2013


The Juniper MX Series book is a godsend for this; there is a whole
section on flow-spec. In regard to performance limitations, see the
section below:

http://www.juniper.net/jp/jp/training/jnbooks/mx-series.html 

----

Limit Flow-Spec Resource Usage

Flow-spec routes are essentially firewall filters, and like any filter
there is some resource consumption and processing burden that can vary
as a function of the filter's complexity. However, unlike a conventional
filter that requires local definition, once flow-spec is enabled on a
BGP session, the remote peer is effectively able to cause local filter
instantiation, potentially up until the point of local resource
exhaustion, which can lead to bad things. To help guard against
excessive resource usage in the event of misconfigurations or malicious
intent, Junos allows you to limit the number of flow routes that can be
in effect.

Use the maximum-prefixes statement to place a limit on the number of
flow routes that can be installed in the inetflow.0 RIB:
  set routing-options rib inetflow.0 maximum-prefixes <number>
  set routing-options rib inetflow.0 maximum-prefixes threshold <percent>

To limit the number of flow-spec routes permitted from a given BGP peer,
use the prefix-limit statement for the flow family:
  set protocols bgp group x neighbor <address> family inet flow prefix-limit maximum <number>
  set protocols bgp group x neighbor <address> family inet flow prefix-limit teardown <%>

-----

Hope this helps.

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Luke Iggleden
Sent: Thursday, 30 May 2013 2:07 PM
To: ausnog at lists.ausnog.net
Subject: [AusNOG] mx80 flow-spec

Hi Noggers,

We're looking to implement flow-spec filters on our mx80 borders,
however we've come across a post from 2011 suggesting that with as few
as 15 flow-spec filters live, the PFE on the mx80 drops to 3-5Mpps. This
is of course not something we could afford.

I haven't been able to find any recent posts online as to whether or not
this is an issue with code from back in 2011 (possibly) or if it is a
Trio chipset (PFE?) limitation?

I would have thought that basic ACLs on a hardware router like the MX
wouldn't affect packet performance as badly as this? I wouldn't expect a
flow-spec filter to be any different at the PFE level than a
filter statement generated from the CLI?

I'd really appreciate any pointers to sites with people discussing
flow-spec, mx series, exabgp, nfsen and anything else that we should be
looking at. If it comes down to it, I guess we'll just end up with a
S/RTBH setup.

Original Post
http://mailman.nanog.org/pipermail/nanog/2011-January/030051.html



Cheers,

Luke Iggleden
http://sishosting.com.au
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog
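Putting the two limits from the MX book excerpt together, as an added example that is not from the thread or from the book: a constructed Junos configuration for a flow-spec session to a local controller of the exabgp kind mentioned in the original post. The group name FLOWSPEC, the 192.0.2.x addresses, the policy name FLOW-SCOPE, the 203.0.113.0/24 prefix and every numeric limit are assumptions chosen for illustration; the statements themselves are Junos' documented ones. It goes one step beyond the excerpt by also scoping which destination prefixes the peer may filter, since a controller that does not originate the matching unicast routes fails the default RFC 5575 validation and needs an explicit policy.

```junos
## Added example, not from the AusNOG thread or the MX Series book.
## All names, addresses and limits below are constructed.

## Box-wide cap on flow routes in inetflow.0: the second line makes Junos
## log a warning once 80% of the 1000-route cap is in use, so the limit
## is visible in syslog before it is actually hit.
set routing-options rib inetflow.0 maximum-prefixes 1000
set routing-options rib inetflow.0 maximum-prefixes threshold 80

## Per-peer cap. A warning is logged at 90% of 500 routes; exceeding the
## maximum tears the session down, and idle-timeout brings it back after
## 30 minutes instead of leaving it down until someone clears it.
set protocols bgp group FLOWSPEC type internal
set protocols bgp group FLOWSPEC local-address 192.0.2.1
set protocols bgp group FLOWSPEC neighbor 192.0.2.10 family inet unicast
set protocols bgp group FLOWSPEC neighbor 192.0.2.10 family inet flow prefix-limit maximum 500
set protocols bgp group FLOWSPEC neighbor 192.0.2.10 family inet flow prefix-limit teardown 90
set protocols bgp group FLOWSPEC neighbor 192.0.2.10 family inet flow prefix-limit teardown idle-timeout 30

## Scope control (assumption: a controller that sends no unicast routes).
## no-validate skips the RFC 5575 originator check but only accepts flow
## routes whose destination falls inside our own address space.
set protocols bgp group FLOWSPEC neighbor 192.0.2.10 family inet flow no-validate FLOW-SCOPE
set policy-options policy-statement FLOW-SCOPE term own-space from route-filter 203.0.113.0/24 orlonger
set policy-options policy-statement FLOW-SCOPE term own-space then accept
set policy-options policy-statement FLOW-SCOPE then reject
```

After commit, `show route table inetflow.0` lists the installed flow routes, `show bgp neighbor 192.0.2.10` shows the per-peer prefix count against the configured limit, and `show firewall filter __flowspec_default_inet__` gives the hit counters of the filter Junos builds from those routes, which is where a drop in PFE throughput of the kind the original post asks about would first be correlated with filter count.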



