Mailing List Archive

MX204 Maximum Packet Rates
Hello,

During an approximately 240 Mpps / 80 Gbps UDP DDoS attack on one target IP,
we experienced massive and immediate packet loss on an MX204 router.

The attack was coming in through MX10003 and MX204. The MX204 was not able
to forward more than 120 Mpps during the attack. The MX10003 forwarded 180
Mpps without any issue.

Both routers are running Juniper 18.4R2-S3. The MX204 has all 4 x 100 Gbps
interfaces active and in use.

Any idea if 120 Mpps for Juniper MX204 is already the hardware limitation?
This would equal only roughly 41 Gbps at the attack's packet size of 43
bytes. We are certain that no policer or firewall filter led to the packet
drops.

Does anyone have a recommendation for what could be done to increase performance?


Kind Regards
Leon Kramer
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: MX204 Maximum Packet Rates
Hi Leon,

Both MX204 and MX10003/LC2103 use the
Eagle forwarding ASIC. The LC2103 line card has 3xASIC,
the MX204 has 1xASIC. The WAN output rate for the Eagle
PFE is ~110 Mpps for a 100G interface.

The assumption is that you got the traffic on the
MX10003 coming in over more than one PFE/ASIC.

BR,

.peter

On 20.05.21 11:49, Leon Kramer wrote:
> Hello,
>
> During an approximately 240 Mpps / 80 Gbps UDP DDoS attack on one target IP,
> we experienced massive and immediate packet loss on an MX204 router.
>
> The attack was coming in through MX10003 and MX204. The MX204 was not able
> to forward more than 120 Mpps during the attack. The MX10003 forwarded 180
> Mpps without any issue.
>
> Both routers are running Juniper 18.4R2-S3. The MX204 has all 4 x 100 Gbps
> interfaces active and in use.
>
> Any idea if 120 Mpps for Juniper MX204 is already the hardware limitation?
> This would equal only roughly 41 Gbps at the attack's packet size of 43
> bytes. We are certain that no policer or firewall filter led to the packet
> drops.
>
> Does anyone have a recommendation for what could be done to increase performance?
>
>
> Kind Regards
> Leon Kramer
Re: MX204 Maximum Packet Rates
Hi,

The MX204 has some limitations in terms of pps rates for smaller packet
sizes if inline-flow is configured, compared to e.g. the MX10003, not only, but
also, related to the PFE/fabric layout (no fabric in the 204). So even if
they are the same PFE, they might behave differently.

The details are not public, so you might want to reach out to your
partner/SE.

regards
Tobias

On 20.05.2021 12:39, Peter Sievers wrote:
> Hi Leon,
>
> Both MX204 and MX10003/LC2103 use the
> Eagle forwarding ASIC. The LC2103 line card has 3xASIC,
> the MX204 has 1xASIC. The WAN output rate for the Eagle
> PFE is ~110 Mpps for a 100G interface.
>
> The assumption is that you got the traffic on the
> MX10003 coming in over more than one PFE/ASIC.
>
> BR,
>
> .peter
Re: MX204 Maximum Packet Rates
By the way this one is public (not sure if relevant or not though):
https://kb.juniper.net/InfoCenter/index?page=content&id=KB33477


> On 20 May 2021 at 14:00, Tobias Heister <lists@tobias-heister.de> wrote:
>
> Hi,
>
> The MX204 has some limitations in terms of pps rates for smaller packet sizes if inline-flow is configured, compared to e.g. the MX10003, not only, but also, related to the PFE/fabric layout (no fabric in the 204). So even if they are the same PFE, they might behave differently.
>
> The details are not public, so you might want to reach out to your partner/SE.
>
> regards
> Tobias
Re: MX204 Maximum Packet Rates
Interesting, that KB link mentions...

"From Junos 19.1R1, we support "High-performance mode" to enable WAN Output block resource allocation. In this mode, better throughput is achieved at line-rate traffic for small sized packets."

Maybe this will help others and OP achieve higher rates

-Aaron


Re: MX204 Maximum Packet Rates
It looks like "High performance mode" means configuring port speed in
pic mode that may not be feasible in all cases depending on port
configuration.
No data for HP mode provided...
And finally, from the example, where did they find fpc 5 on MX10003? ;)

Kind regards,
Andrey

aaron1@gvtc.com wrote on 2021-05-21 13:54:
> Interesting, that KB link mentions...
>
> "From Junos 19.1R1, we support "High-performance mode" to enable WAN
> Output block resource allocation. In this mode, better throughput is
> achieved at line-rate traffic for small sized packets."
>
> Maybe this will help others and OP achieve higher rates
>
> -Aaron