Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  EX4200 Sflow questions

    Posted 12-10-2019 11:22

    Hello,

    We have 20x EX4200 switches and we have in mind to use their sFlow to analyze DDoS attacks and traffic, so:

    1. Do we have any limitation on EX4200 sFlow?

    2. If we enable sFlow on our EX4200s, when we receive DDoS attacks, does it affect the CPU or cause high CPU usage or an outage?

    Thank you.



  • 2.  RE: EX4200 Sflow questions
    Best Answer

     
    Posted 12-17-2019 22:24
    Hi blackmetal,

    Please find answers inline:

    1. Do we have any limitation on EX4200 sFlow?
    [ANS] We should be OK if we configure sFlow without being too aggressive.
    Here is the document that explains the configuration of sFlow:
    https://www.juniper.net/documentation/en_US/junos10.4/topics/example/sflow-configuring-ex-series.html#jd0e30
    https://kb.juniper.net/InfoCenter/index?page=content&id=KB14855
    For example, enabling sFlow for all interfaces with a polling-interval of 1 second and a sample-rate of 100 for both ingress and egress is aggressive and is bound to spike the CPU.
    2. If we enable sFlow on our EX4200s, when we receive DDoS attacks, does it affect the CPU or cause high CPU usage or an outage?
    [ANS] Normally it doesn't affect the network performance; however, it also depends on several factors, like the polling interval, the sample rate, the amount of traffic and the number of interfaces that are being polled. If the polling interval is too aggressive, it can lead to high CPU (the "sfid" process, etc.). Here is a link that mentions the 300pps limit:
    https://www.juniper.net/documentation/en_US/junos/topics/example/sflow-configuring-ex-series.html


    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 3.  RE: EX4200 Sflow questions

    Posted 12-17-2019 22:31

    Would you help us with the best sFlow configs (polling interval, ...) for detecting DDoS attacks that do not cause high CPU usage?

    We just need to enable sFlow on the uplinks of our switches.



  • 4.  RE: EX4200 Sflow questions

     
    Posted 12-17-2019 23:13
    Hello blackmetal,

    Please use the configuration example and ensure your collector receives samples as expected: https://www.juniper.net/documentation/en_US/junos/topics/example/sflow-configuring-ex-series.html

    Example (the closing brace of the protocols stanza was missing in the original paste):
    protocols {
        sflow {
            collector 1.1.1.254 {
                udp-port 2011;
            }
            interfaces ge-0/0/0.0 {
                sample-rate {
                    ingress 1000;
                    egress 1000;
                }
            }
            interfaces ge-0/0/1.0 {
                sample-rate {
                    ingress 1000;
                    egress 1000;
                }
            }
        }
    }

    There is no one size fits all kind of a config that can guarantee every packet of interest is captured in every network. So you can start with a sample configuration and vary it as per your switches' usage. Hope that makes sense to you.

    Hope this helps.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).
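A small sizing helper for the question posts 3 and 4 discuss (which sample-rate to use on the uplinks without punting too many samples to the CPU), added here as an example and not taken from the thread or from Juniper. It starts from the 300 pps sample figure quoted in post 2, assumes a linear "1 in N packets is sampled" model, and treats the interface names, candidate rates and traffic figures as constructed assumptions.

```python
# Added example (not from the thread or from Juniper): size a per-interface
# sFlow sample-rate for a switch's uplinks against the 300 pps sample budget
# quoted above, then render the matching Junos stanza. The traffic figures,
# the linear "1 in N packets is sampled" model, the candidate rates and the
# interface names are all assumptions for illustration.
from dataclasses import dataclass

SAMPLE_BUDGET_PPS = 300  # per-switch sampled-packet rate quoted in the thread
RATE_CANDIDATES = (500, 1000, 2000, 4000, 8000, 16000, 32000, 65536)  # assumed


@dataclass
class Uplink:
    name: str      # logical interface to sample, e.g. "xe-0/1/0.0" (assumed)
    peak_pps: int  # expected peak packets/s across ingress+egress (assumed)


def expected_sampled_pps(uplinks, sample_rate):
    """Mean sampled packets/s punted to the CPU under the linear model:
    every sampled interface contributes peak_pps / sample_rate."""
    return sum(u.peak_pps for u in uplinks) / sample_rate


def choose_sample_rate(uplinks, budget_pps=SAMPLE_BUDGET_PPS, headroom=0.5,
                       candidates=RATE_CANDIDATES):
    """Smallest candidate N whose expected sampled rate stays within
    headroom * budget, leaving room for a DDoS burst above 'peak'."""
    for n in sorted(candidates):
        if expected_sampled_pps(uplinks, n) <= headroom * budget_pps:
            return n
    raise ValueError("no candidate sample-rate keeps sampling under budget")


def render_config(uplinks, sample_rate, collector, udp_port=2011,
                  polling_interval=30):
    """Render a 'protocols sflow' stanza in Junos curly-brace syntax."""
    out = ["protocols {", "    sflow {",
           f"        polling-interval {polling_interval};",
           f"        collector {collector} {{", f"            udp-port {udp_port};",
           "        }"]
    for u in uplinks:
        out += [f"        interfaces {u.name} {{", "            sample-rate {",
                f"                ingress {sample_rate};",
                f"                egress {sample_rate};", "            }", "        }"]
    out += ["    }", "}"]
    return "\n".join(out)


# Constructed input: two 10G uplinks, each assumed to peak around 200k pps.
UPLINKS = [Uplink("xe-0/1/0.0", 200_000), Uplink("xe-0/1/1.0", 200_000)]

if __name__ == "__main__":
    rate = choose_sample_rate(UPLINKS)
    print(f"# sample-rate {rate}: ~{expected_sampled_pps(UPLINKS, rate):.0f} sampled pps")
    print(render_config(UPLINKS, rate, collector="192.0.2.10"))
```

Watch the sfid process and the collector's received sample count after applying the rendered stanza, and raise the rate if the CPU climbs during an attack; the headroom factor is what keeps a burst well above the assumed peak from saturating the sample path.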


  • 5.  RE: EX4200 Sflow questions

     
    Posted 12-18-2019 05:30

    To protect the RE/CPU, an RE filter of some type is recommended to be set and associated with the loopback address (lo0). For loopback setting info look here - https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-interface-config-loopback-interfaces.html

     

    As for a generic RE Filter, suggest you look here to get started - https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-stateless-example-rate-limits-based-on-packets-per-second.html

     

    This RE filter is a good practice, no matter what the platform is, although most documentation will be targeted toward MX. There is no "one fits all" for this, but the doc should get you started, and then it is just a matter of fine-tuning for your specific environment and needs or worries.