[unisog] Blocking inbound Internet traffic

John Kristoff jtk at depaul.edu
Mon May 12 15:16:46 GMT 2003


Responding to the list publicly with permission.

On Mon, 12 May 2003 10:25:24 -0400
"Andrew W. Elble" <aweits at discipline.rit.edu> wrote:

> What made you decide to go with this particular configuration, rather
> than a per-src-ip hard rate limit?

The simple answer is to avoid 'hard' rate limits.  On the one hand,
since unused capacity cannot be recovered and would just go to waste,
particularly on these expensive external connections, we might as well
let people and hosts who want it use it if it's available.  On the other
hand, there may be instances where people or end hosts really need to go
fast and we'd prefer not to limit them if there is legitimate need and
available capacity.

> > I'm not sure, but I seem to recall Cisco having a similar feature as
> > the Juniper prefix-action in recent versions of IOS.  It essentially
[...]
> I can't find any platform-independent documentation of this feature,
> do you have any references? We've heard some good things about
> this kind of feature coming on the 6500/Sup720, but we currently
> only have 7500's at the border.

I can't seem to locate anything at the moment and I don't recall where I
might have heard about it.  Perhaps on the juniper-nsp list?  I only
looked for a couple minutes though.  For Juniper, here is the
appropriate doc:

<http://www.juniper.net/techpubs/software/junos/junos57/swconfig57-policy/html/policer-config9.html>

> Do you have any before and after MRTG graphs (latency, bandwidth,
> etc...) from when you implemented this change?

Some public info is here:

  <http://netstat.depaul.edu>
  <http://flows.is-net.depaul.edu>

The most recent change was made about a week ago (you'll see the total
external connection capacity peaking and staying there).

Unfortunately I don't have good before-and-after data available,
particularly packet drop graphs; we're still working out the details for
that.  Per-IP statistics are not available due to privacy reasons.  I
have some related data on a simpler implementation of RED (without per
source controls) on a border router from a couple years ago you may be
interested in:

  <http://condor.depaul.edu/~jkristof/red/>

If we can make any progress on collecting better data we'll probably put
together a new page or paper detailing what we've seen.

John
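The trade-off John describes (a hard per-source limit leaves capacity idle when few hosts are active, whereas a congestion-driven mechanism such as RED only throttles once the link is actually full) can be made concrete with a small simulation. The code below is an added illustration, not part of this list post and not the DePaul or Juniper configuration: the link capacity, per-source limit, RED thresholds and host demands are all constructed values, and the RED queue is a textbook sketch (Floyd/Jacobson early drop on an EWMA of queue length) rather than a router's actual implementation.

```python
"""Constructed simulation: hard per-source policing vs. a RED queue.

Units are 'packets per tick'; all numbers are made up for the demo.
"""

LINK_CAPACITY = 100   # packets the link forwards per tick (constructed)
TICKS = 200           # length of each run


def hard_limit_throughput(demands, per_src_limit):
    """Hard per-source policer: every source is clipped to per_src_limit
    each tick, even when the link has idle capacity.  The link itself is
    still the aggregate ceiling.  Returns packets delivered per source."""
    delivered = {src: 0 for src in demands}
    for _ in range(TICKS):
        offered = {src: min(d, per_src_limit) for src, d in demands.items()}
        total = sum(offered.values())
        for src, v in offered.items():
            # integer proportional share when the aggregate exceeds the link
            delivered[src] += min(v, v * LINK_CAPACITY // total) if total else 0
    return delivered


class RedQueue:
    """Minimal RED: no drops while the averaged queue length is below
    min_th, a drop probability rising linearly to max_p at max_th, and
    every packet dropped above max_th.  Drops use a deterministic
    accumulator instead of random() so results are reproducible."""

    def __init__(self, min_th=50, max_th=150, max_p=0.1, wq=0.1, buffer=200):
        self.min_th, self.max_th, self.max_p, self.wq = min_th, max_th, max_p, wq
        self.buffer = buffer     # physical buffer: tail-drop beyond this
        self.avg = 0.0           # EWMA of queue length
        self.acc = 0.0           # accumulated drop probability
        self.queue = []          # one entry (the source id) per queued packet

    def drop_prob(self):
        if self.avg < self.min_th:
            return 0.0
        if self.avg >= self.max_th:
            return 1.0
        return self.max_p * (self.avg - self.min_th) / (self.max_th - self.min_th)

    def enqueue(self, src):
        """Return True if the packet was queued, False if dropped."""
        if len(self.queue) >= self.buffer:
            return False                     # buffer full: tail drop
        self.avg = (1 - self.wq) * self.avg + self.wq * len(self.queue)
        self.acc += self.drop_prob()
        if self.acc >= 1.0:
            self.acc -= 1.0
            return False                     # RED early drop
        self.queue.append(src)
        return True

    def drain(self, n):
        """Forward up to n packets; returns the sources they belonged to."""
        out, self.queue = self.queue[:n], self.queue[n:]
        return out


def red_throughput(demands):
    """No per-source cap at all: sources offer their full demand to a RED
    queue in round-robin order; only congestion causes drops."""
    q = RedQueue()
    delivered = {src: 0 for src in demands}
    for _ in range(TICKS):
        for i in range(max(demands.values())):
            for src, d in demands.items():
                if i < d:
                    q.enqueue(src)
        for src in q.drain(LINK_CAPACITY):
            delivered[src] += 1
    return delivered


if __name__ == "__main__":
    one = {"host-a": 150}                     # a single host wanting 150/tick
    print("one host, hard limit 40 :", hard_limit_throughput(one, 40))
    print("one host, RED           :", red_throughput(one))
    many = {f"host-{i}": 30 for i in range(5)}  # five hosts wanting 30 each
    print("five hosts, hard limit 40:", hard_limit_throughput(many, 40))
    print("five hosts, RED          :", red_throughput(many))
```

Run stand-alone it prints delivered packet counts for both policies. With one active host the hard limit delivers 40 per tick while 60 of the link's 100 go unused; the RED queue lets the same host fill the link and drops only what cannot fit. With five hosts the aggregate exceeds capacity under either policy, so both end up delivering about 100 per tick and the difference is only in which packets get discarded. That is the "unused capacity cannot be recovered" argument in the reply, reduced to numbers.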