
On Fri, 8 Aug 2025 at 18:45, Nick Hilliard via NANOG <nanog@lists.nanog.org> wrote:
> If Cisco have implemented a pps limiter of 50k/s, that's a lot of snmp pps. Is this a realistic amount of requests to be properly serviced per second? SNMP packet encapsulation / general handling is one thing, but stats collection / intermediation can be more heavyweight. Bear in mind that the failure modes in this sort of situation are often non-linear.
In this case something less obvious is happening: OP isn't pushing 300 pps, yet the policer is firing. This could be a legitimate bug; it might require a peek into what actually gets programmed into the BRCM.

In PTX PE (Paradise) there isn't a PPS policer in the hardware, yet ddos-protection can only be configured as PPS. So as a compromise the developer decided to program a (1500*8*pps) bps policer. So out of the box, with standard configuration, the box will admit far too many small packets, more than the VoQ from ASIC -> LC_CPU can admit, congesting the whole VoQ, which is shared by most things. Unfortunately the user cannot change the 1500 into 64, nor can the user decide which ddos-protocols go into which VoQ, making it very tricky to get reasonable punt results under poor weather.

--
++ytti
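The following is an added worked example, not code from the thread or from any vendor: it models the compromise ytti describes, where a policer configured in packets per second is programmed into hardware as a bps policer of 1500*8*pps, and shows how many small packets that actually admits. The 1500-byte assumption comes from the post; the VoQ capacity used in the demo is a constructed placeholder, not a real Paradise figure.

```python
# Added example (not from the NANOG thread or any vendor code).
# Models a PPS-configured ddos-protection policer that the driver programs
# as a bps policer assuming every packet is 1500 bytes, as described above.

ASSUMED_PKT_BYTES = 1500  # fixed packet size the driver assumes (from the post)


def programmed_bps(configured_pps, assumed_bytes=ASSUMED_PKT_BYTES):
    """bps value programmed into hardware for a pps-configured policer."""
    return configured_pps * assumed_bytes * 8


def admitted_pps(configured_pps, pkt_bytes, assumed_bytes=ASSUMED_PKT_BYTES):
    """Packets/s actually admitted for a uniform stream of pkt_bytes packets.
    Equals configured_pps only when pkt_bytes == assumed_bytes."""
    return programmed_bps(configured_pps, assumed_bytes) / (pkt_bytes * 8)


def admitted_pps_mix(configured_pps, size_share, assumed_bytes=ASSUMED_PKT_BYTES):
    """Admitted packets/s for a traffic mix.
    size_share maps packet size in bytes -> fraction of packets (sums to 1).
    The bps budget is spent on the mix's average packet size."""
    total = sum(size_share.values())
    avg_bytes = sum(b * f for b, f in size_share.items()) / total
    return programmed_bps(configured_pps, assumed_bytes) / (avg_bytes * 8)


def overshoot_factor(configured_pps, pkt_bytes, assumed_bytes=ASSUMED_PKT_BYTES):
    """How many times more packets get through than the operator configured."""
    return admitted_pps(configured_pps, pkt_bytes, assumed_bytes) / configured_pps


def voq_congested(configured_pps, pkt_bytes, voq_capacity_pps,
                  assumed_bytes=ASSUMED_PKT_BYTES):
    """True when the admitted packet rate exceeds what the punt VoQ can drain.
    voq_capacity_pps is whatever the ASIC -> LC_CPU queue can actually handle."""
    return admitted_pps(configured_pps, pkt_bytes, assumed_bytes) > voq_capacity_pps


if __name__ == "__main__":
    # Constructed demo values: 50k pps policer, a placeholder VoQ drain rate.
    configured = 50_000
    voq_capacity = 200_000  # placeholder, not a real platform figure
    print(f"programmed policer: {programmed_bps(configured) / 1e6:.0f} Mbps")
    for size in (1500, 512, 128, 64):
        rate = admitted_pps(configured, size)
        print(f"{size:5d}-byte packets: {rate:12.0f} pps admitted "
              f"({overshoot_factor(configured, size):.1f}x configured), "
              f"VoQ congested: {voq_congested(configured, size, voq_capacity)}")
    mix = {64: 0.7, 1500: 0.3}
    print(f"70/30 mix of 64/1500-byte packets: "
          f"{admitted_pps_mix(configured, mix):.0f} pps admitted")
```

The point the model makes visible is the one in the post: the operator's pps number is only honoured for full-size packets, and the smaller the punted packets, the further the admitted rate overshoots, so a flood of minimum-size packets sails through a policer that looks conservative on paper and lands on the shared punt VoQ.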