# PTX VoQ 101
PTX silicon ships with per-interface virtual-output-queues (VoQ), including a dedicated queue for packets punted to the line-card CPU. On paper that’s control-plane Valhalla; in reality the default queue map is a hairball. A mere 10 Mb/s of well-crafted noise can starve routing protocols and turn your chassis into an inert heat sink. Let’s unpack why.
## VoQ Theory vs. Reality
**How it _should_ work**
- Each interface owns eight queues, half with guaranteed bandwidth, half best-effort overflow.
- BGP, OSPF, gRPC telemetry live in high-priority queues with hard reservations.
- Bulk transfers (TFTP, HTTP image fetches) sit in mid-tier queues that can steal spare cycles.
- ICMP pings and stray UDP belong in bargain-basement excess queues.
**What ships out of the box**
- The built-in classifier dumps most punted packets, good, bad, or chaotic neutral, into the same queue.
- Queue 2 is limited to 10 Mb/s and was historically non-bursting. Firmware copies crawl like dial-up, while a small targeted flood knocks out keepalives. Elegant.
## The “Fix” That Wasn’t
Juniper loosened the burst parameters but kept the janky classifier. Now malicious traffic can hog _more_ bandwidth _and_ spike unpredictably, blackholing the router even faster. Peak Schadenfreude.
## Why DIY Tuning Won’t Save You
- Junos exposes `ddos-protocols` knobs, but punt-queue mapping is still hard-coded.
- Even if it were open, many shops already mangle the simpler `lo0` filter (pro-tip: swapping SPORT/DPORT still slips past the MX book example). Handing them VoQ surgery would be … Darwinian.
- Queue math is non-trivial: token buckets, burst debt, micro-burst absorption. Mis-tune it and you’ve built your own DoS cannon.
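To make that queue math concrete, here is a small token-bucket model of the punt queue (an added illustration, not code from this post or from Juniper; the real PTX scheduler is far more involved, and the 125-byte junk packets, 100-byte keepalives, 100 ms keepalive interval and the 64 kb/s reservation are constructed). It shows that when junk shares the 10 Mb/s queue, keepalives arriving behind it get nothing, that a separate reserved queue keeps them alive, and that loosening the burst alone does not change the outcome.

```python
"""Toy model of the punt queue as a token-bucket policer. Added illustration,
not Juniper's scheduler: it only shows why a shared queue gives keepalives no
isolation and why loosening the burst does not restore it."""

RATE_BPS = 10_000_000                    # the post's 10 Mb/s queue cap
BYTES_PER_MS = RATE_BPS // 8 // 1000     # 1250 token bytes refilled per ms
KEEPALIVE_BYTES = 100                    # constructed BGP/OSPF keepalive size


class TokenBucket:
    """Single-rate policer: refill `rate` bytes per ms, hold at most `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens = rate, burst, burst

    def tick(self):
        self.tokens = min(self.burst, self.tokens + self.rate)

    def admit(self, size):
        if self.tokens < size:
            return False                 # tail-drop: no tokens for this packet
        self.tokens -= size
        return True


def keepalive_delivery(flood_pkts_per_ms, flood_pkt_bytes, burst_ms,
                       dedicated_queue, duration_ms=1000, keepalive_every_ms=100):
    """Fraction of keepalives admitted while junk shares (or not) the queue.
    Worst case inside each ms: the flood arrives ahead of the keepalive."""
    shared = TokenBucket(BYTES_PER_MS, BYTES_PER_MS * burst_ms)
    # Constructed reservation: 64 kb/s (8 B/ms) with a 100 ms burst, i.e. the
    # kind of hard guarantee the post says control traffic should have.
    reserved = TokenBucket(8, 800)
    sent = delivered = 0
    for t in range(duration_ms):
        shared.tick()
        reserved.tick()
        for _ in range(flood_pkts_per_ms):
            shared.admit(flood_pkt_bytes)   # junk punted into the same queue
        if t % keepalive_every_ms == 0:
            sent += 1
            queue = reserved if dedicated_queue else shared
            delivered += queue.admit(KEEPALIVE_BYTES)
    return delivered / sent


if __name__ == "__main__":
    # 10 Mb/s of 125-byte junk, 1 ms burst, everything in one queue
    print(keepalive_delivery(10, 125, 1, dedicated_queue=False))   # 0.0
    # same flood, keepalives in their own reserved queue
    print(keepalive_delivery(10, 125, 1, dedicated_queue=True))    # 1.0
    # burst loosened to 10 ms, flood nudged to 12 Mb/s: still starved
    print(keepalive_delivery(12, 125, 10, dedicated_queue=False))  # 0.1
```

The third run is the "fix that wasn't": the bigger bucket absorbs the first few dozen milliseconds, then the flood drains it and the keepalives go back to being tail-dropped.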
## What _Should_ Happen (Dear Vendor, pls)
- Expose a documented CLI/NETCONF model to remap protocols, resize per-queue guarantees, and set burst limits.
- Ship a hardened default profile that separates bulk transfers from control traffic and rate-limits unauthenticated punts to a sliver of capacity.
- Publish reference traffic models so operators can verify queue headroom _before_ the outage tweet-storm.
## Interim Mitigations You Can Deploy _Today_
- Edge policing – Drop or rate-limit junk _before_ it reaches the PTX.
- TAC-only knobs – Push Juniper for hidden commands if your risk profile justifies the escalation.
- Watch the canaries – Stream `show class-of-service queue voq` counters into telemetry; rising tail-drops signal impending face-plant.
## Takeaway
The silicon is solid; the default queue taxonomy is a latent outage. Until the punt queues are re-architected, a script kiddie with 10 Mb/s and Wireshark can still write a very expensive love letter to your NOC. Adjust your risk register accordingly and keep a polite-but-firm JTAC template on standby.