[j-nsp] uRPF - Performance

Eric Van Tol eric at atlantech.net
Tue Jul 1 11:38:13 EDT 2003


Igor,
You bring up an interesting point:

>If you are getting 12.5, then your line
>cards aren't well distributed on the FPC's to assure that packets will
>always egress out all FPCs (statistical variance due to the stripe-write
>of jcells to all FPCs).

Does this mean that the line cards should be distributed in some
recommended fashion on the router?  Do you have any examples or
recommendations?  Does this apply to all Junipers, or just the M20?  

Eric

-----Original Message-----
From: pain at royal.net [mailto:pain at royal.net] 
Sent: Wednesday, June 25, 2003 5:52 PM
To: Rubens Kuhl Jr.
Cc: Jack.W.Parks at alltel.com; juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] uRPF - Performance


We have conducted tests that show that with very heavy firewall filters
(3000 terms ingress and egress, lotsa layer4 ops, port ranges, etc), you
will get 22.4M pps, not 12.5. If you are getting 12.5, then your line
cards aren't well distributed on the FPC's to assure that packets will
always egress out all FPCs (statistical variance due to the stripe-write
of jcells to all FPCs).

The test was on an M40e, but it's the same IP2.

-igor

On Tue, 24 Jun 2003, Rubens Kuhl Jr. wrote:

> 
> There is a performance drop from 40Mpps to 12.5Mpps when you use anything other
> than standard plain routing... if you have a firewall-filter configured, it
> already has such a penalty in place. Although it's 125 times your peak
> traffic flow, you should consider the peak traffic that a DoS attack can
> generate on the router, not your usual traffic. Even then, it's very
> unlikely that usual configurations of M-5, M-10 and M-20 interfaces can sum
> up to that amount.
> 
> 
> 
> Rubens
> 
> 
> ----- Original Message ----- 
> From: <Jack.W.Parks at alltel.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Monday, June 23, 2003 2:25 PM
> Subject: [j-nsp] uRPF - Performance
> 
> 
> | We are looking to enable uRPF on our M-series routers (M20's and below).
> | The benefits of enabling this feature are obvious, but the unknown side
> | effects are what I'm concerned about.  What performance impact could I
> | expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?
> |
> | Has anyone enabled uRPF on their network and do you have any lessons
> | learned?  I would like to iron out the quirks prior to deployment.
> |
> | Jack W. Parks IV
> | Sr. Network Engineer
> | ALLTEL Communications
> | jack.w.parks at alltel.com
> | Work: 501-905-5961
> | Cell: 501-680-3341
> |
> | _______________________________________________
> | juniper-nsp mailing list juniper-nsp at puck.nether.net
> | http://puck.nether.net/mailman/listinfo/juniper-nsp
> |
> |
> 
> 