[j-nsp] uRPF - Performance (fwd)
igor at nullrouteit.net
Wed Jun 25 19:03:42 EDT 2003
We have conducted tests that show that with very heavy firewall filters
(3000 terms ingress and egress, lotsa layer4 ops, port ranges, etc), you
will get 22.4M pps, not 12.5. If you are getting 12.5, then your line
cards aren't well distributed on the FPC's to assure that packets will
always egress out all FPCs (statistical varience due to the stipe-write
of jcells to all FPCs).
The test was on an M40e, but it's the same IP2.
Tue, 24 Jun 2003, Rubens Kuhl Jr. wrote:
> There is a performance drop from 40Mpps to 12.5Mpps when use anything other
> than standard plain routing... if you have a firewall-filter configured, it
> already has such a penalty in place.Although it's 125 times your peak
> traffic flow, you should consider the peak traffic that a DoS attack can
> generate on the router, not your usual traffic. Even than, it's very
> unlikely that usual configurations of M-5, M-10 and M-20 interfaces can sum
> up to that amount.
> ----- Original Message -----
> From: <Jack.W.Parks at alltel.com>
> To: <juniper-nsp at puck.nether.net>
> Sent: Monday, June 23, 2003 2:25 PM
> Subject: [j-nsp] uRPF - Performance
> | We are looking to enable uRPF on our M-series routers (M20's and below).
> | The benefits of enabling this feature are obvious, but the unknown side
> | effects are what I'm concerned about. What performance impact could I
> | expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?
> | Has anyone enabled uRPF on their network and do you have any lessoned
> | learned? I would like to iron out the quirks prior to deployment.
> | Jack W. Parks IV
> | Sr. Network Engineer
> | ALLTEL Communications
> | jack.w.parks at alltel.com
> | Work: 501-905-5961
> | Cell: 501-680-3341
> | _______________________________________________
> | juniper-nsp mailing list juniper-nsp at puck.nether.net
> | http://puck.nether.net/mailman/listinfo/juniper-nsp
> juniper-nsp mailing list juniper-nsp at puck.nether.net
More information about the juniper-nsp