[j-nsp] SCB Utilization Threshold?

Jeff Wheeler jeff at reflected.net
Tue Mar 23 16:46:24 EST 2004


On Tue, 2004-03-23 at 13:42, Kashif.Khawaja at Broadwing.com wrote:
> and I'd preferably start thinking about expanding my routing capacity at 75% - 80%
> base-line usage.

I believe you're talking about the "exception processor" utilization.  I
had hoped the knowledgeable Juniper folks on the list would weigh in, but
as they haven't yet, maybe I can clear this up.  I hope I'm not talking
completely out of my ass here.  :-)


The "CPU utilization" value shown for the FEB, SSB, SCB, or SFM is for
the exception processor, which does not handle most transit traffic.  It
gets involved in special cases that were probably not practical to
implement on ASIC, such as IP options, which are very rarely used.

Anytime a packet is received for a route that has a REJECT next-hop, the
exception processor has to generate the ICMP response packet.  Also,
when a packet that has reached 0 TTL is transiting the box, an ICMP TTL
EXCEEDED packet must be generated (for most types of packets, anyway.) 
Packets with a LOG action also utilize the exception processor.

When the exception processor, which is a PowerPC (?) that is separate in
function and implementation from the Internet Processor / IP II, is at
100% utilization, a few things will suffer; but your box will still
forward all normal transit traffic at the 2.5Gb/s-per-FPC performance
you have come to expect from your box.

What happens when the exception processor utilization is high / 100%? 
As far as I know, traceroute and REJECT generation suffer, and not all
packets with the LOG action set up will actually be logged.  No real
worries.  What should you do to prevent high CPU use?  It is a common
mistake to anchor routes to REJECT next-hops instead of DISCARD, or to
create firewall filters that REJECT instead of DISCARD traffic.  Keep in
mind that you want your customers to see fast, clean traceroutes through
your network.  Perception is reality.  If you really want to REJECT/LOG
traffic, consider a policer so you can reject a little, discard excess.


I'm not sure what method others on the list use to generate backscatter,
but I use a spare vlan with nothing on it, and use a policer to limit
the rate at which packets reach the firewall filter term that performs
the reject action, keeping exception processor utilization low.

-- 
Jeff at Reflected Networks
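
The advice in the message above (DISCARD rather than REJECT for anchor routes, and a policer in front of any REJECT action) written out as Junos configuration. This is an added example, not configuration from the original post; the filter, policer and counter names, the documentation prefixes and the rate values are all assumptions.

```junos
/* Added example: all names, prefixes and rates are constructed placeholders. */
routing-options {
    static {
        /* Anchor route: "discard" drops silently in the forwarding path.    */
        /* The same route with "reject" would make the exception processor   */
        /* build an ICMP unreachable for every packet that matches it.       */
        route 198.51.100.0/24 discard;
    }
}
firewall {
    policer LIMIT-REJECT {
        if-exceeding {
            bandwidth-limit 32k;
            burst-size-limit 1500;
        }
        /* Out-of-profile packets are dropped here and never reach the       */
        /* reject action, so no ICMP response is generated for them.         */
        then discard;
    }
    filter EDGE-IN {
        term reject-a-little {
            from {
                destination-address {
                    192.0.2.0/24;
                }
            }
            then {
                /* In-profile packets continue to the actions below. */
                policer LIMIT-REJECT;
                count rejected;
                reject;
            }
        }
        term everything-else {
            then accept;
        }
    }
}
```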


