[j-nsp] Packet classification in Juniper routers

Rubens Kuhl Jr. rubensk at gmail.com
Thu Aug 25 16:56:14 EDT 2005


Juniper routers (both M-series with IP II and T-series) have extensive
packet classification capabilities, provided by JunOS syntax of
firewall filters.
I'm trying to establish good and bad practices for building the
firewall filters, based on what algorithm it uses for traversing the
filter when a packet is processed, as each of the known algorithms* in
this matter is based on one or more heuristics that match a wide range
of field-used filters, but may not match someone's own filters. Or
worse, match during hardware testing and stop being aligned with those
heuristics after some time of being in production.

Any hints of what Juniper uses, whether being the exact algorithm, or
what algorithm is close enough to what is used to share good and bad
properties? So far my best guess is some kind of decision tree.

(Private mail is OK, list e-mail is fine too)


* A very good reference of packet classification techniques can be
found on a report by D. Taylor of WUSTL at
