[j-nsp] M40 and Multilink PPP

Michael Loftis mloftis at wgops.com
Mon Mar 28 14:58:21 EST 2005 


--On Monday, March 28, 2005 21:46 +0200 Nils Swart <nils at tdsdata.net> wrote:


> Exactly, since everything related to forwarding of packets is done in
> hardware instead of being processed using a CPU, this brings two things
> to  the table: wire-rate & predictable performance for normal forwarding
> of  packets, but inflexibility in special processing of packets (IPSEC,
> GRE,  Multilink PPP).

Which is why you buy the AS-PIC, because it'll do all of that.  Some 
operations (EG sampling, stateful firewall) can be resource limited (AS PIC 
CPU or memory) but the limits are VERY generous even in the ASM, and 
looking at the AS-PIC specs they are even more generous.  This means when 
slammer II hits, your juniper continues forwarding up to (or VERY near) 
line rates, as long as you don't severely oversubscribe your ASM/AS-PIC

> Service PICs like the Adaptive Service PIC (or onboard module in an M7i
> as  mentioned by Erdem) solve this. Traffic is sent into an AS-PIC, gets
> processed (encrypted, tunneled, stateful firewalled, etc), and comes
> back to the packet forwarding engine to be shipped  off to it's final
> destination.

Also there's nothing that prevents one from using an AS-PIC in an M7i if 
you have need for more bandwidth than the ASM allows.  The Only hitch about 
the AS-PIC I think are the FPC and FEB (or CFEB) forwarding rates.

> (Ps.: Adaptive Services PICs are called adaptive since they can be
> programmed to do a variety of stuff, as opposed to an ML-PIC or
> Encryption  services PIC that can only perform one task; before you go
> off and buy any  of these, you'd best contact your juniper tech guy to
> check if you've got  supported hardware)

Yup.

> Regarding performance, Michael's mentioned 800 Mbps is related to tunnel
> (GRE,logical/virtual tunnel) capacity only; not to IPSEC,MLPPP or SFW.
> (which is about OC-3 worth of bandwidth on the onboard ASM in an M7i)

Ahhh, well, either way.  Faster than just about anything from vendor C ;) 
Thanks for clearing that up though....I'm deploying a small number of IPSec 
tunnels (~100mbit) and was a little worried we might hit that limit.  But 
it makes sense...everything in hardware, and the AS-PIC is just a FPGA like 
the rest of the kit....so they probably demand configure it to do whatevers 
needed.  There's always the backplane or CFEB limits to hit, but there's 
not enough ports in ours. :)

More information about the juniper-nsp mailing list