[j-nsp] J-series stateful firewall / NAT architecture
Florian Weimer
fweimer at bfk.de
Wed Apr 16 03:20:15 EDT 2008
* Alex Campbell:

> My first question is whether this is a terrible idea.

With a reasonably-sized filter configuration (about 100 terms), our
J4350 can handle just a few thousand new connections per second, and
can be maxed out with very little traffic (certainly below E3/DS3 line
speed). In our case, the overload was even triggered by non-malicious
traffic. 8-/

We're currently migrating to stateless filters and hope that this
problem does not occur. If it does, we'll move the filtering to a
separate box, this time using Netfilter.

--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99