[j-nsp] J series users bitten by the massive memory use increase with flow mode add, please file jtac cases.

Amos Rosenboim amos at oasis-tech.net
Thu Jul 22 15:19:41 EDT 2010


Chris,

Thanks for your feedback.
However I think it does not address the following points:

1. Memory consumption is increased by flow mode; even if the router
reverts to packet mode, the pre-allocation is not released.
2. Upgrade from packet mode version to flow mode version locks you out
of the router unless you have out-of-band access (as the router comes
up with some default stateful configuration).
3. The issues raised below (I didn't realize this myself) about
sessions destined to the router still being processed as flow mode,
which can tear down TCP sessions under certain circumstances.

Regards

Amos

On Jul 22, 2010, at 9:37 PM, Chris Whyte wrote:

>> * Leigh Porter:
>>
>>> I thought that as soon as you turn MPLS on the flow mode was disabled
>>> and you were back to good old packet mode?
>>
>> No, packets targeted at the device itself are still processed in flow
>> mode.  According to the documentation, there is no way around that.
>> It means that all existing TCP sessions involving the device are
>> severed when a rerouting event occurs because their flow implementation
>> is interface-sensitive.
>
> MPLS is not supported in flow mode today. To enable MPLS in packet
> mode, do the following:
>
> set security forwarding-options family mpls mode packet-based
>
> As I'm sure many of you know (but apparently not everyone), flow mode
> was created because Juniper felt it was the best architectural
> approach to implementing security functionality (e.g. stateful FW,
> IDP, etc). Any J-Series router running 9.4+ code can run as a
> packet-based router, which also disables any of these stateful
> features, by doing the above command. You also have the ability to
> run or chain flow-mode and packet-mode routing instances.
>
> I realize that it's probably irritating to some people that all
> post-9.3 releases have flow mode enabled by default but it is fairly
> simple to change the router to packet-based only.
>
> Thanks, Chris