[j-nsp] J series users bitten by the massive memory use increase with flow mode add, please file jtac cases.

Chris Whyte cwhyte at juniper.net
Thu Jul 22 15:33:11 EDT 2010


Fair enough. 

I personally don't have answers to those questions but I'll do what I can to
make sure they get answered in the next day or two.

Thanks, Chris


On 7/22/10 12:19 PM, "Amos Rosenboim" <amos at oasis-tech.net> wrote:

> Chris,
> 
> Thanks for your feedback.
> However I think it does not address the following points:
> 
> 1. Memory consumption increased by flow mode: even if the router
> reverts to packet mode, the pre-allocation is not released.
> 2. Upgrade from packet mode version to flow mode version locks you out
> of the router unless you have out-of-band access (as the router comes
> up with some default stateful configuration).
> 3. The issues raised below (I didn't realize this myself) about
> sessions destined to the router still being processed as flow mode,
> which can tear down TCP sessions under certain circumstances.
> 
> Regards
> 
> Amos
> 
> On Jul 22, 2010, at 9:37 PM, Chris Whyte wrote:
> 
>>> * Leigh Porter:
>>> 
>>>> I thought that as soon as you turn MPLS on the flow mode was disabled
>>>> and you were back to good old packet mode?
>>> 
>>> No, packets targeted at the device itself are still processed in flow
>>> mode.  According to the documentation, there is no way around that.
>>> It means that all existing TCP sessions involving the device are
>>> severed when a rerouting event occurs because their flow implementation
>>> is interface-sensitive.
>> 
>> MPLS is not supported in flow mode today. To enable MPLS in packet mode,
>> do the following:
>> 
>> set security forwarding-options family mpls mode packet-based
>> 
>> As I'm sure many of you know (but apparently not everyone), flow mode was
>> created because Juniper felt it was the best architectural approach to
>> implementing security functionality (e.g. stateful FW, IDP, etc.). Any
>> J-Series router running 9.4+ code can run as a packet-based router, which
>> also disables any of these stateful features, by doing the above command.
>> You also have the ability to run or chain flow-mode and packet-mode
>> routing instances.
>> 
>> I realize that it's probably irritating to some people that all post-9.3
>> releases have flow mode enabled by default but it is fairly simple to
>> change the router to packet-based only.
>> 
>> Thanks, Chris
>> 