[j-nsp] traffic drops to 8 Gb/s when a firewall filter is applied

Chris Morrow morrowc at ops-netman.net
Fri Dec 9 13:08:41 EST 2011



On 12/09/2011 12:58 PM, Keegan Holley wrote:
> Can you post the filter and a sh int extensive?  You might have the burst
> rate too small.  What kind of load are you generating?  Do you see the ff
> counters incrementing?

firewall filters cause extra lookups... so it's reasonable that even a:
  filter foo {
    term boo {
      then accept;
    }
  }

will cause problems... Depending on what you match, and where in the
filter, and lots of other bits (packet sizes, packet rates, etc - which
are more of a problem than packet sizes!) of course there are problems :(

Also, for most cases the PFE is the shared resource that matters, so if
your PFE is very busy doing something else, fewer resources are available
for packet forwarding/acl-processing.

-chris

