[j-nsp] traffic drops to 8 Gb/s when a firewall filter is applied
Chris Morrow
morrowc at ops-netman.net
Fri Dec 9 13:08:41 EST 2011
On 12/09/2011 12:58 PM, Keegan Holley wrote:
> Can you post the filter and a sh int extensive? You might have the burst
> rate too small. What kind of load are you generating? Do you see the ff
> counters incrementing?
firewall filters cause extra lookups... so it's reasonable that even a:
    filter foo {
        term boo {
            then accept;
        }
    }
will cause problems... Depending on what you match, and where in the
filter, and lots of other bits (packet sizes, packet rates, etc - which
are more of a problem than packet sizes!) of course there are problems :(
Also, for most cases the PFE is the shared resource that matters, so if
your PFE is very busy doing something else, fewer resources are available
for packet forwarding/acl-processing.
-chris