[j-nsp] TCAM full on EX8200?
Richard A Steenbergen
ras at e-gerbil.net
Sat Oct 15 21:42:16 EDT 2011
On Sat, Oct 15, 2011 at 02:56:01PM -0400, Jeff Wheeler wrote:
>
> Most customers find that their Juniper boxes still operate at wire
> rate even when they load up some ugly filters. On some boxes in some
> cases, however, that is not true. But to generalize, M/MX does
> everything with RAM, provides the operator with more flexibility, but
> also gives him a little more rope with which to hang himself.
It turns out that on I-chip, a dozen or so relatively simple filter
terms are enough to exceed the maximum number of accesses that give you
line-rate performance. It's especially bad if you try to use filter chains,
since there is no "next filter" command, and the "next term" command
(which is REQUIRED in every term in order to keep processing things
further into the chain) is relatively expensive (4 lookups each, and you
only get ~28 for line-rate performance).
Having flowspec routes is another good way to make it angry, since they
get evaluated on every ingress interface. Even worse, when you DO exceed
your lookup capacity, the only symptom will be silent packet drops, with
nothing logged on any interface counter outside of "show ichip" commands
in the pfe shell.
We had to kill our filter chains and use commit-script-built non-chain
filters to implement "chain-like" logic (i.e. re-use of common filter
config components); it was the only way to do it without killing the
box.
> I doubt Juniper has ignored the possibility of grafting some CAM onto
> their "router" boxes for certain operations, but when you already have
> the ALU+RAM method R&D'd and you can simply scale it up a little bit,
> this is probably more sensible than adding a power-hungry CAM and all
> the guts necessary to interface to it, and then do more R&D to have
> the control-plane figure out how to take advantage of it, and *then*
> still live with the fact that Juniper firewall filters *still* give
> you the flexibility to make that operation not perform at wire rate
> also.
They actually did put TCAM onto the modular MPCs (i.e. MPC1 and MPC2,
but not the 16x10GE "MPC", and also I'd like to take this opportunity to
offer an extreme "DIAF" to whoever butchered the use of the word
"modular" on these products!) for exactly this reason. But I've been
told there are no immediate plans to actually add any support for it in
software, if ever. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
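The "commit-script-built non-chain filter" approach mentioned above, as an added example that is not part of the original post and is not Juniper's or RAS's code: reusable filter "components" are flattened into one ordinary filter per interface, so terms fall through to each other without any "next term" glue. The component names, term contents and addresses are constructed for the illustration; a real deployment would generate this inside a Junos commit script (SLAX/XSLT or Python on the box), whereas this runs off-box and its output has not been checked by a Junos parser.

```python
import re

# Constructed reusable filter components, each a list of
# (term_name, match_lines, then_lines). Addresses are documentation ranges.
COMPONENTS = {
    "bogons": [
        ("rfc1918",
         ["source-address 10.0.0.0/8;",
          "source-address 172.16.0.0/12;",
          "source-address 192.168.0.0/16;"],
         ["count bogon;", "discard;"]),
    ],
    "mgmt": [
        ("ssh-from-noc",
         ["source-address 203.0.113.0/24;", "protocol tcp;", "destination-port ssh;"],
         ["accept;"]),
        ("ssh-other",
         ["protocol tcp;", "destination-port ssh;"],
         ["count ssh-reject;", "reject;"]),
    ],
    "count-only": [
        ("icmp", ["protocol icmp;"], ["count icmp;"]),  # no terminating action
    ],
    "default": [
        ("everything-else", [], ["accept;"]),
    ],
}

TERMINATING = ("accept;", "discard;", "reject;")
TERM_RE = re.compile(r"^\s*term \S+ \{$", re.MULTILINE)


def render_term(term_name, match_lines, then_lines, indent="    "):
    """Emit one Junos 'term' block. An empty match list means 'match everything',
    so the 'from' stanza is omitted rather than emitted empty."""
    out = [f"{indent}term {term_name} {{"]
    if match_lines:
        out.append(f"{indent}    from {{")
        out.extend(f"{indent}        {m}" for m in match_lines)
        out.append(f"{indent}    }}")
    out.append(f"{indent}    then {{")
    out.extend(f"{indent}        {t}" for t in then_lines)
    out.append(f"{indent}    }}")
    out.append(f"{indent}}}")
    return out


def build_filter(filter_name, component_order, components=COMPONENTS):
    """Flatten the named components, in order, into a single filter.
    Term names are prefixed with the component name so two components can
    reuse the same local term name without colliding. Because every term
    lives in one filter, a non-matching term falls through to the next one
    without any 'next term' glue; a component that carries one is rejected."""
    lines = [f"filter {filter_name} {{"]
    seen = set()
    for comp in component_order:
        for term_name, match_lines, then_lines in components[comp]:  # KeyError if unknown
            full = f"{comp}-{term_name}"
            if full in seen:
                raise ValueError(f"duplicate term name {full}")
            seen.add(full)
            if any("next term" in action for action in then_lines):
                raise ValueError(f"{full}: 'next term' belongs to chains, not flat filters")
            lines.extend(render_term(full, match_lines, then_lines))
    lines.append("}")
    return "\n".join(lines)


def count_terms(config):
    """Number of 'term' blocks in a rendered filter (the quantity the post
    says you have to keep small on I-chip)."""
    return len(TERM_RE.findall(config))


def ends_with_terminating_action(component_order, components=COMPONENTS):
    """A flat filter ends in an implicit discard, so the last term of the
    last component should terminate explicitly, or the generated filter
    silently drops whatever it did not match."""
    last_then = components[component_order[-1]][-1][2]
    return any(action in TERMINATING for action in last_then)


if __name__ == "__main__":
    order = ["bogons", "mgmt", "default"]
    assert ends_with_terminating_action(order)
    print(build_filter("edge-in", order))
```

The output goes under `firewall family inet` and is applied as a single `input` filter on the interface, so the only per-packet cost is the terms themselves; the `ends_with_terminating_action` check exists because a component that ends in a count-only term would otherwise hand unmatched traffic to the implicit discard, which is exactly the kind of silent drop you would not see on an interface counter.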