[j-nsp] MPC(MX80) + DPCE-R firewall filter capacity

OBrien, Will ObrienH at missouri.edu
Sun May 5 16:15:57 EDT 2013


You can definitely do this. There's room for several hundred filter statements on the R blades. I had policers (as firewall filters) configured for a couple of /16s on a /24 basis for scale.
When I added a third /16 I hit a limit where I couldn't apply changes without restarting the card, if that gives you a sense of scale. (Keep in mind that each policer was configured twice, once for each direction.)

When I did hit the limit, the problem wasn't that it couldn't handle the terms, it was that making changes re-writes the filter to the card in another set of memory, then processing switches over to the new set. The card couldn't handle the double entry of all those terms in the firewall memory - which is a finite amount.

Again, even after going way over, a reset of the blade would succeed in writing the filter and using it.

Hope that gives you an idea.

On May 5, 2013, at 3:08 PM, Peter Krupl <paak at siminn.dk> wrote:

> Hi Group,
> 
> I have googled and checked the KB for some time, but I'm unable to find anything usable...
> 
> The question is:
> Is it safe to apply a firewall filter on an interface with 1700 "from source-address x.x.x.x/y" criteria ?
> Could I do it on several interfaces, and what about interface-specific filters?
> I assume that the limit must be in the Trio or Ichip on each DPC or MPC, right ?
> How can I check resource usage ?
> 
> 
> Kind regards,
> Peter Krüpl
> Network Specialist
> Tel: +45 88805242
> Siminn Danmark A/S



