[j-nsp] firewall filter prefix-list ordering

Saku Ytti saku at ytti.fi
Tue Mar 15 20:23:08 EDT 2016


On 15 March 2016 at 21:48, Chuck Anderson <cra at wpi.edu> wrote:

Hey,

> On the MX/Trio platform, from a performance standpoint with large
> prefix-lists (~10,000) and firewall filters, does it matter what order
> the prefix-list is in?  Will the firewall filter perform better if
> shorter prefixes are listed first or if some other criteria is used
> for sorting?

Very good question. MX/Trio, being an NPU box, isn't by any means a
constant-time platform and does not use TCAM. So ordering does have
relevance. I don't know if it's possible for the operator to even affect
the ordering, or whether it passes through an internal optimisation which
will mask your high-level CLI config.
You can, with considerable effort, see what I believe is the actual HW
level program with 'show filter index N jnh', but it will take several
days of motivated poking to reason out what is happening there.

I guess the best bet is being empirical and testing in the lab. If it
works, you should optimise so that the search is matched as early as
possible; if the majority of packets will flow through the whole
prefix-list without matches anyhow, then I doubt it matters what order
it is in.

-- 
  ++ytti
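To make the reasoning in the reply concrete, here is an added example (not code from the thread or from Juniper) that models a prefix-list as a linearly walked, first-hit-stops list and measures the average number of comparisons per packet for two orderings; that linear model, the prefixes and the traffic mix are all constructed assumptions, since the actual Trio program is opaque as the reply notes.

```python
# Added example: toy model of a prefix-list evaluated linearly, stopping at
# the first hit. Assumption: the hardware walks the list in CLI order, which
# the reply says cannot be confirmed without 'show filter index N jnh'.
import ipaddress


def cost_of_lookup(prefix_list, addr):
    """Return (matched, comparisons) for one packet under the linear model."""
    for i, net in enumerate(prefix_list, start=1):
        if addr in net:
            return True, i          # hit: stop after i comparisons
    return False, len(prefix_list)  # miss: the whole list was walked


def average_cost(prefix_list, traffic):
    """Mean number of prefix comparisons per packet over a traffic sample."""
    total = sum(cost_of_lookup(prefix_list, a)[1] for a in traffic)
    return total / len(traffic)


def order_by_hits(prefix_list, traffic):
    """Reorder so prefixes that matched most often in the sample come first.

    Prefix-list semantics are set membership, so reordering does not change
    which packets match, only how early the walk can stop.
    """
    hits = {net: 0 for net in prefix_list}
    for a in traffic:
        for net in prefix_list:
            if a in net:
                hits[net] += 1
                break
    return sorted(prefix_list, key=lambda n: hits[n], reverse=True)


# Constructed prefix-list: 200 non-overlapping /24s in CLI order.
PREFIXES = [ipaddress.ip_network(f"10.0.{i}.0/24") for i in range(200)]
# Constructed traffic: 90% of packets hit the LAST prefix, 10% the first.
HOT_TRAFFIC = ([ipaddress.ip_address("10.0.199.1")] * 90
               + [ipaddress.ip_address("10.0.0.1")] * 10)
# Constructed traffic that matches nothing in the list at all.
MISS_TRAFFIC = [ipaddress.ip_address(f"192.0.2.{i}") for i in range(100)]

if __name__ == "__main__":
    print("hot, CLI order   :", average_cost(PREFIXES, HOT_TRAFFIC))
    print("hot, hits first  :", average_cost(order_by_hits(PREFIXES, HOT_TRAFFIC), HOT_TRAFFIC))
    print("miss, CLI order  :", average_cost(PREFIXES, MISS_TRAFFIC))
    print("miss, hits first :", average_cost(order_by_hits(PREFIXES, MISS_TRAFFIC), MISS_TRAFFIC))
```

Matching traffic drops from about 180 comparisons per packet to about 1 once the hot prefix is moved to the front, while non-matching traffic walks all 200 entries regardless of order, which is the point made in the reply.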

