[j-nsp] firewall filter prefix-list ordering

Nitzan Tzelniker nitzan.tzelniker at gmail.com
Wed Mar 16 03:01:00 EDT 2016


BTW

if you have MPC5 or 6 you can use fast-lookup-filter to increase
the performance

http://www.juniper.net/techpubs/en_US/junos15.1/topics/concept/firewall-filter-fast-lookup-filter.html


Nitzan

On Wed, Mar 16, 2016 at 2:23 AM, Saku Ytti <saku at ytti.fi> wrote:

> On 15 March 2016 at 21:48, Chuck Anderson <cra at wpi.edu> wrote:
>
> Hey,
>
> > On the MX/Trio platform, from a performance standpoint with large
> > prefix-lists (~10,000) and firewall filters, does it matter what order
> > the prefix-list is in?  Will the firewall filter perform better if
> > shorter prefixes are listed first or if some other criteria is used
> > for sorting?
>
> Very good question. MX/Trio being NPU box, isn't by any means constant
> time platform and does not use TCAM. So ordering does have
> relevance. I don't know if it's possible for operator to even affect
> the ordering, or does it pass through internal optimisation which will
> mask your high-level CLI config?
> You can, with considerable effort, see what I believe is actual HW
> level program with 'show filter index N jnh' but it will take several
> days of motivated poking to reason what is happening there.
>
> I guess best bet is being empirical and testing in lab. If it works
> you should optimise so that the search is matched as early as
> possible, if majority of packets will flow through whole prefix-list
> without matches anyhow, then I doubt it matters what order it is in.
>
> --
>   ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
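As an added illustration (editor's example, not configuration posted by anyone in the thread), the knob Nitzan points to sits directly under the filter in the `[edit firewall family inet filter <name>]` hierarchy. The filter below references a source prefix-list and enables fast-lookup-filter; the prefix-list name, filter name, term names, counter name and the RFC 1918 / RFC 6598 sample prefixes are all constructed placeholders, and the term most likely to match is placed first in line with Saku's suggestion to match as early as possible.

```junos
/* Added example, not from the thread. Names and prefixes are placeholders. */
policy-options {
    prefix-list BOGON-SRC {
        10.0.0.0/8;
        100.64.0.0/10;
        172.16.0.0/12;
        192.168.0.0/16;
    }
}
firewall {
    family inet {
        filter BLOCK-BOGONS {
            /* Only takes effect on MPC5E/MPC6E line cards (Junos 15.1 docs) */
            fast-lookup-filter;
            /* Put the term expected to match most traffic first */
            term drop-bogon-sources {
                from {
                    source-prefix-list {
                        BOGON-SRC;
                    }
                }
                then {
                    count bogon-source-drops;
                    discard;
                }
            }
            term accept-everything-else {
                then accept;
            }
        }
    }
}
```

Apply the filter with `set interfaces <ifd> unit <n> family inet filter input BLOCK-BOGONS` and watch the `bogon-source-drops` counter with `show firewall filter BLOCK-BOGONS` to confirm the term is being hit; the hardware-level program Saku mentions (`show filter index N jnh`) is a PFE shell command, not a CLI one, and is not shown here.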