[j-nsp] firewall filter prefix-list ordering

Adam Vitkovsky Adam.Vitkovsky at gamma.co.uk
Wed Mar 16 04:52:51 EDT 2016


> Saku Ytti
> Sent: Wednesday, March 16, 2016 12:23 AM
>
> On 15 March 2016 at 21:48, Chuck Anderson <cra at wpi.edu> wrote:
>
> Hey,
>
> > On the MX/Trio platform, from a performance standpoint with large
> > prefix-lists (~10,000) and firewall filters, does it matter what order
> > the prefix-list is in?  Will the firewall filter perform better if
> > shorter prefixes are listed first or if some other criteria is used
> > for sorting?
>
> Very good question. MX/Trio, being an NPU box, isn't by any means a constant-
> time platform and does not use TCAM. So ordering does have relevance. I
> don't know if it's possible for the operator to even affect the ordering, or whether it
> passes through internal optimisation which will mask your high-level CLI config?
> You can, with considerable effort, see what I believe is the actual HW-level
> program with 'show filter index N jnh', but it will take several days of
> motivated poking to reason out what is happening there.
>
> I guess the best bet is being empirical and testing in the lab. If it works, you should
> optimise so that the search is matched as early as possible; if the majority of
> packets will flow through the whole prefix-list without matches anyhow, then I
> doubt it matters what order it is in.
>
Yes, the order of statements does make a difference indeed. Since Trio is not using TCAM, as Saku mentioned (not sure about the MPC7 though), the ACL and FW filter processing is not deterministic at all and depends on the combination of length (number of terms/lines), order and, most importantly, the type of match criteria.
So I suggest you play with the prefix-list a little to find out which variation performs best, and also to make sure you can still get your desired Gbps performance through the PFE (the LU, to be specific).



adam
        Adam Vitkovsky
        IP Engineer

T:      0333 006 5936
E:      Adam.Vitkovsky at gamma.co.uk
W:      www.gamma.co.uk

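As an added illustration (not code from the thread, nor from Juniper), the Python script below quantifies Saku's reasoning under one explicit assumption: the lookup walks the prefix-list top to bottom and stops at the first covering prefix, which is the model in which ordering matters at all. The prefix-list and the traffic mix are constructed; the script compares the average number of prefix comparisons per packet for the configured order, shortest-prefix-first and most-hit-first, and shows that when nearly every packet misses the list, order makes no difference.

```python
"""Linear first-match cost model for a firewall-filter prefix-list.

Assumption (not a description of the Trio LU microcode): the filter checks
prefixes in list order and stops at the first one covering the address; a
miss costs a full walk of the list."""
import ipaddress
from collections import Counter

# Constructed sample prefix-list (RFC 5737 documentation ranges).
PREFIX_LIST = ["192.0.2.0/24", "198.51.100.0/25", "198.51.100.128/25",
               "203.0.113.0/26", "203.0.113.64/26", "203.0.113.0/24"]

# Constructed traffic samples: source address -> packet count.
TRAFFIC = {"203.0.113.10": 700, "192.0.2.7": 200,
           "198.51.100.200": 50, "10.0.0.1": 50}
MISS_TRAFFIC = {"10.0.0.1": 1000}      # nothing in the list covers this


def first_match_cost(addr, prefixes):
    """Prefixes compared until the first covering one (all of them on a miss)."""
    ip = ipaddress.ip_address(addr)
    for i, p in enumerate(prefixes, 1):
        if ip in ipaddress.ip_network(p):
            return i
    return len(prefixes)


def expected_cost(prefixes, traffic):
    """Average comparisons per packet for this ordering and traffic mix."""
    total = sum(traffic.values())
    return sum(first_match_cost(a, prefixes) * n for a, n in traffic.items()) / total


def order_by_length(prefixes):
    """Shortest prefixes first, the ordering Chuck asked about."""
    return sorted(prefixes, key=lambda p: ipaddress.ip_network(p).prefixlen)


def order_by_hits(prefixes, traffic):
    """Prefixes covering the most sampled packets first (stable on ties)."""
    hits = Counter()
    for addr, n in traffic.items():
        ip = ipaddress.ip_address(addr)
        hits.update({p: n for p in prefixes if ip in ipaddress.ip_network(p)})
    return sorted(prefixes, key=lambda p: -hits[p])


if __name__ == "__main__":
    for name, order in [("as configured", PREFIX_LIST),
                        ("shortest-first", order_by_length(PREFIX_LIST)),
                        ("hottest-first", order_by_hits(PREFIX_LIST, TRAFFIC))]:
        print(f"{name:15s} {expected_cost(order, TRAFFIC):.2f} cmp/pkt, "
              f"all-miss {expected_cost(order, MISS_TRAFFIC):.2f} cmp/pkt")
```

Feed the script real prefix-lists and a sampled source-address histogram to see whether any ordering pays off before spending lab time; if the all-miss figures dominate, it will not.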