[j-nsp] MX960 vs MX10K
Saku Ytti
saku at ytti.fi
Thu Mar 5 11:29:57 EST 2020
On Thu, 5 Mar 2020 at 18:05, Alexander Arseniev <arseniev at btinternet.com> wrote:
> I would expect the "IPSEC anchor PFE", just like it is done with BFD et
> al a.t.m.
> That anchor PFE maintains IKE exchange sequences/anti-replay etc and any
> IKE/IPSec packet arriving on a different PFE would be redirected there.
> Same thing really what currently happens on a Services card.
I'm not sure what you mean by BFD here. BFD can be done in various ways
a) RPD
b) PPMd on RE CPU
c) PPMd on LC CPU
d) Inline on NPU
If you do it on d) it's done the NPU where the neighbour is, entirely
on the NPU.
And sure there is signalling in IPSEC, just like there is in BGP,
which is not done in hardware. But actual bit pushing is done in
hardware.
--
++ytti
More information about the juniper-nsp
mailing list