[j-nsp] How many bits/bytes of a packet can be matched in a firewall rule on Juniper MX-series?
Saku Ytti
saku at ytti.fi
Fri Jul 9 01:30:30 EDT 2021
Hey,
I'm not sure I can parse what you are asking. I thought you're asking
how far in the packet you can match with flexible-match-mask, which I
can commit up to a 255 byte offset, but didn't test. I know the original
Trio gets about 320B of the packet in the LU, but newer Trios get a
little bit less.
Whenever MQ sends a packet to LU for lookup, if it is able to send the
entire packet, it sets the parcel type M2L_Packet, if it cannot send
the entire packet, it sends first N bytes and sets the parcel type
M2L_PacketHead.
Therefore if you ping through a quiet Trio, and increase packet size
byte by byte, once you see a counter shift from M2L_Packet to
M2L_PacketHead you've found the value of N.
You can review these counters on modern Trio via 'show mqss N lo
stats', such as:
IMPC2(r33.labxtx01.us.bb-re0 vty)# show mqss 0 lo stats
LO Block  Parcel Name      Counter Name           Total         Rate
---------------------------------------------------------------------
0         M2L_Packet       Parcels sent to LUSS   8194632996    3479 pps
0         M2L_PacketHead   Parcels sent to LUSS   22929007899   7559 pps
But seeing you included a question about filter chaining, I'm not sure
I understood your question right.
On Fri, 9 Jul 2021 at 03:21, embolist via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:
>
> ---------- Forwarded message ----------
> From: embolist <embolist at pm.me>
> To: "juniper-nsp at puck.nether.net" <juniper-nsp at puck.nether.net>
> Cc:
> Bcc:
> Date: Fri, 09 Jul 2021 00:15:11 +0000
> Subject: How many bits/bytes of a packet can be matched in a firewall rule on Juniper MX-series?
> I'm trying to figure out how many bits/bytes of a packet I can match on in a firewall rule for a Juniper MX router. A lot of the documentation talks about a 128-bit match criteria, but then I see some examples which seem to imply that I can do multi-term matching, chaining match criteria together.
>
> Am I understanding this correctly? If so, how many 128-bit matching criteria can I chain together? Or am I totally misunderstanding?
>
> I'm a Juniper n00b (as if you couldn't tell), and would really appreciate any pointers. The documentation just doesn't seem to contain any information on how much of a packet I can match.
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
++ytti
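An added example, not part of Saku's mail or any Juniper tooling: a small parser for the 'show mqss N lo stats' layout quoted above, which compares two samples taken around a single ping on a quiet Trio and reports whether that packet reached LU as M2L_Packet or M2L_PacketHead. The sample output and the probe sizes are constructed; the column and parcel names come from the quoted output.

```python
"""Parse 'show mqss N lo stats' samples and detect which LO parcel counter moved."""
import re
from typing import Dict, Iterable, Optional, Tuple

# Constructed samples in the layout quoted in the mail: counters before and
# after sending one ping through an otherwise quiet Trio.
BEFORE = """\
LO Block  Parcel Name      Counter Name           Total         Rate
---------------------------------------------------------------------
0         M2L_Packet       Parcels sent to LUSS   8194632996    3479 pps
0         M2L_PacketHead   Parcels sent to LUSS   22929007899   7559 pps
"""
AFTER = """\
LO Block  Parcel Name      Counter Name           Total         Rate
---------------------------------------------------------------------
0         M2L_Packet       Parcels sent to LUSS   8194632996    3479 pps
0         M2L_PacketHead   Parcels sent to LUSS   22929007900   7559 pps
"""

# One counter row: block, parcel name, counter name, total, rate.
ROW = re.compile(r"^\s*(\d+)\s+(M2L_\w+)\s+Parcels sent to LUSS\s+(\d+)\s+(\d+)\s+pps")

def parse_lo_stats(text: str) -> Dict[str, int]:
    """Return {parcel_name: total} for each 'Parcels sent to LUSS' row."""
    totals: Dict[str, int] = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            totals[m.group(2)] = int(m.group(3))
    return totals

def parcel_delta(before: str, after: str) -> Dict[str, int]:
    """Per-parcel-type increase in 'Total' between two samples."""
    b, a = parse_lo_stats(before), parse_lo_stats(after)
    return {name: a[name] - b.get(name, 0) for name in a}

def packet_truncated(before: str, after: str) -> bool:
    """True when the probe was handed to LU as M2L_PacketHead, i.e. MQ could
    not pass the whole packet (the packet was longer than N bytes)."""
    d = parcel_delta(before, after)
    return d.get("M2L_PacketHead", 0) > 0 and d.get("M2L_Packet", 0) == 0

def first_truncated_size(probes: Iterable[Tuple[int, str, str]]) -> Optional[int]:
    """probes: (packet_size, before_text, after_text) in increasing size order.
    Returns the first size sent as M2L_PacketHead (the N from the mail), or None."""
    for size, before, after in probes:
        if packet_truncated(before, after):
            return size
    return None
```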