[j-nsp] A low number of Firewall filters reducing the bandwidth capacity.
Saku Ytti
saku at ytti.fi
Sun Aug 25 01:35:57 EDT 2024
The RE and LC CPU have nothing to do with this, you'd need to check
the Trio PPE congestion levels to figure out if you're running out of
cycles for ucode execution.
This might improve your performance:
https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/firewall-fast-lookup-filter.html
There is also old and new trio ucode, new being 'hyper mode', but this
may already be default on, depending on your release. Hyper mode
should give a bit more PPS.
There is precious little information available, like what exactly are
your filters doing, what kind of PPS are you pushing in the Trio
experiencing this, where are you seeing the drops, if you are
dropping, they are absolutely accounted for somewhere.
Unless you are really pushing very heavy PPS, I have difficulty
seeing 100 sensible FW rules impacting performance, not saying it is
impossible, but suspecting there is a lot more here. We'd need to deep
dive into the rules, PPE configuration and load.
On Sat, 24 Aug 2024 at 23:35, Gustavo Santos via juniper-nsp
<juniper-nsp at puck.nether.net> wrote:
>
> Hi,
>
> We have noticed that when a not so large number of firewall filter terms
> are generated and pushed to edge routers via NETCONF into a triplet of
> MX10003s, we start receiving customer complaints. These issues seem to be
> related to the router's FPC limiting overall network traffic. To resolve
> the problem, we simply deactivate the ephemeral configuration database that
> contains the rules, which removes all the rules, and the traffic flow
> returns to normal. Is there any known limitation or bug that could cause
> this type of issue?
> We typically observe this problem with more than 100 rules; with a smaller
> number of rules, we don't experience the same issue, even with much larger
> attacks. Is there any known bug or limitation?
>
> As it is a customer traffic issue I didn't have the time to check fpc
> memory or fpc shell. I just checked the routing engine and fpc cpu and
> they are all fine ( under 50% fpc and under 10% RE).
>
> Any thoughts?
>
> Regards.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
++ytti
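As an added illustration of the `fast-lookup-filter` knob Saku links to (this is not configuration from either poster, and the filter name, term names and counter names are made up), the statement sits at the top of the `family inet` filter and applies to every term in it; terms using match conditions the fast-lookup path does not support fall back to the normal ucode path, so check the linked reference before relying on it for a 100-term mitigation filter:

```junos
firewall {
    family inet {
        filter EDGE-MITIGATION {
            /* hypothetical filter name; statement is per-filter, not per-term */
            fast-lookup-filter;
            term ntp-amp {
                from {
                    protocol udp;
                    source-port ntp;
                }
                then {
                    count ntp-amp-dropped;
                    discard;
                }
            }
            term accept-rest {
                then accept;
            }
        }
    }
}
```

After commit, `show firewall filter EDGE-MITIGATION` shows the per-term counters, which is the first place to confirm whether the filter itself, rather than a congested PPE, is accounting for the dropped traffic.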