[j-nsp] SRX Dynamic Address limits

Eric Harrison eric.harrison at cascadetech.org
Fri Mar 1 10:50:59 EST 2024


I don't know if this is relevant or not in regards to the srx345, but I
recently stress tested an srx4100 and started to notice some
anomalies around 64k prefixes. I don't recall anything being logged and it
reported that it loaded all >=64k prefixes, "show security match-policies"
gave the right answers, but some actual test traffic started to be logged
on an unexpected policy. Opening a ticket is on the TODO list.


One of our production srx4100s currently has 53k dynamic IPv4 prefixes w/o
skipping a beat:

> show security dynamic-address summary
.....
Instance Name                              : default
    Total number of IPv4 entries           : 232848
    Total number of IPv4 entries from feed : 53445
    Total number of IPv6 entries           : 0
    Total number of IPv6 entries from feed : 0


-Eric


On Fri, Mar 1, 2024 at 5:11 AM Chris Lee via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:

> Hi All,
>
> Does anyone know if there's any specific limits/bounds/impacts on the
> number of IP addresses that can be imported into a SRX Dynamic Address
> list, specifically for an SRX345 ?
>
>
> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dynamic-address.html
>
> Have been trialling it for a little while now with a relatively small
> number (around 3000 IPv4 and 1200 IPv6 entries), but looking to do some
> further GeoIP restrictions which would likely be around another 22000 IPv4
> entries I need to import for the specific countries I need. Will anything
> topple/break with that many IPs in various dynamic lists ?
>
> I've tried looking but my google-fu is failing to turn up any data on
> limitations anywhere... I've found reference to address sets "One address
> set can reference a maximum of 16384 address entries and a maximum of 256
> address sets." but I'm not sure that this applies to dynamic address list
> entries as I figure that restriction may have more to do with the SRX
> having to parse a massive configuration file ?
>
> Thanks,
> Chris
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>


-- 
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554   cell: 971-998-6249   NOC 503-257-1510
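A pre-flight check for a feed file before pointing an SRX dynamic-address at it, added here as an example and not code from either poster. It assumes the feed is plain text with one prefix per line (as a GeoIP export usually is), collapses adjacent and overlapping prefixes to cut the entry count without changing coverage, and flags the two numbers from this thread: the 16384-per-address-set figure Chris quoted and the ~64k point where Eric saw anomalies; both are treated as assumptions, not documented dynamic-address limits.

```python
import ipaddress

# Thresholds taken from the thread, not from Juniper documentation (assumptions).
ADDRESS_SET_LIMIT = 16384        # quoted for static address sets; may not apply to feeds
OBSERVED_ANOMALY_POINT = 65536   # Eric saw odd policy matches around 64k prefixes on an SRX4100


def parse_feed(lines):
    """Turn feed lines into ip_network objects, skipping blanks and '#' comments."""
    nets = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False accepts host bits set (e.g. a bare address or 10.0.0.1/24)
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge adjacent/overlapping prefixes per family; the covered space stays identical."""
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def headroom(nets):
    """Report per-family counts and whether they cross the thread's two thresholds."""
    v4 = sum(1 for n in nets if n.version == 4)
    v6 = sum(1 for n in nets if n.version == 6)
    return {
        "ipv4": v4,
        "ipv6": v6,
        "over_address_set_limit": max(v4, v6) > ADDRESS_SET_LIMIT,
        "near_observed_anomaly": max(v4, v6) >= OBSERVED_ANOMALY_POINT * 0.9,
    }


# Constructed sample feed (documentation prefixes); a real GeoIP export looks the same.
SAMPLE_FEED = """
192.0.2.0/25
192.0.2.128/25        # adjacent to the line above -> merges into 192.0.2.0/24
198.51.100.0/24
198.51.100.10         # already covered by the /24 above -> dropped
2001:db8::/33
2001:db8:8000::/33    # adjacent -> merges into 2001:db8::/32
""".splitlines()

if __name__ == "__main__":
    raw = parse_feed(SAMPLE_FEED)
    merged = collapse(raw)
    print(f"{len(raw)} entries in feed, {len(merged)} after collapsing")
    print(headroom(merged))
```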

