[j-nsp] SRX Dynamic Address limits

Chris Lee chris at datachaos.com.au
Fri Mar 1 17:36:11 EST 2024 

Hi Eric,

Thanks for that, not too sure where the dynamic lists are stored in RAM or
some other onboard memory.

That said I ended up loading the lists in a srx340 first which is pretty
similar anyway and couldn't see any issues so went ahead and loaded on the
srx345's and it looks fine so far, I was a little out with my counts anyway
as the lists I'm feeding are v4/v6 so the split ended up less than 20k v4
and less than 10k v6.

Instance Name                              : default
    Total number of IPv4 entries           : 18226
    Total number of IPv4 entries from feed : 17258
    Total number of IPv6 entries           : 9733
    Total number of IPv6 entries from feed : 9518

I just found another reference at
https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-policy-configuration.html
which has a table of the various models and suggest the srx345 can only
have 2048 address objects per policy, which is a bit confusing from the
previous link but that was referring to address-sets I think.

In any case this article seems to suggest to me the policy memory usage is
definitely just loaded into regular RAM, and from what I've seen there was
a little bit of an uptick in memory usage but only by a couple of hundred
MB, just a few percentage points in the overall usage on the RE that I can
see, so doesn't look to be an issue.

I do have a pair of srx1600's on order to swap out the 345's, I just
realised the datasheet doesn't list how much RAM they ship with as was
mostly looking at them from the point of view of more throughput on
interfaces, but hopefully they have been a bit more generous on the memory
modules in the 1600's.

Thanks,
Chris


On Sat, Mar 2, 2024 at 1:51 AM Eric Harrison <eric.harrison at cascadetech.org>
wrote:

>
> I don't know if this is relevant or not in regards to the srx345, but I
> recently stress tested a srx4100 and started to notice some
> anomalies around 64k prefixes. I don't recall anything being logged and it
> reported that it loaded all >=64k prefixes, "show security match-policies"
> gave the right answers, but some actual test traffic started to be logged
> on an unexpected policy.  Opening a ticket is on the TODO list.
>
>
> One of our production srx4100's currently has 53k dynamic IPv4 prefixes
> w/o skipping a beat:
>
> > show security dynamic-address summary
> .....
> Instance Name                              : default
>     Total number of IPv4 entries           : 232848
>     Total number of IPv4 entries from feed : 53445
>     Total number of IPv6 entries           : 0
>     Total number of IPv6 entries from feed : 0
>
>
> -Eric
>
>
> On Fri, Mar 1, 2024 at 5:11 AM Chris Lee via juniper-nsp <
> juniper-nsp at puck.nether.net> wrote:
>
>> Hi All,
>>
>> Does anyone know if there's any specific limits/bounds/impacts on the
>> number of IP addresses that can be imported into a SRX Dynamic Address
>> list, specifically for an SRX345 ?
>>
>>
>> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dynamic-address.html
>>
>> Have been trialling it for a little while now with a relatively small
>> number (around 3000 IPv4 and 1200 IPv6 entries), but looking to do some
>> further GeoIP restrictions which would likely be around another 22000 IPv4
>> entries I need to import for the specific countries I need. Will anything
>> topple/break with that many IP's in various dynamic lists ?
>>
>> I've tried looking but my google-fu is failing to turn up any data on
>> limitations anywhere... I've found reference to address sets "One address
>> set can reference a maximum of 16384 address entries and a maximum of 256
>> address sets." but I'm not sure that this applies to dynamic address list
>> entries as I figure that restriction may have more to do with the SRX
>> having to parse a massive configuration file ?
>>
>> Thanks,
>> Chris
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
>
> --
> Eric Harrison
> Network Services
> Cascade Technology Alliance / Multnomah Education Service District
> office: 503-257-1554   cell: 971-998-6249   NOC 503-257-1510
>

More information about the juniper-nsp mailing list