[j-nsp] SRX Dynamic Address limits

Roger Wiklund roger.wiklund at gmail.com
Mon Mar 4 05:34:45 EST 2024


We're using stamparm/ipsum: Daily feed of bad IPs (with blacklist hit
scores) (github.com) <https://github.com/stamparm/ipsum> with SRX300.

~37k entries with no issues.

  Address name              : ipsum-l2
      Address id                : 11
      IPv4 entries              : 37317

Regards
Roger



On Fri, Mar 1, 2024 at 11:37 PM Chris Lee via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:

> Hi Eric,
>
> Thanks for that, not too sure where the dynamic lists are stored in RAM or
> some other onboard memory.
>
> That said I ended up loading the lists in a srx340 first which is pretty
> similar anyway and couldn't see any issues so went ahead and loaded on the
> srx345's and it looks fine so far, I was a little out with my counts anyway
> as the lists I'm feeding are v4/v6 so the split ended up less than 20k v4
> and less than 10k v6.
>
> Instance Name                              : default
>     Total number of IPv4 entries           : 18226
>     Total number of IPv4 entries from feed : 17258
>     Total number of IPv6 entries           : 9733
>     Total number of IPv6 entries from feed : 9518
>
> I just found another reference at
>
> https://www.juniper.net/documentation/us/en/software/junos/security-policies/topics/topic-map/security-policy-configuration.html
> which has a table of the various models and suggest the srx345 can only
> have 2048 address objects per policy, which is a bit confusing from the
> previous link but that was referring to address-sets I think.
>
> In any case this article seems to suggest to me the policy memory usage is
> definitely just loaded into regular RAM, and from what I've seen there was
> a little bit of an uptick in memory usage but only by a couple of hundred
> MB, just a few percentage points in the overall usage on the RE that I can
> see, so doesn't look to be an issue.
>
> I do have a pair of srx1600's on order to swap out the 345's, I just
> realised the datasheet doesn't list how much RAM they ship with as was
> mostly looking at them from the point of view of more throughput on
> interfaces, but hopefully they have been a bit more generous on the memory
> modules in the 1600's.
>
> Thanks,
> Chris
>
>
> On Sat, Mar 2, 2024 at 1:51 AM Eric Harrison <
> eric.harrison at cascadetech.org>
> wrote:
>
> >
> > I don't know if this is relevant or not in regards to the srx345, but I
> > recently stress tested a srx4100 and started to notice some
> > anomalies around 64k prefixes. I don't recall anything being logged and it
> > reported that it loaded all >=64k prefixes, "show security match-policies"
> > gave the right answers, but some actual test traffic started to be logged
> > on an unexpected policy.  Opening a ticket is on the TODO list.
> >
> >
> > One of our production srx4100's currently has 53k dynamic IPv4 prefixes
> > w/o skipping a beat:
> >
> > > show security dynamic-address summary
> > .....
> > Instance Name                              : default
> >     Total number of IPv4 entries           : 232848
> >     Total number of IPv4 entries from feed : 53445
> >     Total number of IPv6 entries           : 0
> >     Total number of IPv6 entries from feed : 0
> >
> >
> > -Eric
> >
> >
> > On Fri, Mar 1, 2024 at 5:11 AM Chris Lee via juniper-nsp <
> > juniper-nsp at puck.nether.net> wrote:
> >
> >> Hi All,
> >>
> >> Does anyone know if there's any specific limits/bounds/impacts on the
> >> number of IP addresses that can be imported into a SRX Dynamic Address
> >> list, specifically for an SRX345 ?
> >>
> >> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dynamic-address.html
> >>
> >> Have been trialling it for a little while now with a relatively small
> >> number (around 3000 IPv4 and 1200 IPv6 entries), but looking to do some
> >> further GeoIP restrictions which would likely be around another 22000 IPv4
> >> entries I need to import for the specific countries I need. Will anything
> >> topple/break with that many IPs in various dynamic lists?
> >>
> >> I've tried looking but my google-fu is failing to turn up any data on
> >> limitations anywhere... I've found reference to address sets "One address
> >> set can reference a maximum of 16384 address entries and a maximum of 256
> >> address sets." but I'm not sure that this applies to dynamic address list
> >> entries as I figure that restriction may have more to do with the SRX
> >> having to parse a massive configuration file?
> >>
> >> Thanks,
> >> Chris
> >> _______________________________________________
> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
> >>
> >
> >
> > --
> > Eric Harrison
> > Network Services
> > Cascade Technology Alliance / Multnomah Education Service District
> > office: 503-257-1554   cell: 971-998-6249   NOC 503-257-1510
> >
>


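The thread turns on how many feed entries an SRX dynamic-address list can hold before something misbehaves (Eric saw anomalies around 64k prefixes on an SRX4100; Roger loads ~37k ipsum entries on an SRX300 without issue). What a practitioner wants between the feed and the firewall is a small pre-processing step that trims the feed by blacklist hit score, drops private ranges that a public feed should never push to a perimeter blocklist, deduplicates, splits IPv4 from IPv6, and warns before the entry count approaches the budget seen in the thread. The following script is an added example and is not code from the list members or from the ipsum or Junos projects. It assumes the ipsum line layout of `<ip><tab><score>` with `#` comment lines, assumes the SRX custom feed accepts one bare address or CIDR prefix per line, and treats the 64k figure as a constructed sizing budget rather than a documented hard limit; the sample feed lines are constructed.

```python
import ipaddress

# Constructed sample in ipsum's "<ip><tab><score>" layout, with a comment
# header, a junk line, a duplicate and an RFC1918 address to exercise filters.
SAMPLE_FEED = """\
# IP\tnumber of (black)lists
203.0.113.10\t7
198.51.100.4\t2
2001:db8::1\t5
bad-line
192.0.2.0/24\t3
10.0.0.1\t9
203.0.113.10\t7
"""

# Ranges never worth pushing to a perimeter blocklist from a public feed
# (an entry here would start blocking internal or link-local traffic).
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Sizing budget, not a documented limit (assumption): the thread reports an
# SRX4100 behaving oddly around 64k prefixes, so warn well before that.
PREFIX_BUDGET = 64000
WARN_AT = 0.8


def parse_ipsum(text, min_score=1):
    """Yield (ip_network, score) for well-formed lines scoring >= min_score."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            net = ipaddress.ip_network(fields[0], strict=False)
            score = int(fields[1])
        except ValueError:
            continue  # malformed line: skip it rather than abort the feed
        if score >= min_score:
            yield net, score


def is_excluded(net):
    """True if the entry falls inside a private/loopback/link-local range."""
    return any(net.version == ex.version and net.subnet_of(ex) for ex in EXCLUDED)


def build_feed(text, min_score=1):
    """Return {'v4': [...], 'v6': [...]} of deduplicated entry strings."""
    out = {"v4": [], "v6": []}
    seen = set()
    for net, _score in parse_ipsum(text, min_score):
        if is_excluded(net) or net in seen:
            continue
        seen.add(net)
        # Assumed feed syntax: bare address for host entries, CIDR otherwise.
        if net.prefixlen == net.max_prefixlen:
            entry = str(net.network_address)
        else:
            entry = str(net)
        out["v4" if net.version == 4 else "v6"].append(entry)
    return out


def budget_report(feed, budget=PREFIX_BUDGET, warn_at=WARN_AT):
    """Return (total_entries, status) with status 'ok', 'warn' or 'over'."""
    total = len(feed["v4"]) + len(feed["v6"])
    if total > budget:
        return total, "over"
    if total >= warn_at * budget:
        return total, "warn"
    return total, "ok"


def render_feed(feed):
    """Plain-text feed body for the feed server: one entry per line."""
    return "\n".join(feed["v4"] + feed["v6"]) + "\n"


if __name__ == "__main__":
    feed = build_feed(SAMPLE_FEED, min_score=3)
    total, status = budget_report(feed)
    print(f"{len(feed['v4'])} IPv4, {len(feed['v6'])} IPv6, total {total}: {status}")
    print(render_feed(feed), end="")
```

Raising `min_score` is the lever that keeps the entry count under whatever budget a given SRX model has shown itself comfortable with, and comparing `budget_report` against the counts from `show security dynamic-address summary` after each feed refresh catches the case where the feed grew past what was tested.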