Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Junos filter limitation

    Posted 03-02-2016 04:29
    Is there a Junos MX firewall filter limitation before there is performance degradation? Let's say 1-4k firewall sets.

    Does it degrade the more you add, i.e. processing 20 million pps over multiple filters?

    Filters will consist of multiple /29s and blocking port access to internet-facing interfaces.


  • 2.  RE: Junos filter limitation

    Posted 03-02-2016 13:49

    Hello,

    With simple 5-tuple filter terms and "accept"/"discard" actions, the firewall filter's tested scale upper limit without degradation lies in the hundreds of thousands on high-end Juniper routers. Such a filter takes a long time to commit, though.

    If you are after a more complicated action like "next term", then there is a degradation, since with the "next term" action you are forcing a second lookup on the same packet and hence your PPS goes down. 

    It is entirely possible to construct a complex firewall filter severely degrading performance but having no real-world applicability.

    HTH

    Thx

    Alex



  • 3.  RE: Junos filter limitation

    Posted 03-03-2016 02:42

    An example filter will be

        firewall {
            family inet {
                filter xxx {
                    term xxx {
                        from {
                            source-address {
                                1.2.3.4/32;
                            }
                        }
                        then discard;
                    }
                    term xxxx {
                        from {
                            protocol udp;
                            source-port 53;
                            destination-address {
                                2.3.4.4/29;
                            }
                        }
                    }
                    term xxx {
                        ...
                    }
                }
            }
        }

    Is this what you mean by next term?
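
    Added example, not from this thread, from Alex's reply or from Juniper's documentation: a complete family inet filter in Junos brace syntax that shows the difference the thread is about. Most terms use terminating actions (accept/discard), so a packet is classified in one lookup; the one term with "next term" counts the packet and then hands it to the following terms, which is the second lookup that costs PPS. The filter name PROTECT-EDGE, the counter names, the interface ge-0/0/0 and the RFC 5737 documentation prefixes are placeholders chosen for the example.

    ```junos
    firewall {
        family inet {
            filter PROTECT-EDGE {
                /* Terminating action: the packet is dropped here, one lookup only */
                term drop-known-bad-source {
                    from {
                        source-address {
                            203.0.113.0/29;
                        }
                    }
                    then {
                        count drop-known-bad-source;
                        discard;
                    }
                }
                /* Non-terminating "next term": the packet is counted and then
                   re-evaluated by the terms below, i.e. a second lookup.
                   Use this only where the counter is actually needed. */
                term count-ssh-attempts {
                    from {
                        protocol tcp;
                        destination-port 22;
                    }
                    then {
                        count ssh-attempts;
                        next term;
                    }
                }
                /* Same shape as the /29 + port term in the post above */
                term allow-dns-replies {
                    from {
                        protocol udp;
                        source-port 53;
                        destination-address {
                            198.51.100.0/29;
                        }
                    }
                    then accept;
                }
                /* Block management ports on the internet-facing interface */
                term block-management-from-internet {
                    from {
                        protocol tcp;
                        destination-port [ 22 23 ];
                    }
                    then {
                        log;
                        discard;
                    }
                }
                /* Explicit final action; without it the implicit default is discard */
                term default-accept {
                    then accept;
                }
            }
        }
    }
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input PROTECT-EDGE;
                    }
                }
            }
        }
    }
    ```

    After committing, `show firewall filter PROTECT-EDGE` shows the counters; if the ssh-attempts counter is never read, removing the count-ssh-attempts term keeps every packet on a single lookup, which is the cheap case Alex describes.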



  • 4.  RE: Junos filter limitation
    Best Answer

    Posted 03-03-2016 06:16