SRX Services Gateway

MTU filter revisited...

‎05-21-2019 01:37 PM
I have implemented an MTU filter at value 1522, as such:

firewall {
    filter 1522mtu {
        term 1 {
            from {
                packet-length 1522-1522;
            }
            then {
                count 1522mtu_DROP;
                discard;
            }
        }
        term 2 {
            then accept;
        }
    }
}

My questions are these...

1. Will adding a third term help me in terms of round trip improvement? I want to make the filter more redundant, but I realize that adding another term will divide the filter even more, into three parts.

The reason I want to do this is because of anomalous behavior at value 1522.

2. I have set a range in my code block, but if I set a single value will that change behavior closer to the needed behavior?

3. How can I shorten the round trip time of any term?

4. Or how can I lengthen the time that the whole filter processes for?

5. Is any of this possible?

Re: MTU filter revisited...

‎05-22-2019 12:38 AM

Hi Eugene,

 

I'm not sure I understand what you mean by "Will adding a third term help me in terms of round trip improvement?", can you elaborate further?

 

I don't think there is a way to know how much time it takes for a filter to process a packet, but I can tell it is very, very fast, to the point that I don't think you will notice the difference. I could think of a test like this:

 

PC_A------------SRX----------PC_B

 

You can try 10000 pings from PC_A to PC_B and check the statistics:

 

Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=71ms TTL=55
Reply from 8.8.8.8: bytes=32 time=67ms TTL=55
Reply from 8.8.8.8: bytes=32 time=67ms TTL=55
Reply from 8.8.8.8: bytes=32 time=61ms TTL=55

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 61ms, Maximum = 71ms, Average = 66ms

 

Then you can apply the filter, try the test again and check the statistics. You can also add more terms and test if you see a considerable difference in the times.

 

Regarding the fact that you used a range in the matching criteria, I don't think it will make any difference if you use a single value, but if that's an option, I would go with the fixed value instead of the range.

 

I hope I was able to help you a bit.
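
The before/after ping comparison described in the reply above, as an added example that is not part of the original post: it parses Windows ping output from a baseline run and from a run with the filter applied, then reports whether the shift in mean round trip time exceeds the jitter between replies. The function names, the `FILTERED` sample and the two-standard-error threshold are assumptions made for illustration.

```python
import re
import statistics

# Per-reply line of Windows ping output, e.g. "... bytes=32 time=71ms TTL=55".
REPLY_RE = re.compile(r"Reply from \S+ bytes=\d+ time([=<])(\d+)ms")

# Baseline: the four replies quoted in the post above.
BASELINE = """Reply from 8.8.8.8: bytes=32 time=71ms TTL=55
Reply from 8.8.8.8: bytes=32 time=67ms TTL=55
Reply from 8.8.8.8: bytes=32 time=67ms TTL=55
Reply from 8.8.8.8: bytes=32 time=61ms TTL=55"""

# Constructed sample standing in for a run with the filter applied.
FILTERED = """Reply from 8.8.8.8: bytes=32 time=72ms TTL=55
Request timed out.
Reply from 8.8.8.8: bytes=32 time=66ms TTL=55
Reply from 8.8.8.8: bytes=32 time=68ms TTL=55
Reply from 8.8.8.8: bytes=32 time=62ms TTL=55"""

def parse_ping(text):
    """Return (list of RTTs in ms, number of lost probes)."""
    rtts, lost = [], 0
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            # "time<1ms" marks a sub-millisecond reply; count it as 0.5 ms.
            rtts.append(0.5 if m.group(1) == "<" else float(m.group(2)))
        elif "timed out" in line or "unreachable" in line:
            lost += 1
    return rtts, lost

def compare(before, after):
    """Summarise both runs; needs at least two replies in each."""
    (a, a_lost), (b, b_lost) = parse_ping(before), parse_ping(after)
    delta = statistics.mean(b) - statistics.mean(a)
    # Standard error of the difference between the two means.
    se = (statistics.variance(a) / len(a) + statistics.variance(b) / len(b)) ** 0.5
    return {
        "baseline_mean_ms": statistics.mean(a),
        "filtered_mean_ms": statistics.mean(b),
        "delta_ms": delta,
        "baseline_lost": a_lost,
        "filtered_lost": b_lost,
        # A shift within about two standard errors is indistinguishable from jitter.
        "significant": se > 0 and abs(delta) > 2 * se,
    }

if __name__ == "__main__":
    print(compare(BASELINE, FILTERED))
```

With only four replies per run the standard error is large; the 10000-ping runs suggested above narrow it enough to expose a real per-term cost if one exists.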

 

 


Re: MTU filter revisited...

‎05-23-2019 08:00 AM
Thx for the reply, lpaniagua.
Does anyone have an answer before I try what was suggested?