SRX CPU consumption / Routing Instance and Firewall Filters.

Friday

Hi all,

I deployed an IPsec VPN in a specific routing instance. The tunnel interfaces (st0.x) are deployed in routing instance A, and the user segment that needs to use this IPsec tunnel is associated with the default instance (inet.0). After the VPN is established, the SRX has installed a route 10.0.0.0/8 in instance A, but the user can't access all of 10.0.0.0/8 due to some address conflict.

So I applied a firewall filter with the specific destinations that need to be routed to instance A. This is working fine. However, I'm worried about the CPU consumption. What is most recommended?

1- Use firewall filter;

2- Apply specific static routes using "next-table INST-A";

 

Thanks,

João Victor

Solution
Accepted by topic author joaov
Friday

Re: SRX CPU consumption / Routing Instance and Firewall Filters.


Hello,

 


@joaov wrote:

What is most recommended?

1- Use firewall filter;

2- Apply specific static routes using "next-table INST-A";

[1] is recommended. [2] causes packet "recirculation"/re-evaluation of the IP header, which will halve your SRX PPS capacity.

HTH

Thx

Alex

 


Re: SRX CPU consumption / Routing Instance and Firewall Filters.

Friday

OK, I will keep this design with the firewall filter.

Thanks a lot for your quick reply.

 

João Victor
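
The two options compared in this thread, written out as Junos set commands. This is an added example, not configuration posted by anyone in the thread. Only INST-A and st0.x come from the thread; the instance type, the filter and term names, the counter name, the user-facing interface ge-0/0/1.0, st0.0 and the two destination prefixes are assumptions made for illustration.

```junos
# Constructed example: apply option 1 OR option 2, not both.

# Routing instance A holding the tunnel interface (st0.0 stands in for st0.x;
# instance-type virtual-router is an assumption).
set routing-instances INST-A instance-type virtual-router
set routing-instances INST-A interface st0.0

# Option 1: firewall filter (filter-based forwarding).
# Only the listed destinations are handed to INST-A for lookup.
# The prefixes are placeholders for the non-conflicting parts of 10.0.0.0/8.
set firewall family inet filter FBF-TO-INST-A term vpn-dests from destination-address 10.1.0.0/16
set firewall family inet filter FBF-TO-INST-A term vpn-dests from destination-address 10.2.0.0/16
set firewall family inet filter FBF-TO-INST-A term vpn-dests then count to-inst-a
set firewall family inet filter FBF-TO-INST-A term vpn-dests then routing-instance INST-A

# A filter ends with an implicit discard, so everything that is not
# redirected must be accepted explicitly to keep using inet.0.
set firewall family inet filter FBF-TO-INST-A term everything-else then accept

# Attach the filter inbound on the interface facing the user segment.
set interfaces ge-0/0/1 unit 0 family inet filter input FBF-TO-INST-A

# Option 2: static routes in inet.0 that point at the instance's table.
set routing-options static route 10.1.0.0/16 next-table INST-A.inet.0
set routing-options static route 10.2.0.0/16 next-table INST-A.inet.0
```

With option 1 in place, `show firewall filter FBF-TO-INST-A` shows the `to-inst-a` counter incrementing for redirected traffic, and `show route table INST-A.inet.0` shows the route used after the redirect.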