Routing

  • 1.  How much firewall filter (ACLs) MX80 & MX240 can handle

    Posted 09-19-2011 12:17

    Hi guys,

    I would like to ask:

    How many firewall filters (ACLs) can the MX80 & MX240 handle?

    I can't find it in the datasheet or other articles.

     

     

    ________________

    #JNCIP-SP, #JNCIS-ENT 




  • 2.  RE: How much firewall filter (ACLs) MX80 & MX240 can handle

    Posted 06-22-2016 01:14

    Dear all,

     

    I have the same question; where can I find such information?



  • 3.  RE: How much firewall filter (ACLs) MX80 & MX240 can handle

    Posted 06-22-2016 01:35

    Hello,

    It depends on:

    1/ filter complexity - simple 5-tuple filter match terms with "accept" or "discard" action scale into hundreds of thousands

    2/ filter action - "then next term" filter action causes re-evaluation of the packet and therefore scales less. "Reject" action causes sending ICMP Dest Unreach for each matching packet subject to internal rate-limiters and therefore also scales less.

    3/ hardware - MX240 ICHIP DPC cards have a limited reserved memory space for filters which can also be used for storing the routes. Trio chipset in MX80 and MX240 MPC cards have much more memory.

    All-in-all,  the best source to obtain such information for Your specific design and business goals is Your nearest friendly Juniper Systems Engineer.

    HTH

    Thx

    Alex



  • 4.  RE: How much firewall filter (ACLs) MX80 & MX240 can handle

    Posted 06-22-2016 20:51

    Thank you for your reply, Alex!

     

    I understand that the number of firewall filters the MX can handle depends on the memory reserved for firewall filters. But this space is flexible depending on the size of memory (total memory in the case of the MX80, or DPC memory with the MX240-480-960, right?). Since this memory is shared among many resources (nexthop, counter, filter...), there is no fixed limit on filter rules. Therefore, it is more difficult to monitor proactively; we should monitor the memory usage rather than a filter rule limit (in this case it is 256K?).

     

    In MX (except MX80 series), issue this command to monitor memory resources (from O'Reilly Juniper MX Series):

     

    {master}
    regress@halfpint> request pfe execute target fpc5 command "show jnh 0 pool usage"
    SENT: Ukern command: show jnh 0 pool usage
    GOT:
    GOT: EDMEM overall usage:
    GOT: [NH///////////////|FW///|CNTR////////|HASH/////|ENCAPS////|---------------]
    GOT: 0                 7.0   9.0          14.0      21.8       25.9            32.0M
    GOT:
    GOT: Next Hop
    GOT: [***************************************************|--] 7.0M (98% | 2%)
    GOT:
    GOT: Firewall
    GOT: [|--------------------] 2.0M (1% | 99%)
    GOT:
    GOT: Counters
    GOT: [|----------------------------------------] 5.0M (1% | 99%)
    GOT:
    GOT:

     

    However, I cannot find similar command in MX5/10/40/80. Any help?

     

    Thank you so much,

     

    Trung

     



  • 5.  RE: How much firewall filter (ACLs) MX80 & MX240 can handle

    Posted 06-25-2016 08:32

    Hello,

     


    @trunglc wrote:

     

     

    However, I cannot find similar command in MX5/10/40/80. Any help?

     

    Thank you so much,

     

    Trung

     


    The "show jnh 0 pool usage" command is also valid for MX5/10/40/80.

    And I am unable to find where in the "Juniper MX Series" it says this command does not work on MX5/10/40/80. 

    If Your question is that You cannot select "fpc5" to execute this command on, the MX5/10/40/80 has only 1 PFE and it is referred to as "tfeb0":

     

    aarseniev@mx80labrouter> request pfe execute target tfeb0 command "show jnh 0 pool usage"   
    Jun 25 17:29:34
    SENT: Ukern command: show jnh 0 pool usage
    GOT:
    GOT: EDMEM overall usage:
    GOT: [NH///////|FW////////|CNTR///////////|HASH////////////|ENCAPS////|------------------]
    GOT: 0         4.0        8.0             14.0             20.7       24.8               32.0M
    GOT:
    GOT: Next Hop
    GOT: [*******************************|---------------] 4.0M (66% | 34%)
    GOT:
    GOT: Firewall
    GOT: [|----------------------|RRRRRRRRRRRRRRRRRRRRRRRR] 4.0M (<1% | >99%)
    GOT:
    GOT: Counters
    GOT: [*************************|---------------------------------------------] 6.0M (35% | 65%)
    GOT:
    GOT: HASH
    GOT: [********************************************************************************] 6.7M (100% | 0%)
    GOT:
    GOT: ENCAPS
    GOT: [************************************************] 4.1M (100% | 0%)
    GOT:
    GOT: Shared Memory - NH/FW/CNTR/HASH/ENCAPS
    GOT: [--------------------------------------------------------------------------------] 7.2M (0% | 100%)
    GOT:
    LOCAL: End of file

    HTH

    Thx

    Alex
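
An added example, not part of any post in this thread: a Python parser for the `show jnh 0 pool usage` output format shown above, for the proactive memory monitoring raised in post 4. The sample text is constructed from the MX80 output with the bars shortened; the watched pool list and the threshold are assumptions.

```python
import re

# Bar line such as "[***|---] 4.0M (66% | 34%)". "<1%" and ">99%" are bounds,
# so they are recorded as 1 and 99 (upper bound on used, lower bound on free).
BAR = re.compile(r"^\[[^\]]*\]\s+([\d.]+)M\s+\([<>]?(\d+)%\s*\|\s*[<>]?(\d+)%\)$")

def parse_pool_usage(text):
    """Return {pool name: (size_mb, used_pct, free_pct)}.

    Accepts both forms seen in the thread: "request pfe execute" output
    (lines prefixed with "GOT:") and raw vty output (no prefix).
    """
    pools, name = {}, None
    for raw in text.splitlines():
        line = re.sub(r"^GOT:\s?", "", raw.strip()).strip()
        if not line:
            continue
        m = BAR.match(line)
        if m and name:
            pools[name] = (float(m.group(1)), int(m.group(2)), int(m.group(3)))
            name = None
        elif not line.startswith("["):
            name = line  # candidate pool name; the next bar line confirms it
    return pools

def over_threshold(pools, threshold_pct, watch=("Next Hop", "Firewall", "Counters")):
    """Names of watched pools whose used percentage is at or above the threshold.

    HASH and ENCAPS read 100% in the thread's own lab output, so the default
    watch list (an assumption) leaves them out.
    """
    return sorted(n for n in watch if n in pools and pools[n][1] >= threshold_pct)

# Constructed sample: values from the MX80 output in the thread, bars shortened.
SAMPLE = """\
SENT: Ukern command: show jnh 0 pool usage
GOT:
GOT: EDMEM overall usage:
GOT: [NH///|FW///|CNTR///|HASH///|ENCAPS///|------]
GOT: 0     4.0   8.0     14.0    20.7      24.8   32.0M
GOT:
GOT: Next Hop
GOT: [*******|---] 4.0M (66% | 34%)
GOT: Firewall
GOT: [|------|RRRR] 4.0M (<1% | >99%)
GOT: Counters
GOT: [***|------] 6.0M (35% | 65%)
GOT: HASH
GOT: [**********] 6.7M (100% | 0%)
GOT: ENCAPS
GOT: [******] 4.1M (100% | 0%)
GOT: Shared Memory - NH/FW/CNTR/HASH/ENCAPS
GOT: [----------] 7.2M (0% | 100%)
LOCAL: End of file
"""
```

Calling `over_threshold(parse_pool_usage(SAMPLE), 60)` on this sample reports only the Next Hop pool.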

     



  • 6.  RE: How much firewall filter (ACLs) MX80 & MX240 can handle

    Posted 06-29-2016 04:24

    Hi,

     

    I can confirm that the command works on MX5

     

    root@MX5-R2002> show chassis hardware detail 
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                                   MX5-T
    root@MX5-R2002> start shell pfe network tfeb0
    TFEB platform (1000Mhz MPC 8548 processor, 1024MB memory, 512KB flash)
    TAZ-TBB-0(MX5-R2002 vty)# show jnh 0 pool usage
    EDMEM overall usage:
    [NH////////|FW////////|CNTR///////////|HASH////////////|ENCAPS////|------------------]
    0 4.0 8.0 14.0 20.7 24.8 32.0M
    Next Hop
    [**************|--------|RRRRRRRRRRRRRRRRRRRRRRRR] 4.0M (30% | 70%)
    Firewall
    [|----------------------|RRRRRRRRRRRRRRRRRRRRRRRR] 4.0M (<1% | >99%)
    Counters
    [*************************|---------------------------------------------] 6.0M (35% | 65%)
    HASH
    [********************************************************************************] 6.7M (100% | 0%)
    ENCAPS
    [************************************************] 4.1M (100% | 0%)
    Shared Memory - NH/FW/CNTR/HASH/ENCAPS
    [--------------------------------------------------------------------------------] 7.2M (0% | 100%)
    DMEM overall usage:
    [-]
    0 0.0M

    Regards

    Rakesh



  • 7.  RE: How much firewall filter (ACLs) MX80 & MX240 can handle

    Posted 07-01-2016 00:57

    Thanks Alex,

    I also tried this command on an EX9200 and it works fine. But when I configure two EX9200s to form a virtual chassis, I cannot use the "start shell pfe network..." or "request pfe network..." commands; it seems the pfe network is not found, or has another name? Please help!

     

    Thanks,

     

    Trung