On 12/09/2011 12:58 PM, Keegan Holley wrote:
> Can you post the filter and a sh int extensive? You might have the burst
> rate too small. What kind of load are you generation? Do you see the ff
> counters incrementing?
firewall filters cause extra lookups... so it's reasonable that even a:
filter foo {
term boo {
then accept
}
}
will cause problems... Depending on what you match, and where in the
filter, and lots of other bits (packet sizes, packet rates, etc - which
are more of a problem than packet sizes!) of course there are problems :(
Also, for most cases the PFE is the shared resource that matters, so if
your PFE is very busy doing something else, less resources are available
for packet forwarding/acl-processing.
-chris
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
