> Saku Ytti
> Sent: Wednesday, March 16, 2016 12:23 AM
>
> On 15 March 2016 at 21:48, Chuck Anderson <[email protected]> wrote:
>
> Hey,
>
> > On the MX/Trio platform, from a performance standpoint with large
> > prefix-lists (~10,000) and firewall filters, does it matter what order
> > the prefix-list is in? Will the firewall filter perform better if
> > shorter prefixes are listed first or if some other criteria is used
> > for sorting?
>
> Very good question. MX/Trio being NPU box, isn't by any means constant
> time platform and does not use TCAM. So ordering of does have relevance. I
> don't know if it's possible for operator to even affect the ordering, or does
> it
> pass through internal optimisation which will mask your high-level CLI config?
> You can, with considerable effort see what I believe is actual HW level
> program with 'show filter index N jnh' but it will take several days of
> motivated poking to reason what is happening there.
>
> I guess best bet is being empirical and testing in lab. If it works you should
> optimise so that the search is matched as early as possible, if majority of
> packets will flow through whole prefix-list without matches anyhow, then I
> doubt it matters what order it is in.
>
Yes the order of statements does make a difference indeed, since Trio is not
using TCAM, as Saku mentioned (Not sure about the MPC7 though), the ACL and FW
filter processing is not deterministic at all and depends on the combination of
length (number of terms/lines), order and most importantly type of match
criteria.
So I suggest you play with the prefix-list a little to find out which variation
performs the best and also to make sure you can still have your desired Gbps
performance through the PFE (the LU, to be specific).
adam
Adam Vitkovsky
IP Engineer
T: 0333 006 5936
E: [email protected]
W: www.gamma.co.uk
This is an email from Gamma Telecom Ltd, trading as “Gamma”. The contents of
this email are confidential to the ordinary user of the email address to which
it was addressed. This email is not intended to create any legal relationship.
No one else may place any reliance upon it, or copy or forward all or any of it
in any form (unless otherwise notified). If you receive this email in error,
please accept our apologies, we would be obliged if you would telephone our
postmaster on +44 (0) 808 178 9652 or email [email protected]
Gamma Telecom Limited, a company incorporated in England and Wales, with
limited liability, with registered number 04340834, and whose registered office
is at 5 Fleet Place London EC4M 7RD and whose principal place of business is at
Kings House, Kings Road West, Newbury, Berkshire, RG14 5BY.
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
