Mailing List Archive

On Mon, Jun 23, 2003 at 12:25:01PM -0500, Jack.W.Parks@alltel.com wrote:
> We are looking to enable uRPF on our M-series routers (M20's and below).
> The benefits of enabling this feature are obvious, but the unknown side
> effects are what I'm concerned about. What performance impact could I
> expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?
>
> Has anyone enabled uRPF on their network and do you have any lessoned
> learned? I would like to iron out the quirks prior to deployment.

I've been using the loose unicast-rpf with no problems
on m20 and m40 devices.

These devices have more than your 100k and 600M passing
through them.

- Jared

--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.

Jack,

We (DANTE) have enabled uRPF right across 90% of our border
interfaces and we have seen zero performance degradation. Many or our
access circuits are as high as 10G so i would say that you would have no
problem with 600Mbps.

I would recommend you investigate the different implementations
and understand the differences between strict, feasible path and loose as
to avoid and unexpected behavior though. ;o)

cheers,
Rob


At 12:25 23/06/2003 -0500, Jack.W.Parks@alltel.com wrote:
>We are looking to enable uRPF on our M-series routers (M20's and below).
>The benefits of enabling this feature are obvious, but the unknown side
>effects are what I'm concerned about. What performance impact could I
>expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?
>
>Has anyone enabled uRPF on their network and do you have any lessoned
>learned? I would like to iron out the quirks prior to deployment.
>
>Jack W. Parks IV
>Sr. Network Engineer
>ALLTEL Communications
>jack.w.parks@alltel.com
>Work: 501-905-5961
>Cell: 501-680-3341
>
>_______________________________________________
>juniper-nsp mailing list juniper-nsp@puck.nether.net
>http://puck.nether.net/mailman/listinfo/juniper-nsp

_________________________________________________________________

* * Rob Walton - Network engineer
* *
* Francis House Tel +44 1223 302 992
* 112 Hills Road Fax +44 1223 303 005
* Cambridge CB2 1PQ
D A N T E United Kingdom
_________________________________________________________________

On 23.06.2003 12:25:01 +0000, Jack.W.Parks@alltel.com wrote:
> We are looking to enable uRPF on our M-series routers (M20's and below).
> The benefits of enabling this feature are obvious, but the unknown side
> effects are what I'm concerned about. What performance impact could I
> expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?

None.

> Has anyone enabled uRPF on their network and do you have any lessoned
> learned? I would like to iron out the quirks prior to deployment.

Yes. We use it extensively on customer ports without no problems at all.

Be sure to check up on your routing so you're not rejecting valid
traffic from the customer.

/Michael

--
Michael Lyngb?l -- michael at lyngbol dot dk
Network Architect, AS3292 TDC, IP?backbone

On Mon, Jun 23, 2003 at 12:25:01PM -0500, Jack.W.Parks@alltel.com wrote:
> We are looking to enable uRPF on our M-series routers (M20's and below).

Thank you!

> The benefits of enabling this feature are obvious, but the unknown side
> effects are what I'm concerned about. What performance impact could I
> expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?

None.


Regards,
Daniel

There is a performance drop from 40Mpps to 12.5Mpps when use anything other
than standard plain routing... if you have a firewall-filter configured, it
already has such a penalty in place.Although it's 125 times your peak
traffic flow, you should consider the peak traffic that a DoS attack can
generate on the router, not your usual traffic. Even than, it's very
unlikely that usual configurations of M-5, M-10 and M-20 interfaces can sum
up to that amount.



Rubens


----- Original Message -----
From: <Jack.W.Parks@alltel.com>
To: <juniper-nsp@puck.nether.net>
Sent: Monday, June 23, 2003 2:25 PM
Subject: [j-nsp] uRPF - Performance


| We are looking to enable uRPF on our M-series routers (M20's and below).
| The benefits of enabling this feature are obvious, but the unknown side
| effects are what I'm concerned about. What performance impact could I
| expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?
|
| Has anyone enabled uRPF on their network and do you have any lessoned
| learned? I would like to iron out the quirks prior to deployment.
|
| Jack W. Parks IV
| Sr. Network Engineer
| ALLTEL Communications
| jack.w.parks@alltel.com
| Work: 501-905-5961
| Cell: 501-680-3341
|
| _______________________________________________
| juniper-nsp mailing list juniper-nsp@puck.nether.net
| http://puck.nether.net/mailman/listinfo/juniper-nsp
|
|

We have conducted tests that show that with very heavy firewall filters
(3000 terms ingress and egress, lotsa layer4 ops, port ranges, etc), you
will get 22.4M pps, not 12.5. If you are getting 12.5, then your line
cards aren't well distributed on the FPC's to assure that packets will
always egress out all FPCs (statistical varience due to the stipe-write
of jcells to all FPCs).

The test was on an M40e, but it's the same IP2.

-igor

On
Tue, 24 Jun 2003, Rubens Kuhl Jr. wrote:

>
> There is a performance drop from 40Mpps to 12.5Mpps when use anything other
> than standard plain routing... if you have a firewall-filter configured, it
> already has such a penalty in place.Although it's 125 times your peak
> traffic flow, you should consider the peak traffic that a DoS attack can
> generate on the router, not your usual traffic. Even than, it's very
> unlikely that usual configurations of M-5, M-10 and M-20 interfaces can sum
> up to that amount.
>
>
>
> Rubens
>
>
> ----- Original Message -----
> From: <Jack.W.Parks@alltel.com>
> To: <juniper-nsp@puck.nether.net>
> Sent: Monday, June 23, 2003 2:25 PM
> Subject: [j-nsp] uRPF - Performance
>
>
> | We are looking to enable uRPF on our M-series routers (M20's and below).
> | The benefits of enabling this feature are obvious, but the unknown side
> | effects are what I'm concerned about. What performance impact could I
> | expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?
> |
> | Has anyone enabled uRPF on their network and do you have any lessoned
> | learned? I would like to iron out the quirks prior to deployment.
> |
> | Jack W. Parks IV
> | Sr. Network Engineer
> | ALLTEL Communications
> | jack.w.parks@alltel.com
> | Work: 501-905-5961
> | Cell: 501-680-3341
> |
> | _______________________________________________
> | juniper-nsp mailing list juniper-nsp@puck.nether.net
> | http://puck.nether.net/mailman/listinfo/juniper-nsp
> |
> |
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>

Igor,
You bring up an interesting point:

>If you are getting 12.5, then your line
>cards aren't well distributed on the FPC's to assure that packets will
>always egress out all FPCs (statistical varience due to the stipe-write

>of jcells to all FPCs).

Does this mean that the line cards should be distributed in some
recommended fashion on the router? Do you have any examples or
recommendations? Does this apply to all Junipers, or just the M20?

Eric

-----Original Message-----
From: pain@royal.net [mailto:pain@royal.net]
Sent: Wednesday, June 25, 2003 5:52 PM
To: Rubens Kuhl Jr.
Cc: Jack.W.Parks@alltel.com; juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] uRPF - Performance


We have conducted tests that show that with very heavy firewall filters
(3000 terms ingress and egress, lotsa layer4 ops, port ranges, etc), you
will get 22.4M pps, not 12.5. If you are getting 12.5, then your line
cards aren't well distributed on the FPC's to assure that packets will
always egress out all FPCs (statistical varience due to the stipe-write
of jcells to all FPCs).

The test was on an M40e, but it's the same IP2.

-igor

On
Tue, 24 Jun 2003, Rubens Kuhl Jr. wrote:

>
> There is a performance drop from 40Mpps to 12.5Mpps when use anything
other
> than standard plain routing... if you have a firewall-filter
configured, it
> already has such a penalty in place.Although it's 125 times your peak
> traffic flow, you should consider the peak traffic that a DoS attack
can
> generate on the router, not your usual traffic. Even than, it's very
> unlikely that usual configurations of M-5, M-10 and M-20 interfaces
can sum
> up to that amount.
>
>
>
> Rubens
>
>
> ----- Original Message -----
> From: <Jack.W.Parks@alltel.com>
> To: <juniper-nsp@puck.nether.net>
> Sent: Monday, June 23, 2003 2:25 PM
> Subject: [j-nsp] uRPF - Performance
>
>
> | We are looking to enable uRPF on our M-series routers (M20's and
below).
> | The benefits of enabling this feature are obvious, but the unknown
side
> | effects are what I'm concerned about. What performance impact could
I
> | expect by enabling uRPF at a peak traffic flow of 100k pps/600Mbps?
> |
> | Has anyone enabled uRPF on their network and do you have any
lessoned
> | learned? I would like to iron out the quirks prior to deployment.
> |
> | Jack W. Parks IV
> | Sr. Network Engineer
> | ALLTEL Communications
> | jack.w.parks@alltel.com
> | Work: 501-905-5961
> | Cell: 501-680-3341
> |
> | _______________________________________________
> | juniper-nsp mailing list juniper-nsp@puck.nether.net
> | http://puck.nether.net/mailman/listinfo/juniper-nsp
> |
> |
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp