Hi Morgan - On Mon, Jan 09, 2012 at 03:23:57PM -0800, Morgan McLean wrote: > Its an SRX3600 cluster, with no traffic traversing the fabric > connection, so its all being contained on one chassis. These are just > standard ICMP packets between two linux hosts on different subnets.
By ICMP packets I assume you mean ICMP echo request/responses? If so, this may not be the best test to obtain latency numbers as each ICMP echo request will generate a new session and then tear it down when the response is delivered. This is the "slow path" and your ICMP echo request is always the "first packet" that requires session setup through the CP. This adds additional latency that normally wouldn't be incurred for packets in an established TCP flow, for example. I'd suggest using a higher-level type of PING that uses something like UDP or TCP to send packets across an already established session. Another somewhat hacky option I've found useful for testing firewall latency, if you can manage it, is to create a GRE or IPIP tunnel between two hosts through the firewall. This way the firewall only sees one session and all packets for that session are forwarded using the "fast path." - Mark -- Mark Kamichoff p...@prolixium.com http://www.prolixium.com/
signature.asc
Description: Digital signature
_______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp