I don't know if this is relevant or not in regards to the srx345, but I recently stress tested a srx4100 and started to notice some anomalies around 64k prefixes. I don't recall anything being logged and it reported that it loaded all >=64k prefixes, "show security match-policies" gave the right answers, but some actual test traffic started to be logged on an unexpected policy. Opening a ticket is on the TODO list.
One of our production srx4100's currently has 53k dynamic IPv4 prefixes w/o skipping a beat:

    > show security dynamic-address summary
    .....
    Instance Name : default
    Total number of IPv4 entries : 232848
    Total number of IPv4 entries from feed : 53445
    Total number of IPv6 entries : 0
    Total number of IPv6 entries from feed : 0

-Eric

On Fri, Mar 1, 2024 at 5:11 AM Chris Lee via juniper-nsp <juniper-nsp@puck.nether.net> wrote:

> Hi All,
>
> Does anyone know if there's any specific limits/bounds/impacts on the
> number of IP addresses that can be imported into a SRX Dynamic Address
> list, specifically for an SRX345 ?
>
> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dynamic-address.html
>
> Have been trialling it for a little while now with a relatively small
> number (around 3000 IPv4 and 1200 IPv6 entries), but looking to do some
> further GeoIP restrictions which would likely be around another 22000 IPv4
> entries I need to import for the specific countries I need. Will anything
> topple/break with that many IP's in various dynamic lists ?
>
> I've tried looking but my google-fu is failing to turn up any data on
> limitations anywhere... I've found reference to address sets "One address
> set can reference a maximum of 16384 address entries and a maximum of 256
> address sets." but I'm not sure that this applies to dynamic address list
> entries as I figure that restriction may have more to do with the SRX
> having to parse a massive configuration file ?
>
> Thanks,
> Chris
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

--
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554 cell: 971-998-6249 NOC 503-257-1510