Re: [j-nsp] SRX Dynamic Address limits
I don't know if this is relevant or not in regards to the SRX345, but I recently stress tested an SRX4100 and started to notice some anomalies around 64k prefixes. I don't recall anything being logged and it reported that it loaded all >=64k prefixes, "show security match-policies" gave the right answers, but some actual test traffic started to be logged on an unexpected policy. Opening a ticket is on the TODO list.

One of our production SRX4100s currently has 53k dynamic IPv4 prefixes w/o skipping a beat:

> show security dynamic-address summary
  Instance Name : default
  Total number of IPv4 entries : 232848
  Total number of IPv4 entries from feed : 53445
  Total number of IPv6 entries : 0
  Total number of IPv6 entries from feed : 0

-Eric

On Fri, Mar 1, 2024 at 5:11 AM Chris Lee via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
> Hi All,
>
> Does anyone know if there's any specific limits/bounds/impacts on the
> number of IP addresses that can be imported into a SRX Dynamic Address
> list, specifically for an SRX345 ?
>
> https://www.juniper.net/documentation/us/en/software/junos/cli-reference/topics/ref/statement/dynamic-address.html
>
> Have been trialling it for a little while now with a relatively small
> number (around 3000 IPv4 and 1200 IPv6 entries), but looking to do some
> further GeoIP restrictions which would likely be around another 22000 IPv4
> entries I need to import for the specific countries I need. Will anything
> topple/break with that many IPs in various dynamic lists ?
>
> I've tried looking but my google-fu is failing to turn up any data on
> limitations anywhere... I've found reference to address sets "One address
> set can reference a maximum of 16384 address entries and a maximum of 256
> address sets." but I'm not sure that this applies to dynamic address list
> entries as I figure that restriction may have more to do with the SRX
> having to parse a massive configuration file ?
>
> Thanks,
> Chris
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

-- 
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554 cell: 971-998-6249 NOC 503-257-1510
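A small monitoring check for the counter output Eric pasted above, added here as an example and not part of the original thread: it parses `show security dynamic-address summary` output and flags feeds whose entry count is approaching a watch threshold. The 64000 default is an assumption taken from the prefix count at which Eric observed anomalies, not a documented platform limit; the sample text is constructed to mirror his pasted output.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample mirroring the layout of the output pasted in the thread.
SAMPLE_SUMMARY = """\
> show security dynamic-address summary
Instance Name : default
Total number of IPv4 entries : 232848
Total number of IPv4 entries from feed : 53445
Total number of IPv6 entries : 0
Total number of IPv6 entries from feed : 0
"""

# Assumed watch threshold: the prefix count around which the thread reports
# unexpected policy matches on an SRX4100. Not a documented platform limit.
WATCH_THRESHOLD = 64000

_INSTANCE_RE = re.compile(r"^Instance Name\s*:\s*(\S+)", re.M)
_COUNT_RE = re.compile(
    r"^Total number of (IPv4|IPv6) entries( from feed)?\s*:\s*(\d+)", re.M)


def parse_summary(text: str) -> Dict[str, Dict[str, int]]:
    """Return {instance: {"ipv4": n, "ipv4_feed": n, "ipv6": n, "ipv6_feed": n}}."""
    result: Dict[str, Dict[str, int]] = {}
    # Split on instance headers so output with several instances is handled too:
    # chunks = [preamble, name1, body1, name2, body2, ...]
    chunks = _INSTANCE_RE.split(text)
    for name, body in zip(chunks[1::2], chunks[2::2]):
        counts: Dict[str, int] = {}
        for family, feed, n in _COUNT_RE.findall(body):
            counts[family.lower() + ("_feed" if feed else "")] = int(n)
        result[name] = counts
    return result


def check_feed_counts(summary: Dict[str, Dict[str, int]],
                      threshold: int = WATCH_THRESHOLD,
                      warn_at: float = 0.8) -> List[Tuple[str, str, int]]:
    """Return (instance, counter, count) for feed counters at or above warn_at * threshold."""
    flagged = []
    for inst, counts in summary.items():
        for key in ("ipv4_feed", "ipv6_feed"):
            n = counts.get(key, 0)
            if n >= warn_at * threshold:
                flagged.append((inst, key, n))
    return flagged


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    print(parsed)
    print(check_feed_counts(parsed))  # the 53445-entry feed is within 20% of the threshold
```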
Re: [j-nsp] MX304 - Edge Router
Yes indeed, having dhcp-relay by default trigger scale-l2tp -- a licensed subscriber management feature -- is quite annoying. "set forwarding-options dhcp-relay forward-only" will turn off that licensing requirement. IIRC there were scalpel knobs to accomplish the same; we opted for the hammer knob.

On Wed, Oct 25, 2023 at 6:25 AM Chuck Anderson via juniper-nsp <juniper-nsp@puck.nether.net> wrote:
> On Wed, Oct 25, 2023 at 03:12:29PM +0200, Mark Tinka via juniper-nsp wrote:
> > On 10/25/23 10:57, Sebastian Wiesinger via juniper-nsp wrote:
> > > Yeah it depends. Our MX204 also needed licenses for subscriber
> > > management. Some options would produce a license warning and some other
> > > stuff just failed silently which was worse. Also no one at Juniper
> > > seemed to know WHICH licenses we needed for our use case.
> > >
> > > In the end our license list looked like this:
> > >
> > > subscriber-accounting
> > > subscriber-authentication
> > > subscriber-address-assignment
> > > subscriber-vlan
> > > subscriber-ip
> > > scale-subscriber
> > > scale-l2tp
> > > l2tp-inline-lns
> > >
> > > So yeah.. that wasn't a nice experience at all.
> >
> > Subscriber Management has always required real licenses on the MX since
> > it started shipping BNG code.
> >
> > You got 1,000 subscribers as standard, and then needed an enforceable
> > license after that.
>
> This caused us heartburn for our Campus LAN when we upgraded as we had
> been using "forwarding-options helpers bootp" and were told that it
> was deprecated and we needed to move to "forwarding-options
> dhcp-relay" which is a BNG feature that requires a subscriber
> license--a ridiculous requirement for a Campus LAN. It turns out that
> "helpers bootp" still worked, and may still work today, but I'm no
> longer working in that environment so I'm not sure.
-- 
Eric Harrison
Network Services
Cascade Technology Alliance / Multnomah Education Service District
office: 503-257-1554 cell: 971-998-6249 NOC 503-257-1510