icbc-south b5区域srx防火墙合并评估

1、B5B5SPURE性能压力测试，以及迁移方案验证测试SPU 性能压力测统计数值累加获得合并后流量压力，20%4下试端口流量22SPURE性能压力测试，以及迁移方案验证测试SPU 性能压力测统计数值累加获得合并后流量压力，20%4下试端口流量22端口流量2,medim,bottom 三条策略，这三条策略分别位于策略表的顶部，部512byte由于仪表性能所限，部分测试参数与实际环境存在差异并发连接数：80000条会话。由于并发会话只会消耗内存资源，SRX火墙内存使用预分配机制，在未达到并发会话数量上限（1M/spu，3M/SPC配置）前，,medim,bottom 三条策略，这三条策略分别位于策略

2、表的顶部，部512byte由于仪表性能所限，部分测试参数与实际环境存在差异并发连接数：80000条会话。由于并发会话只会消耗内存资源，SRX火墙内存使用预分配机制，在未达到并发会话数量上限（1M/spu，3M/SPC配置）前，用率能够保持稳定。测试压力考虑SRX5600SPC板卡，SPCSPC板卡时（SPU），SRXMedium CP模式。SPU50%CP，1.5SPUflow转发处理，包括会话建立以及报文转发在工行实际环境中，SPC，SRXLargeCP模式。SPU处理，3SPUflow转发处理flowSPU为 1:2关系，（SPU利用率）2实际环境 SPU消耗情况通过测试项 2+验证了该计

3、算方式的合理性。为单块 68%，SPCrst报文拆除会话方式模拟新建会话压力ackSyn,Syn/Ack建立会话之间存在少量性能差异。以往测试经验，增加 10%性能测试流量不存在需要 ALG处理的报文，在现网环境中，会有少量流量(FTP,TFTP)需要 ALG处理。根据测试经验，10%用于评估真实环境性能现网可能存在其他性能损耗，包括网络中广播报文，校验和错误报文以及命中 deny 策略的报文等5%用于评估这部分内容造成的性能消耗说明为最大程度模拟性能消耗， 带内方式从 reth2接口送出，测试流量不存在需要 ALG处理的报文，在现网环境中，会有少量流量(FTP,TFTP)需要 ALG处理。根

4、据测试经验，10%用于评估真实环境性能现网可能存在其他性能损耗，包括网络中广播报文，校验和错误报文以及命中 deny 策略的报文等5%用于评估这部分内容造成的性能消耗说明为最大程度模拟性能消耗， 带内方式从 reth2接口送出，因此在统计流量时，会出现 reth2接口 output大于 reth1接口 input现象labNF56FW0G-B5#runreth1|matchInput:1105940480bps(270005Output:1105412096bps(269876labNF56FW0G-B5#runreth2|matchInput:1105969152bps(270014Outp

5、ut:1146258320bps(2898262. 关于第四年策略同步场景的策略数量，20%策略计算，10886(非同步条，若按策略数量翻倍计算，将达到 21772条策略。这将超出 from-zone to-zone略最大数量限制。在一个方向上（from-zone A to-zone B）10240条策略2. 关于第四年策略同步场景的策略数量，20%策略计算，10886(非同步条，若按策略数量翻倍计算，将达到 21772条策略。这将超出 from-zone to-zone略最大数量限制。在一个方向上（from-zone A to-zone B）10240条策略，20480条策略。试RE 性能压

6、力测每次策略变更时，RE(routing-engine)SPC板卡。数量增多时，这种策略编译工作将更为复杂，RECPU的消耗RE CPU带来的性能消耗。每次配置不同数量策略，commit，RECPU利用率，commit所需时间长度RE CPU editsecuritypoliciesfrom-zonetrustto-zoneuntrust Errorumlimitofpolicypercontext迁移方案验证迁移方案验证和 均关闭 4TCP会话，4Gbps速率传送流量（250,000pps），SRX5600-A发。同时，为保证所有会话通过新建流程，SRX5600-B无会话。EX9200-AE

7、X-trust/untrustlogical-system下修改路由下一跳配置，SRX5600-B。况SPU 压注*1，2NODE 配置一块SPC3，4置两块SPC1,2 的FLOW-SPU3,41,22 估算两块按照上述推算方法，实际环境性能压力如下SPU 压注*1，2NODE 配置一块SPC3，4置两块SPC1,2 的FLOW-SPU3,41,22 估算两块按照上述推算方法，实际环境性能压力如下端口流量22RE 性能压RE 性能压迁移方案验丢包数量进行计算，0.093148 sec。TCP连接未发生中断SPU 性能压合并后，能够支撑当前业务规模，结果，并未加入流量突发场景。若发生异常流量或

8、业务突发场景丢包数量进行计算，0.093148 sec。TCP连接未发生中断SPU 性能压合并后，能够支撑当前业务规模，结果，并未加入流量突发场景。若发生异常流量或业务突发场景，SPU利用率大幅上升。SPC处于轻载状态策略数量限从策略数量进行考虑，若开启策略同步特性，策略数上限。commit时间较长，并增加策略管理的难度。因此，如果需要开启策略同步特性，的策略总数测试项 1（当前流量压力/策略非同步labNF56FW0G-B5#runshowsecuritypolicieszone-FromTo Policy测试项 1（当前流量压力/策略非同步labNF56FW0G-B5#runshowsec

9、uritypolicieszone-FromTo PolicylabNF56FW0G-B5#runshowsecuritypoliciespolicy-Fromzone:trust,Tozone: ,e:enabled,Index:4,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-,Action:Fromzone:untrust,Tozone:,e:enabled,Index:10246,ScopePolicy:0,Sequencenumber:Sourceaddresses:D

10、estinationaddresses:,-traffic,Action:labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:trust,Tozone: Policy:medium,e:Action:labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:trust,Tozone: Policy:medium,e:enabled,Index:5005,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddre

11、sses:Applications:t-u-medium,Action:Fromzone:untrust,Tozone:Policy:medium,e:enabled,Index:15245,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:medium,medium-traffic,Action:labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:trust,Tozone: Policy:bottom,e:enabled,

12、Index:10245,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-bottom,Action:Fromzone:untrust,Tozone:Policy:bottom,e:enabled,Index:20485,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:bottom,bottom-traffic,Action:Fromzone:untrust,Tozone

13、:Policy:bottom,e:enabled,Index:20485,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:bottom,bottom-traffic,Action:labNF56FW0G-B5#runreth1|matchInput:1105928192bps(270003Output:1105395712bps(269871labNF56FW0G-B5#runreth2|matchInput:1105915904bps(270001Output:1146217800b

14、ps(289818SPU2620356895新建会话数量在pic0,pic1labNF56FW0G-B5#runshowsecuritymonitoringfpc3nodeFPC PICCPU: 38 Memory: 60 Currentflow:Maxflow: CurrentCP:labNF56FW0G-B5#runshowsecuritymonitoringfpc3nodeFPC PICCPU: 38 Memory: 60 Currentflow:Maxflow: CurrentCP:MaxCP:CreationPerSecond(forlast96secondsage):PICCPU:

15、 68 Memory: 61 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):测试项 2（当前流量压力/策略同步labNF56FW0G-B5#runshowsecuritypolicieszone-FromTo PolicylabNF56FW0G-B5#runshowsecuritypoliciespolicy-Fromzone:untrust,Tozone:,e:enabled,Index:10246,ScopePolicy:0,labNF56FW0G-B5#runshowsecuritypo

16、liciespolicy-Fromzone:untrust,Tozone:,e:enabled,Index:10246,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:,-traffic,Action:permit,Fromzone:trust,Tozone: ,e:enabled,Index:4,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-,Action:permit,labNF56FW0G-

17、B5#runshowsecuritypoliciespolicy-nameFromzone:untrust,Tozone:Policy:medium,e:enabled,Index:15245,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:medium,medium-traffic,Action:permit,Fromzone:trust,Tozone: Policy:medium,e:enabled,Index:5005,ScopePolicy:Action:permit,From

18、zone:trust,Tozone: Policy:medium,e:enabled,Index:5005,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-medium,Action:permit,labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:untrust,Tozone:Policy:bottom,e:enabled,Index:20485,ScopePolicy:0,Sequencenumber:Sour

19、ceaddresses:Destinationaddresses:Applications:bottom,bottom-traffic,Action:permit,Fromzone:trust,Tozone: Policy:bottom,e:enabled,Index:10245,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-bottom,Action:permit,labNF56FW0G-B5#runreth1|matchInput:1105928192bps(270002

20、Output:1105338368bps(269858labNF56FW0G-B5#runreth2|matchInputlabNF56FW0G-B5#runreth1|matchInput:1105928192bps(270002Output:1105338368bps(269858labNF56FW0G-B5#runreth2|matchInput:1105899520bps(269996Output:1146207560bps(289819SPU2941857795新建会话数量在pic0,pic1labNF56FW0G-B5#runshowsecuritymonitoringfpc3no

21、deFPC PICCPU: 37 Memory: 61 Currentflow:Maxflow: CurrentCP:MaxCP:CreationPerSecond(forlast96secondsage):PICCPU: 67 Memory: 62 Currentflow:MaxflowCreationPerSecond(forlast96secondsage):PICCPU: 67 Memory: 62 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):测试项 2+（两块 SPC 板卡对比测试

22、SPCSPC2倍，2相同的测试用例。试SRX单机，SPC板卡labNF56FW0G-B5#runshowsecuritypolicieszone-FromTo PolicylabNF56FW0G-B5#runshowsecuritypoliciespolicy-Fromzone:untrust,Tozone:,e:enabled,Index:10,ScopePolicy:0,Sequencenumber:labNF56FW0G-B5#runshowsecuritypoliciespolicy-Fromzone:untrust,Tozone:,e:enabled,Index:10,ScopePo

23、licy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:,-traffic,Action:permit,Fromzone:trust,Tozone: ,e:enabled,Index:6363,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-,Action:permit,labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:untrust,Tozone:Pol

24、icy:medium,e:enabled,Index:3010,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:medium,medium-traffic,Action:permit,Fromzone:trust,Tozone: Policy:medium,e:enabled,Index:9359,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-medium,Actio

25、n:permit,labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:untrust,Sourceaddresses:Destinationaddresses:Applications:t-u-medium,Action:permit,labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:untrust,Tozone:Policy:bottom,e:enabled,Index:6362,ScopePolicy:0,Sequencenumber:Sourceaddress

26、es:Destinationaddresses:Applications:bottom,bottom-traffic,Action:permit,Fromzone:trust,Tozone: Policy:bottom,e:enabled,Index:12711,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-bottom,Action:permit,labNF56FW0G-B5#runreth1|matchInput:1105948672bps(270007Output:11

27、05469440bps(269890labNF56FW0G-B5#runreth2|matchInput:1105940480bps(270006Output:1146171776bps(289816labNF56FW0G-B5#runreth2|matchInput:1105940480bps(270006Output:1146171776bps(289816SPU279132972729606新建会话数量在pic0,pic1labNF56FW0G-B5#runshowsecuritymonitoringfpcFPC PICCPU2 Memory: 69 CurrentflowMaxflow

28、CurrentCP:MaxCP:CreationPerSecond(forlast96secondsage):PICCPU: 35 Memoryutilization : 61Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):labNF56FW0G-B5#runshowsecuritymonitoringfpcFPC Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):labNF56FW0G-B5#ru

29、nshowsecuritymonitoringfpcFPC PICCPU: 34 Memory: 61 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):PICCPU: 34 Memory: 61 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):测试项 3（第四年/策略非同步labNF56FW0G-B5#runshowsecuritypolicieszone-FromTo PolicylabNF56

30、FW0G-B5#runshowsecuritypoliciespolicy-labNF56FW0G-B5#runshowsecuritypolicieszone-FromTo PolicylabNF56FW0G-B5#runshowsecuritypoliciespolicy-Fromzone:trust,Tozone: ,e:enabled,Index:6363,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-,Action:permit,Fromzone:untrust,Toz

31、one:,e:enabled,Index:10,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:,-traffic,Action:permit,labNF56FW0G-B5#runshowsecuritypoliciespolicy-nameFromzone:trust,Tozone: Policy:medium,e:enabled,Index:9359,ScopePolicy:0,Sequencenumber:SourceFromzone:trust,Tozone: Policy:medium,e:enabl

32、ed,Index:9359,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-medium,Action:permit,Fromzone:untrust,Tozone:Policy:medium,e:enabled,Index:3010,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:medium,medium-traffic,Action:permit,labNF56F

33、W0G-B5#runshowsecuritypoliciespolicy-nameFromzone:trust,Tozone: Policy:bottom,e:enabled,Index:12711,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-bottom,Action:permit,Fromzone:untrust,Tozone:Policy:bottom,e:enabled,Index:6362,ScopePolicy:0,Sequencenumber:Sourcead

34、dresses:Destinationaddresses:Applications:bottom,bottom-traffic,Action:permit,labNF56FW0G-B5#runreth1|matchInput:1720360960bps(420009Output:1719410688Destinationaddresses:Applications:bottom,bottom-traffic,Action:permit,labNF56FW0G-B5#runreth1|matchInput:1720360960bps(420009Output:1719410688bps(4197

35、80labNF56FW0G-B5#runreth2|matchInput:1720291328bps(419993Output:1788753072bps(453691SPU408153043337440新建会话数量在pic0,pic1labNF56FW0G-B5#runshowsecuritymonitoringfpcFPC PICCPU4 Memory: 69 CurrentflowMaxflowCurrentCP:MaxCP:CreationPerSecond(forlast96secondsage):PICCPU: 54 MemoryMemory: 69 CurrentflowMaxf

36、lowCurrentCP:MaxCP:CreationPerSecond(forlast96secondsage):PICCPU: 54 Memory: 61 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):labNF56FW0G-B5#runshowsecuritymonitoringfpcFPC PICCPU: 54 Memory: 61 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):PIC

37、CPU: 53 Memory: 61 Currentflow:PICCPU: 53 Memory: 61 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):测试项 4（第四年/最大策略数量labNF56FW0G-B5#runshowsecuritypolicieszone-FromTo Policy测试项 4（第四年/最大策略数量labNF56FW0G-B5#runshowsecuritypolicieszone-FromTo PolicylabNF56FW0G-B5showsecuritypol

38、iciespolicy-Fromzone:trust,Tozone: ,e:enabled,Index:4,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-,Action:Fromzone:untrust,Tozone:,e:enabled,Index:10246,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:,-traffic,Action:labNF56FW0G-B5showsecurityp

39、oliciespolicy-nameFromzone:trust,Tozone: Policy:medium,e:enabled,Index:5005,labNF56FW0G-B5showsecuritypoliciespolicy-nameFromzone:trust,Tozone: Policy:medium,e:enabled,Index:5005,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:t-u-medium,Action:Fromzone:untrust,Tozone:

40、Policy:medium,e:enabled,Index:15245,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:medium,medium-traffic,Action:labNF56FW0G-B5showsecuritypoliciespolicy-nameFromzone:trust,Tozone: Policy:bottom,e:enabled,Index:10245,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destina

41、tionaddresses:Applications:t-u-bottom,Action:Fromzone:untrust,Tozone:Policy:bottom,e:enabled,Index:20485,ScopePolicy:0,Sequencenumber:Sourceaddresses:Destinationaddresses:Applications:bottom,bottom-traffic,Action:labNF56FW0G-B5#runPolicy:bottom,e:enabled,Index:20485,ScopePolicy:0,Sequencenumber:Sour

42、ceaddresses:Destinationaddresses:Applications:bottom,bottom-traffic,Action:labNF56FW0G-B5#runreth1|matchInput:1720295424bps(419994Output:1719402496bps(419775labNF56FW0G-B5#runreth2|matchInput:1720365056bps(420012Output:1788810672bps(453707SPU403893662136474新建会话数量在pic0,pic1labNF56FW0G-B5#runshowsecur

43、itymonitoringfpcFPC PICCPU6 Memory: 69 CurrentflowMaxflowCurrentCP:MaxCP:CreationPerSecond(forlast96FPC PICCPU6 Memory: 69 CurrentflowMaxflowCurrentCP:MaxCP:CreationPerSecond(forlast96secondsage):PICCPU: 54 Memory: 62 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):labNF56F

44、W0G-B5#runshowsecuritymonitoringfpcFPC PICCPU: 53 Memory: 62 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsCurrentCPMaxCPCreationPerSecond(forlast96secondsage):PICCPU: 53 Memory: 62 Currentflow:Maxflow: CurrentCPMaxCPCreationPerSecond(forlast96secondsage):测试项 1（最小 POLICIES 数量l

45、abRow1-Rack3-SRX5600B#runshowsecuritypolicieszone-FromTo Policy测试项 1（最小 POLICIES 数量labRow1-Rack3-SRX5600B#runshowsecuritypolicieszone-FromTo Policy11变更其中一条策略，RE RE100idlelabRow1-Rack3-SRX5600B#runshowchassisrouting-enginenodeRoutingEngineSlotCurrentElectionMaster38degreesC/100degreesCPU35degreesC/95

46、degrees2048Memory30CPU1108 0 81MSerialStart2014-03-1415:06:473days,2hours,54minutes,4308 0 81MSerialStart2014-03-1415:06:473days,2hours,54minutes,43LastrebootRouterrebootedafteranormalLoad1minute 5minute 15COMMIT测试项 2（12000条 labRow1-Rack3-SRX5600B#runshowsecuritypolicieszone-FromTo Policy变更其中一条策略，RE RE100idlelabRow1-Rack3-SRX5600B#runshowchassisrouting-enginenodeRoutingEngineSlotCurrentElectionMaster38degreesC/100degreesCPU37degreesC/98degreesRoutingEngineSlotCurrentElectionMaster38degreesC/100degreesCPU37degreesC/98degrees2048Memory31CPU250110 64MSerialStart2014-03-14