
PowerMode

26-Mar-25


PowerMode is a new default dataplane framework that introduces an optimized fast-path allowing for higher throughput and lower latency on SRX Series Firewalls. PowerMode is able to accelerate IPsec operations and generic TCP and UDP flows in the same manner as Express Path on Trio-Based platforms.

In Junos OS Release 21.3R1, the feature has the following limitations:

  • Non-IP protocol.
  • IP protocols which are not TCP, UDP, ESP, SCTP and GTP.
  • Multicast sessions.
  • Egress Logical Tunnel (LT) interfaces and cross-lsys traffic.
  • Sessions that require TCP-Proxy.
  • Firewall Filters.
  • MAC learning and transparent mode.
  • Active/Active HA clusters when the sessions are transiting the fabric link known as Z-mode traffic.
Note:

SRX Series Firewalls with PMI support only flow-based CoS (Class of Service).

PowerMode Express

PowerMode Express Overview

PowerMode Express (PME) is a mode of operation that provides performance improvements using vector packet processing. PME uses a small software block inside the Packet Forwarding Engine (PFE) that processes multiple packets from the receive buffer together, making better use of the CPU cache.

Figure 1: Packet Flow in PowerMode Express

Benefits

  • Improves fast path processing and UDP throughput performance.

On SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX devices, PowerMode Express is enabled by default from Junos OS Release 21.3R1. When you upgrade to Junos OS Release 21.3R1 or later, you unlock free, unparalleled next-generation firewall performance, without any additional configuration or hardware investment.

To disable PowerMode Express globally, use the set security flow power-mode-disable command.

PowerMode Express supports:

  • Class of Service (CoS)

  • Network Address Translation (NAT)

  • Screens (Anti-DDoS)

  • Forwarding class

  • Routing instance

PowerMode Express Limitations

PowerMode Express does not support:

  • Non-IP protocol

  • IP protocols which are not TCP, UDP, ESP, SCTP, and GTP

  • Multicast sessions

  • Egress Logical Tunnel (LT) interfaces and cross-lsys traffic

  • Sessions that require policer, syslog, and counter

  • Firewall filter

  • Active/Active HA clusters when the sessions are transiting the fabric link known as Z-mode traffic

How does PowerMode Express Process the Traffic

When the first packet arrives at an interface, a new session is created in PowerMode. If the new session qualifies for PowerMode Express, a PowerMode qualification check occurs.

The PowerMode Express session processes the fast-path packets in the network processor to jexec processing. In the jexec Layer 2 forwarding stage, the cached next-hop, forwarding class, and Class of Service (CoS) information allows the subsequent packets of the session to use PowerMode Express.

How to Re-enable PowerMode Express

PowerMode Express is enabled by default. If you have disabled PowerMode Express, you can re-enable it using the following commands:

[edit]
user@host# delete security flow power-mode-disable
user@host# commit

Verification

To confirm that the configuration is working properly, enter the following show command.

user@host> show security flow status | match "Flow power mode"
  Flow power mode: Enabled
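
The following Python sketch is an added example, not Juniper code. It audits a saved configuration (in display set form) for statements that correspond to the limitations listed above, and reads the power-mode line from saved show security flow status output. The rule patterns for filters, lt- interfaces, and Layer 2 families are heuristics assumed here, and both samples are constructed.

```python
import re

# Constructed sample in "display set" form (not from a real device).
SAMPLE_CONFIG = """\
set security flow power-mode-disable
set interfaces ge-0/0/1 unit 0 family inet filter input PROTECT-EDGE
set interfaces ge-0/0/2 unit 0 family inet address 192.0.2.1/24
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces ge-0/0/3 unit 0 family ethernet-switching interface-mode access
"""

# Constructed status sample, independent of the config sample above; only the
# "Flow power mode" line is taken from this page.
SAMPLE_STATUS = """\
  Flow forwarding mode:
    Inet forwarding mode: flow based
  Flow power mode: Enabled
"""

# Heuristic rules (assumptions of this example) tied to the page's limitation lists.
RULES = [
    (re.compile(r"^set security flow power-mode-disable\b"),
     "PowerMode Express disabled globally"),
    (re.compile(r"^set interfaces \S+ unit \d+ family \S+ filter (input|output)"),
     "firewall filter applied; listed as unsupported"),
    (re.compile(r"^set interfaces lt-\S+"),
     "logical tunnel interface; egress LT traffic listed as unsupported"),
    (re.compile(r"^set interfaces \S+ unit \d+ family (ethernet-switching|bridge)\b"),
     "Layer 2 family; MAC learning and transparent mode listed as unsupported"),
]

def audit_config(config_text):
    """Return (line_number, reason) for each statement that matches a rule."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for pattern, reason in RULES:
            if pattern.search(line.strip()):
                findings.append((lineno, reason))
    return findings

def flow_power_mode(status_text):
    """Return the value of the 'Flow power mode' line, or None if absent."""
    m = re.search(r"^\s*Flow power mode:\s*(\S+)", status_text, re.MULTILINE)
    return m.group(1) if m else None

if __name__ == "__main__":
    for lineno, reason in audit_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}")
    print("Flow power mode:", flow_power_mode(SAMPLE_STATUS))
```

A match only means traffic on that interface or device may be handled outside the PowerMode Express fast path; confirm against the session behavior on the device itself.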

PowerMode IPsec

PowerMode IPsec (PMI) is a new mode of operation for SRX4100, SRX4200, SRX4600, SRX5400, SRX5600, SRX5800, and vSRX Virtual Firewall instances to improve IPsec performance. Starting with Junos OS Release 19.1R1, the PMI is enhanced to handle the incoming and outgoing fragment packets using first path or fast path processing.

Enable the PMI process by using the set security flow power-mode-ipsec command. To verify that the packets are leveraging PMI, use the show security flow pmi statistics command.

Understanding PMI First Path and Fast Path Processing

In a PMI first path processing:

  • The incoming first path packet is delivered to flow to create a session.

  • The incoming fragment packets are delivered to flow for reassembling.

  • The incoming packets are delivered to flow for advanced security service processing.

In a PMI fast path processing, the PMI driver is used:

  • To encrypt and send out the incoming clear text directly.

  • To decrypt and send out the incoming ESP packets directly with session match.

Switching between PMI First Path and Fast Path Processing

The first path processing involves more features and instructions, while the PMI fast path processing provides better performance. In a PMI session, the packet processing switches between first path and fast path based on the packets flow in the session.

  • A PMI session with both fragment and non-fragment packets is processed by first path.

  • When the session only has non-fragmented packets, the session switches from first path to fast path processing.

Note:

On SRX5400, SRX5600, and SRX5800 devices, switching happens after the NP session timeout.

Fragmentation for Incoming IP Packets

To support fragmentation for incoming IP packets for PMI, the following steps are used in first path:

  • PMI transmits all the fragmented IP packets in a session to the flow module for processing.

  • PMI transmits all the non-fragmented IP packets in the same session to the flow module for packet ordering.

  • The Flow module completes reassembly of fragmented packets and transmits the packets back to PMI for encryption.

Fragmentation for Outgoing IP Packets

To support fragmentation for outgoing IP packets for PMI, the following steps are used:

  • PMI detects clear text packets that require fragmentation during session lookup and delivers the packets to the flow module.

  • The flow module fragments the outgoing packets.

  • PMI encrypts the packets before transmitting them.

NP session support

On SRX4100, SRX4200, and vSRX Virtual Firewall devices, fragment and non-fragment packets are hashed to the same CPU core for processing. Hence, NP session is not supported.

On SRX5400, SRX5600, and SRX5800 devices with SPC3, fragment and non-fragment packets are hashed to different CPU cores for processing. Hence, NP session is supported to deliver fragment or non-fragment packets to the same core for ordering.

Note:

If a PMI session or non-PMI session has no NP session installed due to limited NP session capacity, then packet ordering for this session may not be available.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release | Description
19.1R1 | Starting with Junos OS Release 19.1R1, the PMI is enhanced to handle the incoming and outgoing fragment packets using first path or fast path processing.