Configuring Service Set Limitations
You can set the following limitations on service set capacity:
You can limit the maximum number of flows allowed per service set. To configure the maximum value, include the max-flows statement at the [edit services service-set service-set-name] hierarchy level:
[edit services service-set service-set-name]
max-flows number;
The max-flows statement permits you to assign a single flow limit value. For IDS service sets only, you can specify various types of flow limits with a finer degree of control. For more information, see the description of the session-limit statement in Configuring IDS Rule Sets on an MS-DPC.
When an aggregated multiservices (AMS) interface is configured as the service interface for a service set, the max-flow value configured for the service set is applied to each of the member interfaces in the AMS interface. That is, if you have configured 1000 as the max-flow value for a service set that uses an AMS interface with four active member interfaces, each member interface can handle 1000 flows, resulting in an effective max-flow value of 4000.
You can limit the maximum segment size (MSS) allowed by the Transmission Control Protocol (TCP). To configure the maximum value, include the tcp-mss statement at the [edit services service-set service-set-name] hierarchy level:
[edit services service-set service-set-name]
tcp-mss number;
TCP negotiates an MSS value during session connection establishment between two peers. The negotiated MSS value is primarily based on the MTU of the interfaces to which the communicating peers are directly connected. However, because link MTU varies along the path taken by the TCP packets, some packets that are still well within the MSS value may be fragmented when the packet's size exceeds a link's MTU.
If the router receives a TCP packet with the SYN bit and MSS option set and the MSS option specified in the packet is larger than the MSS value specified by the tcp-mss statement, the router replaces the MSS value in the packet with the lower value specified by the tcp-mss statement. The range for the tcp-mss mss-value parameter is from 536 through 65535.
To view statistics of SYN packets received and SYN packets whose MSS value is modified, issue the show services service-sets statistics tcp-mss operational mode command. For more information on this topic, see the Junos OS Administration Library.
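The SYN rewrite described above, modelled as an added Python example (not Junos code or output). It walks the TCP options of a constructed header and lowers the MSS option when it exceeds the configured value. The names clamp_syn_mss and build_syn are hypothetical, and the TCP checksum update a real device performs is left out.

```python
import struct

TCP_FLAG_SYN = 0x02
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

def build_syn(mss):
    # Constructed sample: 24-byte TCP header, SYN set, a single MSS option.
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 1, 0,
                        6 << 4, TCP_FLAG_SYN, 65535, 0, 0)
    return fixed + struct.pack("!BBH", OPT_MSS, 4, mss)

def clamp_syn_mss(tcp_header, tcp_mss):
    """Return (header, modified) after applying a tcp-mss limit.

    Only the option rewrite is modelled; the checksum is not recomputed.
    """
    if not 536 <= tcp_mss <= 65535:
        raise ValueError("tcp-mss must be 536 through 65535")
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (tcp_header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(tcp_header):
        raise ValueError("bad data offset")
    if not tcp_header[13] & TCP_FLAG_SYN:
        return tcp_header, False          # only SYN segments carry MSS
    buf = bytearray(tcp_header)
    i = 20                                # options start after fixed header
    while i < data_offset:
        kind = buf[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:               # single-byte padding option
            i += 1
            continue
        if i + 1 >= data_offset:
            break                         # no room for a length byte
        length = buf[i + 1]
        if length < 2 or i + length > data_offset:
            break                         # malformed option, leave untouched
        if kind == OPT_MSS and length == 4:
            (mss,) = struct.unpack_from("!H", buf, i + 2)
            if mss <= tcp_mss:
                return tcp_header, False  # already within the limit
            struct.pack_into("!H", buf, i + 2, tcp_mss)
            return bytes(buf), True
        i += length
    return tcp_header, False              # no MSS option present

if __name__ == "__main__":
    print(clamp_syn_mss(build_syn(1460), 1360)[1])
```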
Starting in Junos OS Release 17.1R1, you can limit the session setup rate per service set for an MS-MPC. To configure the maximum setup rate allowed, include the max-session-setup-rate statement at the [edit services service-set service-set-name] hierarchy level:
[edit services service-set service-set-name]
max-session-setup-rate (number | numberk);
The maximum session setup rate is the maximum number of session setups allowed per second. After this rate is reached, any additional session setup attempts are dropped.
The range for the max-session-setup-rate number is 1 through 429,496,729. You can also express the setup rate as thousands of sessions by using numberk. Starting in Junos OS Release 18.4R1, 1k=1000 for the max-session-setup-rate. Prior to Junos OS Release 18.4R1, 1k=1024. If you do not include the max-session-setup-rate statement, the session setup rate is not limited.