On Apr 28, 2008, at 21:01, Richard A Steenbergen wrote:

On Sun, Apr 27, 2008 at 11:14:29PM +0300, Juha Suhonen wrote:
Hello, Juniper gurus!

We recently got a few Juniper EX3200's, after paging thru the (quite
inconsistent and scattered) documentation on Juniper's web site I still
haven't been able to find a solution to this (probably quite simple)
problem.
...
In Juniper routers, I'd stick a firewall filter to the "lo0" interface and be happy with it, but EX3200 complains about this configuration - "Filters
are not supported on loopback or LAG interface lo0".

Yeah I found the same problem, and I'm pretty sure there is currently no
other way to do it (short of filters on every other interface, with
hardcoded IPs). With any luck this will be fixable in future versions of
code, but technically speaking we really have no idea if this is even
supported in hardware at all. Hopefully someone from Juniper can confirm.

To me things like "oh woops we forgot to mention, no filters on the
control-plane or LAG interfaces" are 1000x more interesting than hooking
up a box to a traffic generator and watching it pass ordinary packets
successfully. Wait until you see the reduced number of things you can
match on once you actually do get a filter working. :)

IMNSHO, control-plane filtering (and CoPP) should have been there from FCS. While technically the box seems nice and the per-port price seems to be a bit lower than vendor C, some features just need to be there for the box to participate in the internet as we know it today. ;-) This holds true especially if you're planning to use the EX as a router instead of a layer 2 switch with the management interface protected in a management LAN (or something). The lack of filtering isn't obvious when one reads through the documentation either (until you try it and are negatively surprised). The closest thing to an unsupported-statement list is Table 123 on page 820, which lists specific filter features not supported in EX.

To be fair, the manual does state that filters aren't supported on LAG interfaces (page 748 ;-)), but there is no mention of loopbacks at all.

HTH

Kaj
--
Kaj J. Niemi
+358 45 63 12000
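As an added illustration (not from anyone in the thread), the two approaches Richard and Kaj contrast side by side: the router-style control-plane filter bound to lo0, and the EX3200 workaround of binding a filter to every routed port with the box's own address hardcoded as the destination. Addresses are constructed documentation ranges, and the match conditions (source/destination address, protocol, port) are assumed to be among those the EX supports.

```junos
firewall {
    family inet {
        /* Router-style: one lo0 filter sees all traffic addressed to the RE. */
        filter protect-re {
            term allow-mgmt-ssh {
                /* 198.51.100.0/24 is a constructed management range */
                from {
                    source-address { 198.51.100.0/24; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-rest {
                then { count re-drops; discard; }
            }
        }
        /* EX3200 workaround from the thread: lo0 refuses a filter, so a
           per-port filter hardcodes the switch's own address (192.0.2.1,
           constructed; list every address the box owns) as destination.
           The final term must accept, or transit traffic stops. */
        filter protect-re-port {
            term allow-mgmt-ssh {
                from {
                    destination-address { 192.0.2.1/32; }
                    source-address { 198.51.100.0/24; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-to-self {
                from { destination-address { 192.0.2.1/32; } }
                then { count re-drops; discard; }
            }
            term allow-transit { then accept; }
        }
    }
}
interfaces {
    /* Accepted on M/T-series routers; the EX3200 rejects the filter here */
    lo0 {
        unit 0 { family inet { filter { input protect-re; } address 192.0.2.1/32; } }
    }
    /* EX3200: apply the port filter to every routed interface instead */
    ge-0/0/0 {
        unit 0 { family inet { filter { input protect-re-port; } address 192.0.2.2/30; } }
    }
}
```

The per-port variant has to be updated whenever the box gains an address, which is exactly the maintenance cost the thread complains about.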

_______________________________________________
juniper-nsp mailing list
https://puck.nether.net/mailman/listinfo/juniper-nsp