Hi Brendan,
If you use filter-list on Lo0 interface as per "securing RE guide" then
it's not supported. Only first filter in list is programmed and
everything else is ignored. We ran into the same issue and had to pull
it out from JTAC to confirm.
Brendan Mannella писал 04.12.2017 15:51:
+ Programmed: YES
+ Total TCAM entries available: 1788
+ Total TCAM entries installed : 516
Brendan Mannella
TeraSwitch Inc.
Main - 1.412.945.7045
Direct - 1.412.945.7049
eFax - 1.412.945.7049
Colocation . Cloud . Connectivity
----
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of the company. Finally, the recipient should check this email
and any attachments for the presence of viruses. The company accepts
no liability for any damage caused by any virus transmitted by this
On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <s...@ytti.fi> wrote:
Hey Brendan,
This is news to me, but plausible. Can you do this for me
start shell pfe network fpc0
show filter
<pick your lo0 filter from above>
show filter hw <from above> show_term_info
Compare how many TCAM entries are needed, and how many are
available.
Also if you can take a risk of reloading the FPC run:
show filter hw <from above> show_terms_brcm
This may crash your PFE, if you actually did not have all of the
entries programmed in HW.
commit will succeed if you build filter which will not fit in HW,
there should be syslog entry, but no complain during commit. You
will
end up having no filter or some mangled version of it. So it's just
alternative theory on why you may be accepting something you thought
you aren't.
On 4 December 2017 at 18:02, Brendan Mannella
<bmanne...@teraswitch.com>
wrote:
> Hello,
>
> So i have been testing QFX5100 product for use as a core L3
switch/router
> with BGP/OSPF. I have my standard RE filter blocking various
things
> including BGP from any unknown peer. I started to receive errors
in my
logs
> showing BGP packets getting through from hosts that weren't
allowed.
After
> digging around i found that Juniper apparently has built in ACL to
allow
> BGP, which bypasses my ACLs, probably for VCF or something.. Is
there any
> way to disable this behavior or does anyone have any other
suggestions?
>
> root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>
> Filter name : dyn-bgp-pkts
> Filter enum : 47
> Filter location : IFP
> List of tcam entries : [(total entries: 2)
> Entry: 37
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 SRC Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> Entry: 38
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 DST Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> ]
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
--
Kind regards,
Andrey Kostin
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
