Hi folks, Thanks for taking the time to reply!
I was afraid that was the case, but wanted to check in with the experts regardless =) On Thu, Apr 14, 2022 at 6:25 PM Nathan Ward via juniper-nsp < [email protected]> wrote: > > > > ---------- Forwarded message ---------- > From: Nathan Ward <[email protected]> > To: Tobias Heister <[email protected]> > Cc: [email protected] > Bcc: > Date: Fri, 15 Apr 2022 00:08:50 +1200 > Subject: Re: [j-nsp] FlowSpec rules being installed, but not matching any > traffic > > > On 14/04/2022, at 10:53 PM, Tobias Heister via juniper-nsp < > [email protected]> wrote: > > > > Hi, > > > > I doubt that BGP Flow Spec is systested or supported on any QFX5k > platform. > > > > Feature Explorer (while not perfect :)) does support me in that > thinking: > https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1541&pFName=BGP+Flow+Specification > > > Yeah… QFX5100 (and all the Broadcom boxes, AFACT) fail open when firewall > filters get too complex - and that complexity limit is pretty low. > Given that, having BGP be able to program those same firewall filters > seems like a very bad idea on those boxes. > > I wonder if the flowspec rules aren’t matching because the whole thing is > too complex and it’s failing open. > > -- > Nathan Ward > > > > > ---------- Forwarded message ---------- > From: Nathan Ward via juniper-nsp <[email protected]> > To: Tobias Heister <[email protected]> > Cc: > Bcc: > Date: Fri, 15 Apr 2022 00:08:50 +1200 > Subject: Re: [j-nsp] FlowSpec rules being installed, but not matching any > traffic > _______________________________________________ > juniper-nsp mailing list [email protected] > https://puck.nether.net/mailman/listinfo/juniper-nsp > _______________________________________________ juniper-nsp mailing list [email protected] https://puck.nether.net/mailman/listinfo/juniper-nsp
