[j-nsp] ethernet promisc mode
Richard A Steenbergen
ras at e-gerbil.net
Wed Oct 8 12:11:26 EDT 2003
On Wed, Oct 08, 2003 at 11:40:39AM -0400, Avram Dorfman wrote:
> Richard,
>
> Getting the ethernet into promiscuous mode wouldn't solve your problem.
> If the packets it picks up don't have the RE as a destination IP
> address on them, they're just going to get forwarded according to the
> forwarding table anyway (presumably back out that interface, and get
> picked up again, causing a forwarding loop).
>
> This is a dangerous idea anyway, because there is only a fast-e between
> the FE and the RE. It would be extremely easy to saturate it, and that
> can break things, and put a dangerous load on the CPU (I assume this is
> an active router).
Yes well,

MAC statistics:                      Receive         Transmit
  Total octets                          9234                0
  Total packets                           27                0
  Unicast packets                         27                0
Somehow I don't think this awesome packet load will put the RE under too
much strain. :) Honestly though, I'd like to see an end to that argument.
There are a million ways to blow up a router, including logging too much
data under a firewall term, and yet that command is still included because
it has useful diagnostic functions which haven't been completely outlawed
because some tards killed their routers and called jtac (yet anyways). If
you want to make it safer, put in some default rate-limits, but please
don't bypass useful features because someone might do something stupid
with them.
But yes I see your point, I'm looking for a way to force packets to the RE
for analysis as well. You can't put a firewall on a CCC family so you
can't even log things that way.
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)