[j-nsp] Very Bad Policer Bug
Mark Tinka
mtinka at globaltransit.net
Tue Oct 20 01:08:23 EDT 2009
Hello all.
Some of you may have hit this bug - for those that haven't,
here it is:
JUNOS 9.3R2.8 is affected by a severe bug that "locks" up
the PFE when a policer configured with the 'logical-
interface-policer' feature is applied to a logical unit.
We discovered it because we were trying to apply bandwidth
management to a customer's dual-stacked connection, i.e.,
IPv4 and IPv6.
The issue affects the FPC on which the PIC where the policer
is applied resides. So, like in our case, the fall-out was
pretty bad since an M7i was in question, and it has only one
FPC. An M10i or higher would still be relatively functional
as those have multiple FPC's (assuming you load balance
connectivity between multiple FPC's, of course).
Since only the PFE is affected, console access is still
available during the issue.
The issue was resolved from JUNOS 9.3R3.8 and later.
Many of you might not be running JUNOS 9.3R2.8, but in case
anyone is, and you need to support multi-family policing
under a logical unit (or dual-stack IPv4/IPv6 for that
matter), upgrade!
We were moving to JUNOS 9.5R3 anyway later this month, so
we'll dodge this bullet.
PR for this is currently internal, but asking JTAC to see if
they can make it public.
Cheers,
Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20091020/36861ba4/attachment.bin>
More information about the juniper-nsp
mailing list