[j-nsp] Very Bad Policer Bug

Mark Tinka mtinka at globaltransit.net
Tue Oct 20 01:08:23 EDT 2009

Hello all.

Some of you may have hit this bug - for those that haven't, 
here it is:

JUNOS 9.3R2.8 is affected by a severe bug that "locks" up 
the PFE when a policer configured with the 'logical-
interface-policer' feature is applied to a logical unit.

We discovered it because we were trying to apply bandwidth 
management to a customer's dual-stacked connection, i.e., 
IPv4 and IPv6.

The issue affects the FPC on which the PIC where the policer 
is applied resides. So, like in our case, the fall-out was 
pretty bad since an M7i was in question, and it has only one 
FPC. An M10i or higher would still be relatively functional 
as those have multiple FPC's (assuming you load balance 
connectivity between multiple FPC's, of course).

Since only the PFE is affected, console access is still 
available during the issue.

The issue was resolved from JUNOS 9.3R3.8 and later.

Many of you might not be running JUNOS 9.3R2.8, but in case 
anyone is, and you need to support multi-family policing 
under a logical unit (or dual-stack IPv4/IPv6 for that 
matter), upgrade!

We were moving to JUNOS 9.5R3 anyway later this month, so 
we'll dodge this bullet.

PR for this is currently internal, but asking JTAC to see if 
they can make it public.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 835 bytes
Desc: This is a digitally signed message part.
URL: <https://puck.nether.net/pipermail/juniper-nsp/attachments/20091020/36861ba4/attachment.bin>

More information about the juniper-nsp mailing list