[j-nsp] EX4200 filter buggy?
Richard A Steenbergen
ras at e-gerbil.net
Sun Dec 12 22:49:02 EST 2010
On Mon, Dec 13, 2010 at 10:51:26AM +0800, Gavin Tweedie wrote:
> We're hitting the exact same issue on a EX4200 with 9.6R3.8, which
> we're stuck on because of a bug preventing us from upgrading to
> Junos10. We have 256 terms which are matching on source IP without
> issue. Once each term is changed to match on 3 items per term rather
> than 1 the errors begin.
> I also have a case open with JTAC.

We hit a really nasty EX filter bug in early 10.1. Essentially the
firewall compiler would try to optimize the filter in ways that weren't
supported by the EX's hardware, causing unconfigured filter matches. For
example, if you configured a single term to match on 0.0.0.0/8,
18.104.22.168/8, or 22.214.171.124/8, the firewall compiler would try to optimize
that match into "0.0.0.0/6 && !126.96.36.199/8". The problem is the NOT match
wasn't supported on the EX, so it would ignore that operation and match
the 188.8.131.52/8 packets anyways, even though you didn't configure that
range in your filter.

Obviously that doesn't sound related to your issue, but the moral of the
story is that I would be absurdly suspicious of EX filter code in JUNOS
that is that old. :)

Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
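An added example, not part of Richard's post and not Juniper code: a small Python model of the optimization he describes, useful for sanity-checking a filter against the way a compiler might aggregate it. It takes the 0.0.0.0/6 supernet shape from the post but uses three constructed /8 prefixes and constructed sample addresses (the prefixes on the page are garbled, so these are assumptions). It collapses the configured prefixes into "supernet && !exclusions", then evaluates that form both with the NOT honoured and with it silently dropped, reporting any address the compiled filter accepts that no configured term covers.

```python
"""Model the filter-compiler optimization described above and check what a
platform that ignores NOT matches would actually match.

Constructed example: the configured terms and sample addresses below are
invented for illustration; only the 0.0.0.0/6 supernet shape comes from the post.
"""
import ipaddress

# Constructed: three /8 source prefixes, as a single filter term would list them.
CONFIGURED = [ipaddress.ip_network(p) for p in ("0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8")]

# Constructed sample source addresses to run through the compiled filter.
SAMPLES = ["0.1.2.3", "1.2.3.4", "2.0.0.1", "3.3.3.3", "9.9.9.9"]


def aggregate_with_exclusion(prefixes):
    """Collapse prefixes into the smallest covering supernet plus the pieces
    of that supernet that are NOT configured (the '&& !X' part)."""
    prefixes = list(ipaddress.collapse_addresses(prefixes))
    supernet = prefixes[0]
    while not all(p.subnet_of(supernet) for p in prefixes):
        supernet = supernet.supernet()
    # Carve the configured prefixes out of the supernet; whatever remains is
    # the range the compiler has to express as a negated match.
    remaining = [supernet]
    for p in prefixes:
        carved = []
        for piece in remaining:
            if piece.subnet_of(p):
                continue  # entirely configured, nothing to exclude
            if p.subnet_of(piece):
                carved.extend(piece.address_exclude(p))
            else:
                carved.append(piece)
        remaining = carved
    return supernet, sorted(remaining)


def compiled_match(addr, supernet, exclusions, honor_not=True):
    """Evaluate the compiled form 'supernet && !exclusions' for one address.
    honor_not=False models hardware that silently ignores the NOT operation."""
    addr = ipaddress.ip_address(addr)
    if addr not in supernet:
        return False
    if honor_not and any(addr in x for x in exclusions):
        return False
    return True


def configured_match(addr, prefixes):
    """What the operator actually wrote: a plain OR over the listed prefixes."""
    addr = ipaddress.ip_address(addr)
    return any(addr in p for p in prefixes)


def unconfigured_matches(prefixes, samples, honor_not):
    """Addresses the compiled filter accepts although no configured term covers them."""
    supernet, exclusions = aggregate_with_exclusion(prefixes)
    return [a for a in samples
            if compiled_match(a, supernet, exclusions, honor_not)
            and not configured_match(a, prefixes)]


if __name__ == "__main__":
    supernet, exclusions = aggregate_with_exclusion(CONFIGURED)
    print(f"compiled form: {supernet} && !{[str(x) for x in exclusions]}")
    print("spurious matches, NOT honoured:", unconfigured_matches(CONFIGURED, SAMPLES, True))
    print("spurious matches, NOT ignored :", unconfigured_matches(CONFIGURED, SAMPLES, False))
```

With the NOT honoured the compiled filter is equivalent to the configured terms and the spurious list is empty; with the NOT dropped, the address inside the fourth /8 of the supernet is accepted even though it appears in no configured term, which is exactly the class of mismatch worth testing for before trusting an aggregated filter.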