[j-nsp] EX4200 filter buggy?
Charlie Allom
charlie at playlouder.com
Wed Dec 15 09:18:26 EST 2010
On Sun, Dec 12, 2010 at 09:49:02PM -0600, Richard A Steenbergen <ras at e-gerbil.net> wrote:
> On Mon, Dec 13, 2010 at 10:51:26AM +0800, Gavin Tweedie wrote:
> >
> >
> > I also have a case open with JTAC.
>
> For example, if you configured a single term to match on 0.0.0.0/8,
> 1.0.0.0/8, or 3.0.0.0/8, the firewall compiler would try to optimize
> that match into "0.0.0.0/6 && !2.0.0.0/8". The problem is the NOT match
> wasn't supported on the EX, so it would ignore that operation and match
> the 2.0.0.0/8 packets anyways, even though you didn't configure that
> range in your filter.
Richard how did you come to this realisation? Was this a JTAC case or do
you have a way to look at the filter optimization?
I think I have seen similar outcomes, but don't know how to match it up
with proof.
C.
--
+442077294797
http://mediaserviceprovider.com/
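The compiler behaviour Richard describes in the quoted text can be modelled to see exactly what leaks when a platform drops the NOT. The block below is an added example written for this archive page, not code from the thread, from JTAC or from Junos: it uses Python's ipaddress module to collapse a term's prefixes into the smallest covering supernet plus the "holes" the compiler would have to express as `!prefix`, then compares the literal term against the compiled form with and without the NOT honoured. The function names, the `audit` helper and the sample addresses are mine; the three /8s are the ones from the quoted message, and the model generalizes to any list of IPv4 prefixes.

```python
"""Model of the filter-compiler optimization described in the quoted message.

Added example, not code from the thread or from Juniper: it reproduces the
optimization in pure Python to show why a NOT that the hardware silently
ignores widens the match set beyond what was configured.
"""
import ipaddress

# Constructed sample: the three /8s from the quoted message.
CONFIGURED = ["0.0.0.0/8", "1.0.0.0/8", "3.0.0.0/8"]


def intended_match(prefixes, addr):
    """Literal semantics of the term: match if addr is in any configured prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def optimize(prefixes):
    """Collapse the prefixes into (supernet, excluded_subnets).

    supernet is the smallest single prefix covering everything configured;
    excluded_subnets are the holes inside it that were never configured and
    that the compiler would have to express as '!prefix' terms.  This is a
    model of the optimization the message describes, not Junos's own code.
    """
    nets = sorted(ipaddress.ip_network(p) for p in prefixes)
    supernet = nets[0]
    while not all(n.subnet_of(supernet) for n in nets):
        supernet = supernet.supernet()
    # Carve every configured prefix out of the supernet; what remains is the
    # set of addresses the optimized term would wrongly admit without the NOT.
    remaining = [supernet]
    for net in nets:
        carved = []
        for block in remaining:
            if block.subnet_of(net):
                continue                                   # fully configured: no hole
            if net.subnet_of(block):
                carved.extend(block.address_exclude(net))  # punch the hole out
            else:
                carved.append(block)                       # disjoint: untouched
        remaining = carved
    return supernet, sorted(remaining)


def compiled_match(prefixes, addr, honor_not=True):
    """Match against the optimized form.

    honor_not=True is the intended semantics; honor_not=False models a
    platform that ignores the '!' operation and keeps only the supernet.
    """
    supernet, excluded = optimize(prefixes)
    ip = ipaddress.ip_address(addr)
    if ip not in supernet:
        return False
    if honor_not and any(ip in hole for hole in excluded):
        return False
    return True


def leaked_prefixes(prefixes):
    """Prefixes that match only because the NOT was ignored, as strings."""
    _, excluded = optimize(prefixes)
    return [str(hole) for hole in excluded]


def audit(prefixes, addr):
    """Compare intended behaviour with both compiled variants for one address."""
    return {
        "intended": intended_match(prefixes, addr),
        "compiled_with_not": compiled_match(prefixes, addr, honor_not=True),
        "compiled_without_not": compiled_match(prefixes, addr, honor_not=False),
    }


if __name__ == "__main__":
    supernet, excluded = optimize(CONFIGURED)
    print("optimized:", supernet, "&& !" + " && !".join(map(str, excluded)))
    for a in ("1.2.3.4", "2.0.0.1"):
        print(a, audit(CONFIGURED, a))
```

Running it on the quoted prefixes yields `0.0.0.0/6 && !2.0.0.0/8`, and `audit` shows 2.0.0.1 rejected by the literal term and by the compiled form with the NOT honoured, but accepted once the NOT is dropped. Used as a check, `leaked_prefixes` lists the ranges worth sending test traffic through when you suspect a filter is matching more than it was written to.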