[j-nsp] EX4200 filter buggy?
Charlie Allom
charlie at playlouder.com
Wed Dec 15 11:21:12 EST 2010
On Wed, Dec 15, 2010 at 11:00:10AM -0500, Chris Morrow <morrowc at ops-netman.net> wrote:
> (ex-platform causes death/dismemberment/pain/anguish)
>
> On 12/15/10 09:18, Charlie Allom wrote:
> > On Sun, Dec 12, 2010 at 09:49:02PM -0600, Richard A Steenbergen <ras at e-gerbil.net> wrote:
> >
> > Richard how did you come to this realisation? Was this a JTAC case or do
> > you have a way to look at the filter optimization?
>
> Juniper doesn't normally release this sort of data, you can run some
> command to dump the optimized code out though... it's kinda ugly :(

Any tips on where to find this command? :)

> > I think I have seen similar outcomes, but don't know how to match it up
> > with proof.
>
> try this fun experiment:
> 1) apply loopback filter, permit ssh/bgp/ospf (things you include
> normally in your loopback filter)
> 2) if you permit 'icmp' or 'traceroute' to the device (use the device
> interface IPs in the from clause, potentially with a prefix-list built
> from an apply-path expression)
> 3) traceroute to something behind/beyond the device
>
> note that the device doesn't show up in the traceroute? ;( packet
> processing/firewalling fail.

No. I'll take your word for it :)

Regards,
C.
--
+442077294797
http://mediaserviceprovider.com/