[j-nsp] Netscreen 5400 per-UDP-port bandwidth cap?

Phil Mayers p.mayers at imperial.ac.uk
Fri Mar 5 05:32:28 EST 2010


On 03/05/2010 10:17 AM, Phil Mayers wrote:
> On 03/05/2010 10:15 AM, Phil Mayers wrote:
>>
>> Damn... wait a minute.
>>
>> I recall something about screen options and vlan sub-ints, in the
>> release notes.
>>
>> Hmm.
>
> Blast.
>
> Yes - it was the UDP screen. Even though it's applied on a zone bound to
> a sub-int, evidently it works on a per-physical-interface basis.

In fact, the ScreenOS 6.2r4 release notes state:

"""Flood Screens — On ISG 1000, ISG 2000, NetScreen-5000 Series devices,
the UDP and ICMP flood screens apply to the physical interface and
therefore require that the zone be bound to a physical interface. The
following limitations apply:

   * When zones are bound to a sub-interface, the ICMP and UDP flood
screen are not enforced unless the zone is also bound to a physical
interface.

   * When ICMP and UDP flood screen options are configured for different
zones and on the same physical interface, the flood threshold is applied
based on the last configured zone threshold.
"""

I would argue this is misleading wording and it does not in fact 
represent our exact config - but disabling the "UDP Flood" option on the 
"Foo" zone does indeed allow UDP traffic between "Trust" and "Untrust" 
zones whose sub-ints are on the same physical int as "Foo".

One wonders why the screen options are configured on a zone basis if 
they apply to physical ints on this platform...
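As an added audit helper (not from the original post or from Juniper), the Python below models the release-notes rule quoted above over a constructed zone inventory: it flags UDP flood thresholds that are silently not enforced because the zone is bound only to a sub-interface, and reports which zone's threshold actually polices each sub-interface on a shared physical port. Zone names, interface names and thresholds are constructed; treating list order as configuration order is an assumption.

```python
# Constructed inventory (not from the original post): UDP flood thresholds
# per zone (pps) and zone-to-interface bindings, in configuration order.
UDP_FLOOD_THRESHOLD = {"Foo": 1000, "Trust": 500, "DMZ": 2000}  # Untrust: none
BINDINGS = [
    ("Foo", "ethernet2/1"),          # bound to the physical interface
    ("Trust", "ethernet2/1.100"),    # sub-int on the same port as Foo
    ("Untrust", "ethernet2/1.200"),  # sub-int on the same port, no screen
    ("DMZ", "ethernet2/2.10"),       # sub-int only: its threshold never applies
]


def physical_of(interface):
    """Strip the sub-interface unit: 'ethernet2/1.100' -> 'ethernet2/1'."""
    return interface.split(".", 1)[0]


def effective_udp_flood(bindings, thresholds):
    """Return ({physical interface: enforced threshold}, [findings]).

    Rules modelled on the release-notes text quoted in the post:
      * a zone's threshold is enforced only via a binding to the physical
        interface itself, never via a sub-interface binding alone;
      * the enforced threshold covers every sub-interface on that port,
        whatever zone it belongs to (the behaviour the poster observed);
      * several screened zones on one port: the last configured wins
        (assumption: list order is configuration order).
    """
    phys_zones = {z for z, i in bindings if physical_of(i) == i}
    enforced, findings = {}, []  # phys -> (zone, thr)
    for zone, iface in bindings:
        thr, phys = thresholds.get(zone), physical_of(iface)
        if thr is None:
            continue
        if iface != phys:
            if zone not in phys_zones:
                findings.append(f"{zone}: udp-flood {thr} on {iface} is NOT "
                                "enforced (sub-interface binding only)")
            continue
        if phys in enforced:
            prev_zone, prev_thr = enforced[phys]
            findings.append(f"{phys}: {zone} ({thr}) overrides {prev_zone} "
                            f"({prev_thr}); last configured zone wins")
        enforced[phys] = (zone, thr)
    for zone, iface in bindings:
        phys = physical_of(iface)
        if iface != phys and phys in enforced:
            owner, thr = enforced[phys]
            findings.append(f"{zone} on {iface} is policed by {owner}'s "
                            f"udp-flood {thr} on {phys}")
    return {p: t for p, (_, t) in enforced.items()}, findings
```

Run against a real ScreenOS config export, the findings list is the set of zones whose flood screen you believe is active but which the platform is not actually enforcing.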
