[j-nsp] output-list for ex4200

[Richard A Steenbergen]

On Wed, Apr 27, 2011 at 12:24:25PM +0100, Nick Ryce wrote:
> 
> Any ideas if this is supported in 10.4 as we have a standard ACL we 
> use on most customer vlans and then a customer specific vlan?

Nah, filter chains are definitely not supported on EX, and I'm not aware 
of any near term plans to add it.

Even on the major platforms, filter chains aren't exactly a completely 
well-thought-out solution. Doing the "next term" operation that you need 
to force packets to be evaluated all the way through the chain actually 
consumes lookup capacity inside the firewall processing, and it is 
surprisingly easy to exhaust this capacity. For example, something on 
the order of a dozen filter terms in a chain, doing relatively simple 
matching, is enough to exhaust the capacity of an I-Chip on an MX DPC. 
When this happens, you'll suddenly discover that your ports are no 
longer capable of doing line rate packets/sec, and there will be no 
indications of the drops short of poking around in the "show ichip" 
commands on the PFE. Needless to say, this can make for a really bad 
day.

We use a commit script to automatically build unique per-interface 
firewall filters out of individual filter config components. It's not 
pretty, but unfortunately this is really the only practical way to get 
the kind of config reuse you're looking for, not to mention the only way 
to actually protect the control plane on the EX. :)

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)