[j-nsp] In Search of the Optimal RE Protect Filter - A Journey

Saku Ytti saku at ytti.fi
Fri Aug 26 11:44:34 EDT 2011


On (2011-08-26 11:38 -0400), Clarke Morledge wrote:

> (haven't tested that). Other filters do not work since the packet
> headers probably get stripped off before hitting the RE.

Quite, but the packets are not anywhere near the RE when the lo0 filter is being
processed; there isn't any strict technical reason why the lo0 filter couldn't do
matching on ethertype, MAC address, etc. Just the implementation is missing,
at least in the case of Trio.

> At least, I haven't figured out a way to do that on the MX platform.
> You would have to grab that using bridge type filters on L2
> interfaces on your platform.

The 'ddos protection' introduced in 11.2 allows you to police ARP, ISIS, STP,
LLDP etc. Of course you cannot differentiate between good and bad packets, but
it is better than nothing.

> Pretty annoying if you ask me.

Agreed. I want 'inet' and 'inet6' family filters to have full visibility into
everything the LU has visibility into, i.e. L2 too. (This is not the case for the
older lookup engines JNPR has.)


-- 
  ++ytti
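As an added example (not from Saku's post or from Juniper's documentation), this is the 11.2 ddos-protection stanza he refers to, written in set-command form for an MX with Trio line cards. The per-protocol bandwidth (packets per second) and burst (packets) values are placeholders chosen for illustration; the operational commands are given as the usual way to check for policer violations and should be verified against the release in use.

```junos
## Added example, not from the original thread. Rates are assumed placeholders.
## Per-protocol control-plane policers (Junos 11.2+, MX/Trio). These act in the
## PFE before the lo0 filter and the RE ever see the packets, which is why they
## can rate-limit L2 protocols that an inet/inet6 lo0 filter cannot match on.
set system ddos-protection protocols arp aggregate bandwidth 2000
set system ddos-protection protocols arp aggregate burst 2000
set system ddos-protection protocols isis aggregate bandwidth 5000
set system ddos-protection protocols isis aggregate burst 5000
set system ddos-protection protocols stp aggregate bandwidth 1000
set system ddos-protection protocols stp aggregate burst 1000
set system ddos-protection protocols lldp aggregate bandwidth 1000
set system ddos-protection protocols lldp aggregate burst 1000

## Checks (assumed command names; confirm on your release). A violation means
## the aggregate limit was hit, and because the policer cannot tell good from
## bad packets, legitimate ARP/ISIS/STP/LLDP may be dropped alongside the flood.
## show ddos-protection protocols violations
## show ddos-protection protocols arp statistics
## show ddos-protection protocols isis statistics
```

The aggregate limits should be set from observed baseline rates on the box (the statistics commands give current and peak rates per protocol) rather than from the values above; set too low they become a self-inflicted outage for the very protocols they protect, which is the trade-off the thread is describing.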