[j-nsp] MX loopback filter and monitor traffic
Stefan Fouant
sfouant at shortestpathfirst.net
Thu Jun 16 16:02:59 EDT 2011
Hi Clarke,
One thing you forgot to mention is whether your re-protect filter is actually discarding the traffic or not. However, assuming that you are discarding, the reason you are not seeing the traffic via the monitor command is because the traffic destined to the RE is not actually being filtered on the RE itself but is actually being filtered at the PFE. When you commit the config, the compiled filter is pushed down to the microkernel on the PFE so anything destined to the RE can be filtered via forwarding plane hardware. You can see counters because those are actually gathered at the PFE and then the statistics are sent to the RE.
Hope this makes sense. Sorry for the top post, I am on my Android.
Stefan Fouant
GPG Key ID: 0xB4C956EC
Sent from my HTC EVO.
----- Reply message -----
From: "Clarke Morledge" <chmorl at wm.edu>
Date: Thu, Jun 16, 2011 10:53 am
Subject: [j-nsp] MX loopback filter and monitor traffic
To: <juniper-nsp at puck.nether.net>
I have a question about how the "monitor traffic" capability works on the
loopback interface, particularly with respect to a filter.
If I write a filter, such as under a "firewall family inet filter
re-protect" stanza, and apply it to the loopback address, unit 0:
set interfaces lo0 unit 0 family inet filter input re-protect
I can see traffic hitting the filter, if I have any counters configured in
the filter. I can see that the traffic coming into the filter is getting
to the RE via any IRBs or other layer 3 interfaces that are terminated on
the MX. I can do a "monitor traffic" on any of these layer 3 interfaces
on the input side and see the relevant traffic (to and/or from the RE).
However, if I do a "monitor traffic" on the loopback interface itself, I
see nothing:
MX> monitor traffic interface lo0.0 no-resolve
no-domain-names
verbose output suppressed, use <detail> or <extensive> for full protocol
decode
Address resolution is OFF.
Listening on lo0.0, capture size 96 bytes
^C
0 packets received by filter
0 packets dropped by kernel
If all of the traffic that comes into the router to the RE via these
exposed Layer 3 interfaces eventually makes its way to the RE via the
loopback address, at unit 0, why is it that the "monitor traffic" command
does not show me anything? Why is the loopback interface so "special"?
Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
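An added illustration of the point Stefan makes above (not configuration from either post): a minimal re-protect filter whose terms count, and for discarded traffic also log, so that what the PFE drops can be inspected through filter counters and the firewall log rather than through "monitor traffic" on lo0.0. The term names, counter names and the ssh-only accept rule are assumed for the example.

```junos
# Assumed example filter: count what is accepted, count and log what is discarded.
set firewall family inet filter re-protect term allow-ssh from protocol tcp
set firewall family inet filter re-protect term allow-ssh from destination-port ssh
set firewall family inet filter re-protect term allow-ssh then count ssh-accepted
set firewall family inet filter re-protect term allow-ssh then accept
# Final term: everything else to the RE is counted, logged and dropped in the PFE.
set firewall family inet filter re-protect term deny-rest then count re-discarded
set firewall family inet filter re-protect term deny-rest then log
set firewall family inet filter re-protect term deny-rest then discard
# Apply on the loopback unit 0, as in the original post.
set interfaces lo0 unit 0 family inet filter input re-protect

# Verification after commit. The counters are gathered on the PFE and
# reported to the RE, so they increment even though lo0.0 shows no packets.
# MX> show firewall filter re-protect
# MX> show firewall log
# The captured-nothing result from the original post is expected for dropped traffic:
# MX> monitor traffic interface lo0.0 no-resolve
```

Packets matched by the deny-rest term never reach the kernel's lo0 interface, so the firewall log and the re-discarded counter are the places to confirm that the filter is doing what is intended.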
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp