[j-nsp] Input firewall on lo0 of EX --> ARP issue

Ralph Smit Ralph.Smit at nxs.nl
Thu Jun 14 04:07:25 EDT 2012


Hi Dennis,

We've run into the same issue. I've been told that the architecture of the EX switches requires a packet for an 'unknown' destination to be sent to the Routing Engine for further processing (creating an ARP request?), however this packet is filtered by the firewall placed in front of it. So your firewall filter for the routing engine should be such that it also accepts the packets for hosts attached to the switch.

Regards,

Ralph Smit


On 14 jun. 2012, at 09:42, "Dennis Krul | Tilaa" <dennis at tilaa.nl> wrote:

> Hello list,
> 
> We've been having a weird issue on our ex4200-24t's (all running 10.4R8.5). We use them for both L2 and L3. Gateways are configured on the vlan interface of the ex. So what happens is this:
> 
> - A new host enters the network
> - I connect to the host (with ssh, but protocol doesn't matter as long as it's tcp) from another subnet/vlan, nothing happens (no arp requests on the target host, nothing in the arp cache on the ex)
> - I send 1 icmp packet to the host, I get a reply
> - We now see arp requests, the ex shows an arp entry
> - Next connection succeeds
> 
> This issue exists both ways: It also happens if the first connection is attempted from this host to the outside world
> 
> This only happens with new hosts. Once they are learned by the EX everything keeps on working. It's easy to reproduce by manually clearing the arp entries and starting over. (The same happens with IPv6 ND.)
> 
> So after days of tcpdumping and excluding possible causes we finally learned that it was caused by our input filters on the loopback interface. We disabled the firewall on lo0 and everything started working.
> 
> The way I understand it, firewall rules on lo0 should only be protecting the RE and not interfere with forwarded traffic. So I guess the RE is somehow involved in the ARP learning process.
> 
> I've been reading a lot of JunOS docs over the last couple of days, but I'm unable to figure out why this is happening. 
> 
> Does anybody recognize this behavior? Could someone enlighten me about why this is happening (and perhaps recommend a way to protect our RE without breaking ARP on our network)?
> 
> Any feedback would be much appreciated.
> 
> Regards,
> 
> --
> Dennis Krul
> Tilaa
> 
> e: dennis at tilaa.nl
> w: http://www.tilaa.nl
> 
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
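As an added illustration of Ralph's suggestion (not configuration from either poster), here is a lo0 filter that keeps the RE locked down but accepts the punted packets destined for directly attached hosts. All prefixes are constructed placeholders, and the filter's other RE terms (routing protocols, ICMP, NTP, and so on) are assumed to exist already.

```junos
policy-options {
    /* Constructed example prefixes: replace with your own vlan.X subnets */
    prefix-list connected-subnets { 192.0.2.0/24; 198.51.100.0/24; }
    /* The switch's own vlan.X and lo0 addresses (constructed) */
    prefix-list switch-own-addresses { 192.0.2.1/32; 198.51.100.1/32; 203.0.113.1/32; }
    prefix-list mgmt-hosts { 203.0.113.0/28; }
}
firewall {
    family inet {
        filter protect-re {
            /* RE management access, as in the original filter */
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list { mgmt-hosts; }
                    destination-prefix-list { switch-own-addresses; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* On the EX, a transit packet for a host with no ARP entry is
               punted to the RE and evaluated here; without this term the
               final discard drops it before resolution can start. The
               switch's own addresses are excluded so the RE stays protected. */
            term allow-punted-to-connected-hosts {
                from {
                    destination-prefix-list {
                        connected-subnets;
                        switch-own-addresses except;
                    }
                }
                then accept;
            }
            term default-discard {
                then {
                    count re-discards;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 { unit 0 { family inet { filter { input protect-re; } } } }
}
```

`show firewall filter protect-re` exposes the `re-discards` counter, which is a quick way to check whether punted packets are still being dropped after the change; the IPv6 ND case from the original post needs the same accept term in a `family inet6` filter on lo0.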


