[j-nsp] Input firewall on lo0 of EX --> ARP issue
Dennis Krul | Tilaa
dennis at tilaa.nl
Thu Jun 14 06:27:53 EDT 2012
On 14 jun. 2012, at 12:11, Georgios Vlachos wrote:
> Hello Dennis,
>
> Could you post the FF on lo0 for us?
>
> Thanks,
> George
Hello George,
As Ralph said, it's a known issue on EX switches. Oh, and we just found PR486443, which confirms it:
EX is not generating local ARPs for transit traffic when loopback firewall filters are used
On EX switches, when a firewall filter is applied on the loopback (lo0) interface, the switch stops generating local ARP requests for transit traffic. As a workaround, do the following:
- Create firewall filters to block known unwanted traffic to the Routing Engine, and then accept all other traffic.
- Create firewall filters for specific hosts and all local subnets, and then discard all other traffic.
Severity Major
Status Closed
Last Modified 2012-02-15 22:33:31 PST
So yeah, I guess we'll have to implement that workaround. It's not pretty, but unfortunately there doesn't seem to be another way.
Regards,
--
Dennis Krul
Tilaa
e: dennis at tilaa.nl
w: http://www.tilaa.nl
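
The first workaround option in the PR text quoted above (block known unwanted traffic to the Routing Engine, then accept everything else), sketched as a Junos configuration. This is an added example, not part of the original message or of the PR; the filter name, the term names, the choice of SSH and telnet as the "known unwanted" traffic, and the 192.0.2.0/24 management prefix are all assumptions.

```junos
/* Added example: filter/term names and 192.0.2.0/24 are assumptions. */
firewall {
    family inet {
        filter PROTECT-RE {
            /* Allow SSH to the Routing Engine from the management prefix. */
            term ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Known unwanted: SSH from any other source. */
            term ssh-other {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then discard;
            }
            /* Known unwanted: telnet from any source. */
            term telnet-any {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then discard;
            }
            /* Final term required by the workaround: accept all other
               traffic instead of ending on an explicit or implicit discard. */
            term accept-rest {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

Term order matters: the discard terms must sit above `accept-rest`, and anything not explicitly listed reaches the Routing Engine.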