[j-nsp] Same filter but different behavior on MX80 and EX4200

Jonathan Call lordsith49 at hotmail.com
Thu Aug 7 12:51:05 EDT 2014


Both an MX80 and an EX4200 have the following ntp related filtering in place on their loopback interface:
term ntp {
    from {
        protocol udp;
        source-port ntp;
        destination-port ntp;
    }
    then accept;
}
...
term deny-any {
    then discard;
}
It is not a great filter, but it does protect the RE against those seeking to abuse the monlist feature. On the MX80 the filter is doing exactly as expected because I cannot run 'show ntp status' or 'show ntp association'. On the EX4200 the filter does not appear to be working. Both commands work and I've verified that communication is occurring using monitor:

me at myex4200.onthe.net> ...face lo0.0 no-resolve
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on lo0.0, capture size 96 bytes

10:39:52.535884  In IP 127.0.0.1.57541 > 127.0.0.1.123: NTPv2, Reserved, length 12
10:39:52.536275  In IP 127.0.0.1.123 > 127.0.0.1.57541: NTPv2, Reserved, length 352
Is there a behavior difference between the two routing engines that I'm not catching?
Jonathan
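Added example, not part of the original post or any reply: the two terms quoted above restated with a counter on each term and logging on the discard term, so that `show firewall filter protect-re` and `show firewall log` show on each platform which term, if any, the loopback NTP packets are hitting. The filter name protect-re and the counter names are assumptions; the terms the post elides between ntp and deny-any are omitted here.

```junos
/* Added example: the post's two terms with per-term counters; names are assumptions */
firewall {
    family inet {
        filter protect-re {
            term ntp {
                from {
                    protocol udp;
                    source-port ntp;
                    destination-port ntp;
                }
                then {
                    count ntp-accepted;   /* increments for every packet this term accepts */
                    accept;
                }
            }
            term deny-any {
                then {
                    count deny-any;       /* increments for every packet reaching the last term */
                    log;                  /* sampled into "show firewall log" for inspection */
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;     /* same placement as in the post: lo0 input */
                }
            }
        }
    }
}
```

After committing, run 'show ntp status' on each box and compare `show firewall filter protect-re`: if neither counter moves on the EX4200 while the exchange is still visible in monitor traffic, the packets are not being evaluated by the lo0 filter at all, which is a different problem from the ntp term matching and accepting them.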