[j-nsp] fxp0.0 interface match in firewall filter doesn't work in JUNOS 12.3R5.7

Tore Anderson tore at fud.no
Mon Jan 20 20:35:48 EST 2014


This is a heads-up to anyone planning to upgrade to 12.3R5.7, especially
if you don't have easy access to the serial console, but only a firewall
term such as:

term allow-oob-management {
    from {
        interface fxp0.0;
    }
    then accept;
}

...in your lo0.0 input filter (which presumably then goes on to drop all
unmatched traffic): It simply doesn't work.

I've confirmed on both MX80 and MX240, several times. After a reboot,
the term just gets skipped, it seems. Deactivating the term, committing,
and then reactivating it fixes the problem but that might of course be
easier said than done if locked out of the box.

Terms doing source-address matches seem to work fine.

Tore
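
An added example, not part of the original post: a pre-upgrade audit that parses a firewall filter in Junos curly-brace syntax and lists the accept terms whose only match condition is an interface match, i.e. the kind of term the post reports being skipped. The sample filter is constructed; the filter name, the extra terms, the prefix and the function names are assumptions.

```python
import re

# Constructed sample lo0.0 input filter; every name except allow-oob-management is made up.
SAMPLE_FILTER = """
filter protect-re {
    term allow-oob-management {
        from { interface fxp0.0; }
        then accept;
    }
    term allow-noc {
        from { source-address { 192.0.2.0/24; } protocol tcp; }
        then accept;
    }
    term drop-rest { then discard; }
}
"""

def parse(tokens):
    """Turn a token list into nested (statement_words, children) tuples."""
    nodes, words = [], []
    while tokens:
        tok = tokens.pop(0)
        if tok == "}":
            break
        if tok in ("{", ";"):
            nodes.append((words, parse(tokens) if tok == "{" else []))
            words = []
        else:
            words.append(tok)
    return nodes

def interface_only_accept_terms(config_text):
    """Names of accept terms whose only match condition is 'interface'."""
    flagged = []

    def walk(nodes):
        for words, children in nodes:
            if len(words) == 2 and words[0] == "term":
                # First keyword of every statement inside the term's 'from' block.
                matches = {w[0] for ws, ch in children if ws == ["from"] for w, _ in ch if w}
                # Handles both 'then accept;' and 'then { ...; accept; }'.
                accepts = any(ws == ["then", "accept"] or
                              (ws == ["then"] and (["accept"], []) in ch)
                              for ws, ch in children)
                if accepts and matches == {"interface"}:
                    flagged.append(words[1])
            else:
                walk(children)

    walk(parse(re.findall(r"[{};]|[^\s{};]+", config_text)))
    return flagged
```

Any term it lists is a candidate for an additional source-address based management term before the upgrade.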

