[j-nsp] Multicast/Broadcast Packets going to EX CPU

Sebastian Wiesinger juniper-nsp at ml.karotte.org
Wed Mar 5 09:49:34 EST 2014


Hello,

I'm currently looking at an EX4500 setup that had a few problems
related to multicast/broadcast packets going to the CPU (and sometimes
preventing required packets like LACP reaching the CPU) of the switch.
I assume this was because the queue between PFE and CPU was full (is
there a way to check?).

I noticed that multicast and broadcast packets in all VLANs are sent
to the CPU. My question is why? IGMP snooping and VSTP are not enabled
on the switch and apart from that I don't see an apparent reason why
it should do this for tagged frames.

Examples of packets being sent to the CPU include VRRP packets from
attached routers (DMAC 01:00:5e:00:00:12) and BOOTP/DHCP (DMAC
ff:ff:ff:ff:ff:ff) packets.

Would an lo0 firewall filter help? Is this applied before or after the
packets are sent over the PFE-CPU link?

Perhaps you could share your ideas on how this could be prevented and
what you're doing to protect the CPU on these EX boxes.

Regards

Sebastian

-- 
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE SCYTHE.
            -- Terry Pratchett, The Fifth Elephant

