[j-nsp] punting base address packets to RE

Michael Hare michael.hare at wisc.edu
Mon Aug 24 14:38:46 EDT 2015


Hello-

Sorry if this is remedial, but are packets sent to the base address of a directly connected subnet always punted to RE and if so, why?  Historic compatibility?  I couldn't determine any bucket under the ddos-protection protocol statistics such traffic ends up in, either.  I haven't seen any negative side effects of this, only noticing this after I followed up on a high pps drop rate for one of our routing engines.  This seems to happen regardless of what I have 'targeted-broadcast' configured with [absent, forward-only].

For example, below I ran "telnet X.Y.0.0 16888" and "telnet X.Y.0.0 55555" from A.B.254.29, resulting in the following firewall logs.

Time of Log: 2015-08-24 12:53:38 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: A.B.254.29:34776, Destination address: X.Y.0.0:16888

Time of Log: 2015-08-24 12:57:17 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: A.B.254.29:31968, Destination address: X.Y.0.0:55555

I have a 'then log' at the bottom of my protect-re filter in lo0.0 family inet.

As you can see X.Y.0.0/21 is directly connected on the given chassis, but the local address is not the X.Y.0.0/32 address.

# run show route X.Y.0.0 table inet.0 

inet.0: 396 destinations, 417 routes (395 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

X.Y.0.0/21      *[Direct/0] 39w3d 18:24:03
                    > via irb.157

For what it's worth, the above is an MX104, but I also see this on other MX MPC hardware.

-Michael
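
An added example, not part of the original post: a Python script that parses firewall log entries in the two-line layout quoted above and flags packets whose destination is the base (network) address of a directly connected prefix. The prefix 10.20.0.0/21, the sample addresses and the function names are constructed for illustration; the optional port in the pattern is an assumption for protocols that log no port.

```python
import ipaddress
import re

# Constructed sample in the two-line layout of the log entries in the post;
# all addresses and times here are made up for the example.
SAMPLE_LOG = """\
Time of Log: 2015-01-01 10:00:00 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: 192.0.2.29:34776, Destination address: 10.20.0.0:16888

Time of Log: 2015-01-01 10:00:05 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: 192.0.2.29:31968, Destination address: 10.20.4.0:55555

Time of Log: 2015-01-01 10:00:09 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: 192.0.2.29:40000, Destination address: 10.20.0.1:22
"""

# One entry spans two lines; \s+ bridges the line break between them.
ENTRY_RE = re.compile(
    r"Time of Log: (?P<time>[^,]+), Filter: (?P<filter>[^,]+), "
    r"Filter action: (?P<action>[^,]+), Name of interface: (?P<ifname>\S+)\s+"
    r"Name of protocol: (?P<proto>[^,]+), Packet Length: (?P<length>\d+), "
    r"Source address: (?P<src>[\d.]+)(?::(?P<sport>\d+))?, "
    r"Destination address: (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

def classify(dst, networks):
    """Return (network, 'base'|'broadcast'|'host'), or None if dst is in no listed prefix."""
    addr = ipaddress.ip_address(dst)
    for net in networks:
        if addr not in net:
            continue
        if net.prefixlen >= 31:          # /31 and /32 have no base or broadcast address
            return net, "host"
        if addr == net.network_address:
            return net, "base"
        if addr == net.broadcast_address:
            return net, "broadcast"
        return net, "host"
    return None

def base_address_hits(log_text, connected):
    """List (time, interface, src, dst, dport) for entries aimed at a prefix's base address."""
    networks = [ipaddress.ip_network(n) for n in connected]
    hits = []
    for m in ENTRY_RE.finditer(log_text):
        result = classify(m["dst"], networks)
        if result and result[1] == "base":
            hits.append((m["time"], m["ifname"], m["src"], m["dst"], m["dport"]))
    return hits
```

Note that 10.20.4.0 is not flagged: it ends in .0 but is an ordinary host address inside the /21, so the check has to use the connected prefix length rather than the last octet.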

