[j-nsp] punting base address packets to RE
Michael Hare
michael.hare at wisc.edu
Mon Aug 24 14:38:46 EDT 2015
Hello-
Sorry if this is remedial, but are packets sent to the base address of a directly connected subnet always punted to RE and if so, why? Historic compatibility? I couldn't determine any bucket under the ddos-protection protocol statistics such traffic ends up in, either. I haven't seen any negative side effects of this, only noticing this after I followed up on a high pps drop rate for one of our routing engines. This seems to happen regardless of what I have 'targeted-broadcast' configured with [absent, forward-only].
For example, in below I ran "telnet X.Y.0.0 16888" and "telnet X.Y.0.0 55555" from A.B.254.29, resulting in the firewall logs as follows.
Time of Log: 2015-08-24 12:53:38 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: A.B.254.29:34776, Destination address: X.Y.0.0:16888
Time of Log: 2015-08-24 12:57:17 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: A.B.254.29:31968, Destination address: X.Y.0.0:55555
I have a 'then log' at the bottom of my protect-re filter in lo0.0 family inet.
As you can see X.Y.0.0/21 is directly connected on the given chassis, but the local address is not the X.Y.0.0/32 address.
# run show route X.Y.0.0 table inet.0
inet.0: 396 destinations, 417 routes (395 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both
X.Y.0.0/21 *[Direct/0] 39w3d 18:24:03
> via irb.157
For what it's worth, the above is an MX104, but I also see this on other MX MPC hardware.
-Michael
More information about the juniper-nsp
mailing list