[j-nsp] Helo Juniper, your docs need work..
Chris Morrow
morrowc at ops-netman.net
Thu Feb 12 16:55:08 EST 2015
http://www.juniper.net/documentation/en_US/junos12.1/topics/concept/firewall-filter-ex-series-overview.html
read this:
The maximum number of terms allowed per firewall filter for EX Series
switches is:
512 for EX2200 switches
1,436 for EX3300 switches
Uhm.. 1436 looks like the number of TCAM entries, NOT the number of
terms. great. thanks.
Also:
"Note: On EX3300 switches, if you add and delete filters with a large
number of terms (on the order of 1000 or more) in the same commit
operation, not all the filters are installed. You must add filters in
one commit operation, and delete filters in a separate commit operation."
Really?? it silently doesn't work?? what?? and this is probably not
'terms' but 'tcam entries' I bet, which the average user probably
doesn't know either. Great.
This also is stellar:
"You can apply port, VLAN, or router firewall filters to both IPv4 and
IPv6 traffic on these switches:
EX2200 switch
EX3200 switch
EX4200 switch
EX4500 switch
EX8200 switch
You can apply port, VLAN, or router firewall filters to only IPv4
traffic on these switches:
EX3300 switch
EX6200 switch"
Uhm, this is the year 2015, the device was built and designed in ~2013 ?
and no ipv6 ? WHAT?
Also, in case that your firewall filter is over-spec and can't be
committed to TCAM the user has zero idea of this... Then once you fix it
(if you figured it out) you have to remove the filter from the interface
THEN reapply it?
This is ... very, very poor. The docs need work, the operational model
is broken ... Do you operate your own gear in actual networks and NOT
see these as problems? Could you ask your IT folks about this sort of
operational model and see how they react?
-chris
More information about the juniper-nsp
mailing list