[j-nsp] Helo Juniper, your docs need work..

Olivier Benghozi olivier.benghozi at wifirst.fr
Thu Feb 12 19:08:09 EST 2015 

By the way in current JunOS 12.3 it looks there's at least one fix; in:
http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/firewall-filter-ex-series-overview.html <http://www.juniper.net/documentation/en_US/junos12.3/topics/concept/firewall-filter-ex-series-overview.html>

they write that "You can apply port, VLAN, or router firewall filters to both IPv4 and IPv6 traffic on these switches:"
[...]
	• EX3300 switch
	• EX6200 switch
[...]


> Le 12 févr. 2015 à 22:55, Chris Morrow <morrowc at ops-netman.net> a écrit :
> 
> http://www.juniper.net/documentation/en_US/junos12.1/topics/concept/firewall-filter-ex-series-overview.html
> 
> read this:
> The maximum number of terms allowed per firewall filter for EX Series
> switches is:
> 
> 512 for EX2200 switches
> 1,436 for EX3300 switches
> 
> 
> Uhm.. 1436 looks like the number of TCAM entries, NOT the number of
> terms. great. thanks.
> 
> Also:
> "Note: On EX3300 switches, if you add and delete filters with a large
> number of terms (on the order of 1000 or more) in the same commit
> operation, not all the filters are installed. You must add filters in
> one commit operation, and delete filters in a separate commit operation."
> 
> Really?? it silently doesn't work?? what?? and this is probably not
> 'terms' but 'tcam entries' I bet, which the average user probably
> doesn't know either. Great.
> 
> This also is stellar:
> "You can apply port, VLAN, or router firewall filters to both IPv4 and
> IPv6 traffic on these switches:
> 
> EX2200 switch
> EX3200 switch
> EX4200 switch
> EX4500 switch
> EX8200 switch
> You can apply port, VLAN, or router firewall filters to only IPv4
> traffic on these switches:
> 
> EX3300 switch
> EX6200 switch"
> 
> Uhm, this is the year 2015, the device was built and designed in ~2013 ?
> and no ipv6 ? WHAT?
> 
> Also, in case that your firewall filter is over-spec and can't be
> committed to TCAM the user has zero idea of this... Then once you fix it
> (if you figured it out) you have to remove the filter from the interface
> THEN reapply it?
> 
> This is ... very, very poor. The docs need work, the operational model
> is broken ... Do you operate your own gear in actual networks and NOT
> see these as problems? Could you ask your IT folks about this sort of
> operational model and see how they react?
> 
> -chris

More information about the juniper-nsp mailing list