[j-nsp] ACX5048 - protect remote access (telnet, ssh, http, snmp)

Saku Ytti saku at ytti.fi
Sat Apr 2 05:04:35 EDT 2016


On 2 April 2016 at 11:41, Mark Tinka <mark.tinka at seacom.mu> wrote:

>> ACX does not support lo0 filter presently, which sucks. Good news is
>> that it's on the roadmap for sometime this year I believe. No clue why
>> they left it out in the first place...
>
> Well that sucks...

It does, and even when it does support it, the TCAM is very, very small
(based on QFX5k) and quite flat (no port/addr abstraction), so add a
port and you'll re-add all prefix-lists in TCAM. Having said that,
usually CSCO and other vendors in the same class of devices do not
support any configurable CoPP, so it's still usually better than
competitors. So in all likelihood you'll need to have different lo0
filters for 'low-scale' environments.

I've always wondered why this is a hard problem, especially in the low
end? Naively I'd think that you'd waste one revenue port from your ASIC
as host-bound facing and implement normal port ACLs there.


-- 
  ++ytti

