[j-nsp] QFX5100 ACLs

Brendan Mannella bmannella at teraswitch.com
Mon Dec 4 15:51:22 EST 2017


+ Programmed: YES
  + Total TCAM entries available: 1788
  + Total TCAM entries installed  : 516

Brendan Mannella

TeraSwitch Inc.
Main - 1.412.945.7045
Direct - 1.412.945.7049
eFax - 1.412.945.7049
Colocation . Cloud . Connectivity


On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <saku at ytti.fi> wrote:

> Hey Brendan,
>
> This is news to me, but plausible. Can you do this for me:
>
> start shell pfe network fpc0
> show filter
> <pick your lo0 filter from above>
> show filter hw <from above> show_term_info
>
> Compare how many TCAM entries are needed, and how many are available.
>
> Also if you can take a risk of reloading the FPC run:
> show filter hw <from above> show_terms_brcm
>
> This may crash your PFE, if you actually did not have all of the
> entries programmed in HW.
>
>
> Commit will succeed if you build a filter which will not fit in HW;
> there should be a syslog entry, but no complaint during commit. You will
> end up having no filter or some mangled version of it. So it's just an
> alternative theory on why you may be accepting something you thought
> you weren't.
>
>
> On 4 December 2017 at 18:02, Brendan Mannella <bmannella at teraswitch.com>
> wrote:
> > Hello,
> >
> > So I have been testing the QFX5100 product for use as a core L3 switch/router
> > with BGP/OSPF. I have my standard RE filter blocking various things,
> > including BGP from any unknown peer. I started to receive errors in my logs
> > showing BGP packets getting through from hosts that weren't allowed. After
> > digging around I found that Juniper apparently has a built-in ACL to allow
> > BGP, which bypasses my ACLs, probably for VCF or something. Is there any
> > way to disable this behavior, or does anyone have any other suggestions?
> >
> > root at XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
> >
> > Filter name          : dyn-bgp-pkts
> > Filter enum          : 47
> > Filter location      : IFP
> > List of tcam entries : [(total entries: 2)
> > Entry: 37
> >     - Unit 0
> >     - Entry Priority 0x7FFFFFFC
> >     - Matches:
> >         PBMP 0x00000001fffffffffffffffc
> >         PBMP xe
> >         L4 SRC Port 0x000000B3 mask 0x0000FFFF
> >         IP Protocol 0x00000006 mask 0x000000FF
> >         L3DestHostHit 1 1
> >     - Actions:
> >         ChangeCpuQ
> >             ColorIndependent param1: 1, param2: 0
> >             CosQCpuNew cosq: 30
> >         Implicit Counter
> > Entry: 38
> >     - Unit 0
> >     - Entry Priority 0x7FFFFFFC
> >     - Matches:
> >         PBMP 0x00000001fffffffffffffffc
> >         PBMP xe
> >         L4 DST Port 0x000000B3 mask 0x0000FFFF
> >         IP Protocol 0x00000006 mask 0x000000FF
> >         L3DestHostHit 1 1
> >     - Actions:
> >         ChangeCpuQ
> >             ColorIndependent param1: 1, param2: 0
> >             CosQCpuNew cosq: 30
> >         Implicit Counter
> >                        ]
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
> --
>   ++ytti
>
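The two PFE outputs exchanged in this thread are easy to misread by eye: the show_term_info summary decides whether the lo0 filter actually made it into TCAM, and the show_terms dump is where the built-in dyn-bgp-pkts terms (TCP port 0xB3 = 179, punted to the CPU) show up. The script below is an added example, not code from the thread or from Juniper: it parses both formats as quoted above, reports whether the filter is fully programmed, and lists the entries that re-queue BGP to the CPU. The sample inputs are constructed from the quoted output (abridged), the field labels are assumed to be stable across the outputs, and the comparison of "installed" against "available" is my reading of Saku's suggestion, not a documented semantics of those counters.

```python
import re

# Constructed sample: the show_term_info summary quoted in Brendan's reply.
TERM_INFO_SAMPLE = """\
+ Programmed: YES
  + Total TCAM entries available: 1788
  + Total TCAM entries installed  : 516
"""

# Constructed sample: an abridged copy of the dyn-bgp-pkts show_terms output
# from the original post (entries 37 and 38, same field labels).
SHOW_TERMS_SAMPLE = """\
Filter name          : dyn-bgp-pkts
Filter enum          : 47
Filter location      : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
    - Matches:
        L4 SRC Port 0x000000B3 mask 0x0000FFFF
        IP Protocol 0x00000006 mask 0x000000FF
    - Actions:
        ChangeCpuQ
            CosQCpuNew cosq: 30
Entry: 38
    - Matches:
        L4 DST Port 0x000000B3 mask 0x0000FFFF
        IP Protocol 0x00000006 mask 0x000000FF
    - Actions:
        ChangeCpuQ
            CosQCpuNew cosq: 30
                       ]
"""

BGP_PORT = 179  # 0xB3 in the PFE output
TCP = 6


def parse_term_info(text):
    """show_term_info summary -> {programmed: bool, available: int, installed: int}."""
    prog = re.search(r"Programmed:\s*(\w+)", text)
    avail = re.search(r"entries available\s*:\s*(\d+)", text)
    inst = re.search(r"entries installed\s*:\s*(\d+)", text)
    if not (prog and avail and inst):
        raise ValueError("unrecognised show_term_info output")
    return {"programmed": prog.group(1).upper() == "YES",
            "available": int(avail.group(1)),
            "installed": int(inst.group(1))}


def filter_fits(info):
    """True only if the PFE says the filter is programmed and the installed
    count does not exceed the reported available count (assumption: that
    is the right pair of numbers to compare, per the thread's advice)."""
    return info["programmed"] and info["installed"] <= info["available"]


def parse_show_terms(text):
    """show_terms output -> (filter_name, [entry dicts]).
    Each entry keeps its id, L4 port / IP protocol matches, action names
    and the CPU queue it is re-queued to, when present."""
    name = re.search(r"Filter name\s*:\s*(\S+)", text)
    entries, cur = [], None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"Entry:\s*(\d+)$", s)
        if m:
            cur = {"id": int(m.group(1)), "matches": {}, "actions": []}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = re.match(r"L4 (SRC|DST) Port 0x([0-9A-Fa-f]+)", s)
        if m:
            cur["matches"]["l4_%s_port" % m.group(1).lower()] = int(m.group(2), 16)
        elif (m := re.match(r"IP Protocol 0x([0-9A-Fa-f]+)", s)):
            cur["matches"]["ip_proto"] = int(m.group(1), 16)
        elif (m := re.match(r"CosQCpuNew cosq:\s*(\d+)$", s)):
            cur["cpu_queue"] = int(m.group(1))
        elif s in ("ChangeCpuQ", "Implicit Counter"):
            cur["actions"].append(s)
    return (name.group(1) if name else None), entries


def cpu_bound_bgp_entries(entries):
    """Ids of entries matching TCP with source or destination port 179 that
    re-queue the packet to the CPU: the built-in BGP terms the thread is about."""
    hits = []
    for e in entries:
        m = e["matches"]
        if (m.get("ip_proto") == TCP
                and BGP_PORT in (m.get("l4_src_port"), m.get("l4_dst_port"))
                and "ChangeCpuQ" in e["actions"]):
            hits.append(e["id"])
    return hits
```

Feed it the real output captured with cprod and a `Programmed: NO` result, or an installed count above the available count, is the signal that the commit accepted a filter the hardware never fully took; the port-179 entries listed by cpu_bound_bgp_entries are the ones to account for when checking what still reaches the RE regardless of the lo0 filter.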

