[j-nsp] QFX5100 ACLs
Saku Ytti
saku at ytti.fi
Mon Dec 4 16:49:53 EST 2017
My version is worded a bit differently:
+ Total TCAM entries available: 566
+ Total TCAM entries needed : 424
Even when it is not programmed, it does say 'Programmed: YES', at
least for me. But for me, if needed > available, it has been accurate
in predicting whether or not it's been correctly programmed. So it indeed
does not seem to be a TCAM exhaustion issue in your case.
On 4 December 2017 at 22:51, Brendan Mannella <bmannella at teraswitch.com> wrote:
> + Programmed: YES
> + Total TCAM entries available: 1788
> + Total TCAM entries installed : 516
>
> Brendan Mannella
>
> TeraSwitch Inc.
> Main - 1.412.945.7045
> Direct - 1.412.945.7049
> eFax - 1.412.945.7049
> Colocation . Cloud . Connectivity
>
>
> On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <saku at ytti.fi> wrote:
>>
>> Hey Brendan,
>>
>> This is news to me, but plausible. Can you do this for me
>>
>> start shell pfe network fpc0
>> show filter
>> <pick your lo0 filter from above>
>> show filter hw <from above> show_term_info
>>
>> Compare how many TCAM entries are needed, and how many are available.
>>
>> Also if you can take a risk of reloading the FPC run:
>> show filter hw <from above> show_terms_brcm
>>
>> This may crash your PFE, if you actually did not have all of the
>> entries programmed in HW.
>>
>>
>> Commit will succeed if you build a filter which will not fit in HW;
>> there should be a syslog entry, but no complaint during commit. You will
>> end up having no filter or some mangled version of it. So it's just an
>> alternative theory on why you may be accepting something you thought
>> you weren't.
>>
>>
>> On 4 December 2017 at 18:02, Brendan Mannella <bmannella at teraswitch.com>
>> wrote:
>> > Hello,
>> >
>> > So I have been testing the QFX5100 product for use as a core L3 switch/router
>> > with BGP/OSPF. I have my standard RE filter blocking various things,
>> > including BGP from any unknown peer. I started to receive errors in my logs
>> > showing BGP packets getting through from hosts that weren't allowed. After
>> > digging around I found that Juniper apparently has a built-in ACL to allow
>> > BGP, which bypasses my ACLs, probably for VCF or something. Is there any
>> > way to disable this behavior or does anyone have any other suggestions?
>> >
>> > root at XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>> >
>> > Filter name : dyn-bgp-pkts
>> > Filter enum : 47
>> > Filter location : IFP
>> > List of tcam entries : [(total entries: 2)
>> > Entry: 37
>> > - Unit 0
>> > - Entry Priority 0x7FFFFFFC
>> > - Matches:
>> > PBMP 0x00000001fffffffffffffffc
>> > PBMP xe
>> > L4 SRC Port 0x000000B3 mask 0x0000FFFF
>> > IP Protocol 0x00000006 mask 0x000000FF
>> > L3DestHostHit 1 1
>> > - Actions:
>> > ChangeCpuQ
>> > ColorIndependent param1: 1, param2: 0
>> > CosQCpuNew cosq: 30
>> > Implicit Counter
>> > Entry: 38
>> > - Unit 0
>> > - Entry Priority 0x7FFFFFFC
>> > - Matches:
>> > PBMP 0x00000001fffffffffffffffc
>> > PBMP xe
>> > L4 DST Port 0x000000B3 mask 0x0000FFFF
>> > IP Protocol 0x00000006 mask 0x000000FF
>> > L3DestHostHit 1 1
>> > - Actions:
>> > ChangeCpuQ
>> > ColorIndependent param1: 1, param2: 0
>> > CosQCpuNew cosq: 30
>> > Implicit Counter
>> > ]
>> > _______________________________________________
>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
>>
>> --
>> ++ytti
>
>
--
++ytti
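Added example, not part of the thread and not Juniper tooling: a small Python parser for the two PFE-shell outputs the thread relies on. It applies Saku's rule of comparing "needed" (or "installed", the same field on Brendan's release) against "available" instead of trusting 'Programmed: YES', and summarises which entries of dyn-bgp-pkts punt to the CPU and what they key on. The sample inputs are the outputs pasted above with quote prefixes stripped and a few repeated lines abridged; the parsing rules are inferred from those two samples only, and reading L3DestHostHit as "destination address hit the L3 host table, i.e. the box itself" is my interpretation, not something the thread states.

```python
"""Added example, not Juniper tooling: parse the two QFX5100 PFE-shell outputs
quoted in the thread (prefixes stripped, a few lines abridged) and apply its checks."""
import re

SAMPLE_TERM_INFO = """\
Programmed: YES
Total TCAM entries available: 566
Total TCAM entries needed : 424
"""

SAMPLE_SHOW_TERMS = """\
Filter name : dyn-bgp-pkts
Filter enum : 47
Filter location : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP xe
L4 SRC Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
Entry: 38
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP xe
L4 DST Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
]
"""

COUNT_RE = re.compile(r"Total TCAM entries (available|needed|installed)\s*:\s*(\d+)")
L4_RE = re.compile(r"L4 (SRC|DST) Port (0x[0-9A-Fa-f]+) mask (0x[0-9A-Fa-f]+)")
PROTO_RE = re.compile(r"IP Protocol (0x[0-9A-Fa-f]+) mask (0x[0-9A-Fa-f]+)")

def parse_term_info(text):
    """{'programmed': bool, 'available': int, 'needed' (or 'installed' on other releases): int}"""
    info = {"programmed": "Programmed: YES" in text}
    for key, val in COUNT_RE.findall(text):
        info[key] = int(val)
    return info

def tcam_fits(info):
    """The thread's rule: trust the counts, not 'Programmed: YES'. None if a count is missing."""
    needed = info.get("needed", info.get("installed"))
    if needed is None or "available" not in info:
        return None
    return needed <= info["available"]

def parse_show_terms(text):
    """Filter header plus, per entry, its priority and raw match/action lines."""
    filt = {"name": None, "enum": None, "location": None, "entries": []}
    entry = section = None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := re.match(r"Filter (name|enum|location)\s*:\s*(.+)", line):
            filt[m[1]] = int(m[2]) if m[1] == "enum" else m[2].strip()
        elif m := re.match(r"Entry:\s*(\d+)", line):
            entry = {"number": int(m[1]), "priority": 0, "matches": [], "actions": []}
            filt["entries"].append(entry)
            section = None
        elif m := re.match(r"-\s*Entry Priority\s+(0x[0-9A-Fa-f]+)", line):
            entry["priority"] = int(m[1], 16)
        elif line.startswith("- Matches"):
            section = "matches"
        elif line.startswith("- Actions"):
            section = "actions"
        elif line.startswith(("-", "]")):  # '- Unit N' or the closing bracket
            section = None
        elif section and entry is not None:
            entry[section].append(line)
    return filt

def cpu_punts(filt):
    """Entries whose action is ChangeCpuQ: IP protocol and L4 port keyed on (value & mask),
    and whether they fire only for packets addressed to the box (L3DestHostHit 1 1, my reading)."""
    out = []
    for e in filt["entries"]:
        if not any(a.startswith("ChangeCpuQ") for a in e["actions"]):
            continue
        s = {"entry": e["number"], "proto": None, "ports": [], "local_dest": False}
        for m in e["matches"]:
            if pm := PROTO_RE.match(m):
                s["proto"] = int(pm[1], 16) & int(pm[2], 16)
            if lm := L4_RE.match(m):
                s["ports"].append((lm[1], int(lm[2], 16) & int(lm[3], 16)))
            if m.split()[:3] == ["L3DestHostHit", "1", "1"]:
                s["local_dest"] = True
        out.append(s)
    return out

if __name__ == "__main__":
    print("TCAM fits:", tcam_fits(parse_term_info(SAMPLE_TERM_INFO)))
    print(cpu_punts(parse_show_terms(SAMPLE_SHOW_TERMS)))
```

Run against the thread's output it reports that both entries key on TCP (protocol 6) with source or destination port 179 and a host-table hit, with no source-address qualifier among the matches, which is the behaviour Brendan observed: any peer reaching a local address on TCP/179 is queued to the CPU by this filter. Feed the same parser the output of `show filter hw <id> show_term_info` for your own lo0 filter and treat a False from `tcam_fits` as a filter that did not make it into hardware, regardless of what 'Programmed' says.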