[j-nsp] QFX5100 ACLs
Alain Hebert
ahebert at pubnix.net
Mon Dec 11 08:23:52 EST 2017
Hi,
Odd.
Model: qfx5100-48s-6q
Junos: 17.2R1.13
I've verified with both the "pfe shell" and a Nessus scan
TCP+UDP+Ports 1 thru 65535 and this input-list
[ ICMP-FI OSPF-PEERS-FI LDP-PEERS-FI BGP-PEERS-FI BFD-PEERS-FI
VRRP-FI DHCP-FI <snip>-MGMT-FI DROP-FI ]
Worked as advertised (for once).
-----
Alain Hebert ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 12/10/17 12:39, Andrey Kostin wrote:
> Hi Brendan,
>
> If you use filter-list on Lo0 interface as per "securing RE guide"
> then it's not supported. Only first filter in list is programmed and
> everything else is ignored. We ran into the same issue and had to pull
> it out from JTAC to confirm.
>
> Brendan Mannella wrote on 04.12.2017 15:51:
>> + Programmed: YES
>> + Total TCAM entries available: 1788
>> + Total TCAM entries installed : 516
>>
>> Brendan Mannella
>>
>> TeraSwitch Inc.
>> Main - 1.412.945.7045
>> Direct - 1.412.945.7049
>> eFax - 1.412.945.7049
>> Colocation . Cloud . Connectivity
>>
>> On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <saku at ytti.fi> wrote:
>>
>>> Hey Brendan,
>>>
>>> This is news to me, but plausible. Can you do this for me
>>>
>>> start shell pfe network fpc0
>>> show filter
>>> <pick your lo0 filter from above>
>>> show filter hw <from above> show_term_info
>>>
>>> Compare how many TCAM entries are needed, and how many are available.
>>>
>>> Also if you can take a risk of reloading the FPC run:
>>> show filter hw <from above> show_terms_brcm
>>>
>>> This may crash your PFE, if you actually did not have all of the
>>> entries programmed in HW.
>>>
>>>
>>> Commit will succeed if you build a filter which will not fit in HW;
>>> there should be a syslog entry, but no complaint during commit. You will
>>> end up having no filter or some mangled version of it. So it's just an
>>> alternative theory on why you may be accepting something you thought
>>> you aren't.
>>>
>>>
>>> On 4 December 2017 at 18:02, Brendan Mannella <bmannella at teraswitch.com> wrote:
>>> > Hello,
>>> >
>>> > So I have been testing the QFX5100 product for use as a core L3
>>> > switch/router with BGP/OSPF. I have my standard RE filter blocking
>>> > various things including BGP from any unknown peer. I started to
>>> > receive errors in my logs showing BGP packets getting through from
>>> > hosts that weren't allowed. After digging around I found that Juniper
>>> > apparently has a built-in ACL to allow BGP, which bypasses my ACLs,
>>> > probably for VCF or something. Is there any way to disable this
>>> > behavior or does anyone have any other suggestions?
>>> > root at XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>>> >
>>> > Filter name : dyn-bgp-pkts
>>> > Filter enum : 47
>>> > Filter location : IFP
>>> > List of tcam entries : [(total entries: 2)
>>> > Entry: 37
>>> > - Unit 0
>>> > - Entry Priority 0x7FFFFFFC
>>> > - Matches:
>>> > PBMP 0x00000001fffffffffffffffc
>>> > PBMP xe
>>> > L4 SRC Port 0x000000B3 mask 0x0000FFFF
>>> > IP Protocol 0x00000006 mask 0x000000FF
>>> > L3DestHostHit 1 1
>>> > - Actions:
>>> > ChangeCpuQ
>>> > ColorIndependent param1: 1, param2: 0
>>> > CosQCpuNew cosq: 30
>>> > Implicit Counter
>>> > Entry: 38
>>> > - Unit 0
>>> > - Entry Priority 0x7FFFFFFC
>>> > - Matches:
>>> > PBMP 0x00000001fffffffffffffffc
>>> > PBMP xe
>>> > L4 DST Port 0x000000B3 mask 0x0000FFFF
>>> > IP Protocol 0x00000006 mask 0x000000FF
>>> > L3DestHostHit 1 1
>>> > - Actions:
>>> > ChangeCpuQ
>>> > ColorIndependent param1: 1, param2: 0
>>> > CosQCpuNew cosq: 30
>>> > Implicit Counter
>>> > ]
>>> > _______________________________________________
>>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>>
>>>
>>> --
>>> ++ytti
>
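As an added example, not part of this thread or of any Juniper tool: a small Python parser for the `show filter hw ... show_terms` dump and the show_term_info TCAM summary lines quoted above. It decodes each TCAM entry (port 0xB3 is 179, IP protocol 6 is TCP) and lists the entries whose action queues packets to the CPU, which is what lets a built-in dynamic filter such as dyn-bgp-pkts be compared against the configured lo0 filter, and it also reports installed versus available TCAM entries. The sample input is constructed from the dump in the thread, trimmed to the lines the parser reads.

```python
import re

# Sample input constructed from the PFE output quoted in this thread: the two TCAM
# summary lines and the dyn-bgp-pkts dump, trimmed to the lines this parser reads.
PFE_OUTPUT = """\
+ Total TCAM entries available: 1788
+ Total TCAM entries installed : 516
Filter name : dyn-bgp-pkts
Entry: 37
- Matches:
L4 SRC Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
- Actions:
ChangeCpuQ
Entry: 38
- Matches:
L4 DST Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
- Actions:
ChangeCpuQ
]
"""

def parse_pfe(text):
    """Return (filter name, {'available': n, 'installed': n}, decoded TCAM entries)."""
    name, cur, sect, entries, tcam = None, None, None, [], {}
    for raw in text.splitlines():
        line = raw.strip().lstrip("+").strip()
        if m := re.match(r"Filter name\s*:\s*(\S+)", line):
            name = m.group(1)
        elif m := re.match(r"Total TCAM entries (available|installed)\s*:\s*(\d+)", line):
            tcam[m.group(1)] = int(m.group(2))
        elif m := re.match(r"Entry:\s*(\d+)", line):
            cur = {"entry": int(m.group(1)), "port": None, "proto": None, "actions": []}
            entries.append(cur)
        elif line.startswith("- "):           # "- Matches:", "- Actions:", "- Unit 0", ...
            sect = line[2:].rstrip(":")
        elif cur and sect == "Matches":
            if m := re.match(r"L4 (SRC|DST) Port 0x([0-9A-F]+)", line, re.I):
                cur["port"] = (m.group(1).lower(), int(m.group(2), 16))   # 0xB3 -> 179
            elif m := re.match(r"IP Protocol 0x([0-9A-F]+)", line, re.I):
                cur["proto"] = int(m.group(1), 16)                        # 6 -> TCP
        elif cur and sect == "Actions" and line and line != "]":
            cur["actions"].append(line.split()[0])
    return name, tcam, entries

def cpu_punts(entries):
    """Entries that queue matching packets to the CPU, i.e. traffic that reaches the RE regardless of the lo0 filter."""
    return [(e["proto"], e["port"]) for e in entries if "ChangeCpuQ" in e["actions"]]
```

Run it over the full dump rather than the trimmed sample; the extra PBMP, priority and counter lines are ignored, and a filter whose installed count approaches the available count is the case Saku's reply warns about.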