[j-nsp] QFX5100 ACLs
Saku Ytti
saku at ytti.fi
Mon Dec 11 09:45:59 EST 2017
Someone pointed this to me -
https://kb.juniper.net/InfoCenter/index?page=content&id=KB24145
Not good.
On 4 December 2017 at 18:02, Brendan Mannella <bmannella at teraswitch.com> wrote:
> Hello,
>
> So I have been testing the QFX5100 product for use as a core L3 switch/router
> with BGP/OSPF. I have my standard RE filter blocking various things,
> including BGP from any unknown peer. I started to receive errors in my logs
> showing BGP packets getting through from hosts that weren't allowed. After
> digging around I found that Juniper apparently has a built-in ACL to allow
> BGP, which bypasses my ACLs, probably for VCF or something. Is there any
> way to disable this behavior, or does anyone have any other suggestions?
>
> root at XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>
> Filter name : dyn-bgp-pkts
> Filter enum : 47
> Filter location : IFP
> List of tcam entries : [(total entries: 2)
> Entry: 37
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 SRC Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> Entry: 38
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 DST Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> ]
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
++ytti
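The dump Brendan posted is the whole story: each dyn-bgp-pkts entry matches only IP protocol 6 (TCP), L4 port 0xB3 (179) as source or destination, and L3DestHostHit (the packet is addressed to the box itself), then ChangeCpuQ sends it to CPU queue 30 at a fixed priority. No source-address field appears anywhere in the match list, which is why peers not permitted by the RE filter still reach the BGP listener. The script below is an added example, not code from the thread or from Juniper, that parses that "show filter hw ... show_terms" output and flags every entry that traps to the CPU without matching on any address field, so the same check can be run against other dynamic filters on the box. The sample input is the dump from the post with the mail quoting stripped; the ADDRESS_FIELD_HINTS names are an assumption, since the dump shows no address field at all and its exact label in this output format is not known.

```python
import re
from dataclasses import dataclass, field

# Sample input: the dyn-bgp-pkts dump quoted in the thread, with the
# mail quoting ("> ") stripped. It is the output of
#   cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
SAMPLE_DUMP = """\
Filter name : dyn-bgp-pkts
Filter enum : 47
Filter location : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP 0x00000001fffffffffffffffc
PBMP xe
L4 SRC Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Implicit Counter
Entry: 38
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP 0x00000001fffffffffffffffc
PBMP xe
L4 DST Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Implicit Counter
]
"""

IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}

# Assumption: substrings that an address-matching field name would contain.
# The dump above has no such field, so these are guesses; the check only
# needs "is any address field present at all".
ADDRESS_FIELD_HINTS = ("SRC IP", "DST IP", "SIP", "DIP", "L3 SRC", "L3 DST")


@dataclass
class TcamEntry:
    entry_id: int
    priority: int = 0
    fields: dict = field(default_factory=dict)   # "L4 SRC Port" -> (value, mask)
    flags: list = field(default_factory=list)    # match lines with no value/mask pair
    actions: list = field(default_factory=list)


_VALUE_MASK = re.compile(r"^(.+?)\s+(0x[0-9a-fA-F]+)\s+mask\s+(0x[0-9a-fA-F]+)$")


def parse_filter_dump(text):
    """Parse one 'show filter hw ... show_terms' dump into TcamEntry objects."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "]":                       # end of the tcam entry list
            break
        m = re.match(r"^Entry:\s+(\d+)$", line)
        if m:
            cur = TcamEntry(int(m.group(1)))
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue                          # filter header lines before the first entry
        if line.startswith("- Entry Priority"):
            cur.priority = int(line.split()[-1], 16)
        elif line.startswith("- Matches"):
            section = "matches"
        elif line.startswith("- Actions"):
            section = "actions"
        elif line.startswith("- "):
            pass                              # "- Unit 0" and similar
        elif section == "matches":
            m = _VALUE_MASK.match(line)
            if m:
                cur.fields[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16))
            else:
                cur.flags.append(line)        # PBMP ..., L3DestHostHit 1 1
        elif section == "actions":
            cur.actions.append(line)
    return entries


def traps_to_cpu(entry):
    return any(a.startswith("ChangeCpuQ") for a in entry.actions)


def cpu_queue(entry):
    for a in entry.actions:
        m = re.match(r"CosQCpuNew cosq:\s+(\d+)", a)
        if m:
            return int(m.group(1))
    return None


def has_address_match(entry):
    return any(any(h in name.upper() for h in ADDRESS_FIELD_HINTS) for name in entry.fields)


def summarize(entries):
    """One row per entry: what it matches, where it sends the packet, and
    whether any address constraint is present."""
    rows = []
    for e in entries:
        proto = e.fields.get("IP Protocol", (None, None))[0]
        ports = {name: val for name, (val, mask) in e.fields.items()
                 if "Port" in name and mask == 0xFFFF}
        rows.append({
            "entry": e.entry_id,
            "priority": e.priority,
            "protocol": IP_PROTO_NAMES.get(proto, proto),
            "ports": ports,
            "to_host_only": any(f.startswith("L3DestHostHit") for f in e.flags),
            "cpu_queue": cpu_queue(e) if traps_to_cpu(e) else None,
            "unconstrained_source": traps_to_cpu(e) and not has_address_match(e),
        })
    return rows


def unconstrained_cpu_traps(text):
    """Entries that punt traffic to the CPU while matching no address field."""
    return [r for r in summarize(parse_filter_dump(text)) if r["unconstrained_source"]]


if __name__ == "__main__":
    for row in summarize(parse_filter_dump(SAMPLE_DUMP)):
        print(row)
```

Run it against the pasted dump and both entries come back as TCP/179 traps to CPU queue 30 with unconstrained_source set; the same parser can be pointed at the other dynamic filter enums on the FPC to see what else the box punts to the RE ahead of the configured loopback filter.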