[j-nsp] QFX5100 ACLs

Saku Ytti saku at ytti.fi
Mon Dec 11 09:45:59 EST 2017


Someone pointed this to me -
https://kb.juniper.net/InfoCenter/index?page=content&id=KB24145

Not good.

On 4 December 2017 at 18:02, Brendan Mannella <bmannella at teraswitch.com> wrote:
> Hello,
>
> So I have been testing QFX5100 product for use as a core L3 switch/router
> with BGP/OSPF. I have my standard RE filter blocking various things
> including BGP from any unknown peer. I started to receive errors in my logs
> showing BGP packets getting through from hosts that weren't allowed. After
> digging around I found that Juniper apparently has built in ACL to allow
> BGP, which bypasses my ACLs, probably for VCF or something. Is there any
> way to disable this behavior or does anyone have any other suggestions?
>
> root at XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>
> Filter name          : dyn-bgp-pkts
> Filter enum          : 47
> Filter location      : IFP
> List of tcam entries : [(total entries: 2)
> Entry: 37
>     - Unit 0
>     - Entry Priority 0x7FFFFFFC
>     - Matches:
>         PBMP 0x00000001fffffffffffffffc
>         PBMP xe
>         L4 SRC Port 0x000000B3 mask 0x0000FFFF
>         IP Protocol 0x00000006 mask 0x000000FF
>         L3DestHostHit 1 1
>     - Actions:
>         ChangeCpuQ
>             ColorIndependent param1: 1, param2: 0
>             CosQCpuNew cosq: 30
>         Implicit Counter
> Entry: 38
>     - Unit 0
>     - Entry Priority 0x7FFFFFFC
>     - Matches:
>         PBMP 0x00000001fffffffffffffffc
>         PBMP xe
>         L4 DST Port 0x000000B3 mask 0x0000FFFF
>         IP Protocol 0x00000006 mask 0x000000FF
>         L3DestHostHit 1 1
>     - Actions:
>         ChangeCpuQ
>             ColorIndependent param1: 1, param2: 0
>             CosQCpuNew cosq: 30
>         Implicit Counter
>                        ]
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti
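The dump in the quoted post shows why the RE filter never sees these packets: both TCAM entries of the dynamic filter `dyn-bgp-pkts` match only on IP protocol 6 and L4 port 0xB3 (179, BGP) with `L3DestHostHit`, and their action is `ChangeCpuQ`, so any TCP/179 packet addressed to a local host route is punted to the CPU before the configured loopback filter is consulted. The following is an added audit helper, not code from the post or from Juniper: it parses a `cprod ... "show filter hw dynamic <n> show_terms"` dump and flags entries that punt BGP to the CPU without any source- or destination-address qualifier, so an operator can check a box for this behaviour from the output alone. The parsing rules and the `has_address_qualifier` heuristic are assumptions derived from this single sample and may need adjusting for other PFE releases.

```python
"""Audit helper (added example): flag hardware filter entries that punt TCP/179
to the CPU with no L3 address restriction. Parsing rules are assumptions based
on the one QFX5100 dump quoted in the thread."""
import re

BGP_PORT = 179  # shown as 0x000000B3 in the dump

# Sample input copied from the mailing-list post (entry 38 abbreviated to the
# lines the parser needs; the real dump repeats Unit/Priority/PBMP lines).
SAMPLE_DUMP = """\
Filter name          : dyn-bgp-pkts
Filter enum          : 47
Filter location      : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
    - Unit 0
    - Entry Priority 0x7FFFFFFC
    - Matches:
        PBMP 0x00000001fffffffffffffffc
        PBMP xe
        L4 SRC Port 0x000000B3 mask 0x0000FFFF
        IP Protocol 0x00000006 mask 0x000000FF
        L3DestHostHit 1 1
    - Actions:
        ChangeCpuQ
            ColorIndependent param1: 1, param2: 0
            CosQCpuNew cosq: 30
        Implicit Counter
Entry: 38
    - Matches:
        L4 DST Port 0x000000B3 mask 0x0000FFFF
        IP Protocol 0x00000006 mask 0x000000FF
        L3DestHostHit 1 1
    - Actions:
        ChangeCpuQ
        Implicit Counter
                       ]
"""


def parse_filter_dump(text):
    """Return (filter_name, entries); each entry has 'id', 'matches', 'actions'."""
    name, entries, current, section = None, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"Filter name\s*:\s*(\S+)", line)
        if m:
            name = m.group(1)
            continue
        m = re.match(r"Entry:\s*(\d+)", line)
        if m:
            current = {"id": int(m.group(1)), "matches": [], "actions": []}
            entries.append(current)
            section = None
            continue
        if current is None:
            continue
        if line.startswith("- Matches:"):
            section = "matches"
        elif line.startswith("- Actions:"):
            section = "actions"
        elif line.startswith("-") or line.startswith("]"):
            section = None  # Unit / Priority lines or the closing bracket
        elif section:
            current[section].append(line)
    return name, entries


def _hex_field(matches, label):
    """Value of an exact-match field such as 'L4 SRC Port 0x.. mask 0x..', or None."""
    for m in matches:
        mm = re.match(rf"{label} (0x[0-9A-Fa-f]+) mask (0x[0-9A-Fa-f]+)$", m)
        if mm:
            value, mask = int(mm.group(1), 16), int(mm.group(2), 16)
            if mask in (0xFF, 0xFFFF):  # full-width mask => exact value
                return value
    return None


def has_address_qualifier(matches):
    """Assumed heuristic: any SRC/DST IP address field counts as a restriction.
    The sample only carries L3DestHostHit, which is not an address."""
    return any(re.search(r"\b(SRC|DST)\s*IP\b|SrcIp|DstIp", m) for m in matches)


def find_unrestricted_bgp_punts(text):
    """Entries that send TCP/179 to the CPU (ChangeCpuQ) with no address match."""
    name, entries = parse_filter_dump(text)
    findings = []
    for e in entries:
        if _hex_field(e["matches"], "IP Protocol") != 6:
            continue
        if not any(a.startswith("ChangeCpuQ") for a in e["actions"]):
            continue
        src = _hex_field(e["matches"], "L4 SRC Port")
        dst = _hex_field(e["matches"], "L4 DST Port")
        if BGP_PORT not in (src, dst) or has_address_qualifier(e["matches"]):
            continue
        findings.append({"filter": name, "entry": e["id"],
                         "port_side": "src" if src == BGP_PORT else "dst"})
    return findings


if __name__ == "__main__":
    for f in find_unrestricted_bgp_punts(SAMPLE_DUMP):
        print(f"{f['filter']} entry {f['entry']}: TCP/179 ({f['port_side']}) "
              "punted to CPU with no address qualifier")
```

Run it against a pasted dump instead of `SAMPLE_DUMP` to confirm whether a box carries the same dynamic filter; a non-empty result means the RE filter is not the first thing deciding which BGP peers reach the control plane, so peer filtering has to be enforced elsewhere (for example by the RE filter still dropping the session at the BGP layer, or on upstream ACLs) until the KB article's fix applies.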

