[j-nsp] QFX5100 ACLs

Alain Hebert ahebert at pubnix.net
Mon Dec 11 10:13:52 EST 2017


     I highly recommend not using VCF for any L3/MPLS/etc.

         We had a year-long battle with it.  And it won.

     Now that we're back into MPLS territory they're working fine as 
hell.  And it will only cost us some training for the juniors.

------

     But I can confirm that the input-list works with a non-VCF setup, 
using the entire MPLS alphabet stack (IS-IS and OSPF based).

-----
Alain Hebert                                ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 12/11/17 09:45, Saku Ytti wrote:
> Someone pointed this to me -
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB24145
>
> Not good.
>
> On 4 December 2017 at 18:02, Brendan Mannella <bmannella at teraswitch.com> wrote:
>> Hello,
>>
>> So I have been testing the QFX5100 product for use as a core L3 switch/router
>> with BGP/OSPF. I have my standard RE filter blocking various things,
>> including BGP from any unknown peer. I started to receive errors in my logs
>> showing BGP packets getting through from hosts that weren't allowed. After
>> digging around I found that Juniper apparently has a built-in ACL to allow
>> BGP, which bypasses my ACLs, probably for VCF or something. Is there any
>> way to disable this behavior, or does anyone have any other suggestions?
>>
>> root at XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>>
>> Filter name          : dyn-bgp-pkts
>> Filter enum          : 47
>> Filter location      : IFP
>> List of tcam entries : [(total entries: 2)
>> Entry: 37
>>      - Unit 0
>>      - Entry Priority 0x7FFFFFFC
>>      - Matches:
>>          PBMP 0x00000001fffffffffffffffc
>>          PBMP xe
>>          L4 SRC Port 0x000000B3 mask 0x0000FFFF
>>          IP Protocol 0x00000006 mask 0x000000FF
>>          L3DestHostHit 1 1
>>      - Actions:
>>          ChangeCpuQ
>>              ColorIndependent param1: 1, param2: 0
>>              CosQCpuNew cosq: 30
>>          Implicit Counter
>> Entry: 38
>>      - Unit 0
>>      - Entry Priority 0x7FFFFFFC
>>      - Matches:
>>          PBMP 0x00000001fffffffffffffffc
>>          PBMP xe
>>          L4 DST Port 0x000000B3 mask 0x0000FFFF
>>          IP Protocol 0x00000006 mask 0x000000FF
>>          L3DestHostHit 1 1
>>      - Actions:
>>          ChangeCpuQ
>>              ColorIndependent param1: 1, param2: 0
>>              CosQCpuNew cosq: 30
>>          Implicit Counter
>>                         ]
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
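A small parser for dumps like the `cprod ... show filter hw dynamic` output quoted above, added here as an example (not from the thread or from Juniper): it decodes each TCAM entry's match fields and punt action, so an audit can see that both entries match TCP port 179 (0xB3) on packets addressed to the switch itself and send them to CPU queue 30 ahead of the configured RE filter. The sample dump is the thread's two entries trimmed to the lines the parser reads.

```python
import re
from typing import Dict, List

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 89: "OSPF"}
# Constructed sample: the two dyn-bgp-pkts entries from the thread, trimmed to the
# lines this parser reads (Filter name/enum and PBMP lines are ignored if present).
SAMPLE_DUMP = """\
Entry: 37
         L4 SRC Port 0x000000B3 mask 0x0000FFFF
         IP Protocol 0x00000006 mask 0x000000FF
         L3DestHostHit 1 1
         ChangeCpuQ
             CosQCpuNew cosq: 30
Entry: 38
         L4 DST Port 0x000000B3 mask 0x0000FFFF
         IP Protocol 0x00000006 mask 0x000000FF
         L3DestHostHit 1 1
         ChangeCpuQ
             CosQCpuNew cosq: 30
"""

def parse_dynamic_filter(dump: str) -> List[Dict]:
    """One dict per TCAM entry: IP protocol, L4 ports, host-hit flag and CPU queue."""
    entries: List[Dict] = []
    cur: Dict = {}
    for raw in dump.splitlines():
        s = raw.strip()
        if m := re.match(r"Entry:\s+(\d+)$", s):
            cur = {"entry": int(m.group(1)), "proto": None, "src_port": None,
                   "dst_port": None, "to_host": False, "cpu_queue": None}
            entries.append(cur)
        elif not cur:
            continue  # header lines before the first Entry (filter name, enum, ...)
        elif m := re.match(r"L4 (SRC|DST) Port (0x[0-9A-Fa-f]+) mask (0x[0-9A-Fa-f]+)$", s):
            # mask 0xFFFF: the whole 16-bit port is compared, so this is one exact port
            cur["src_port" if m.group(1) == "SRC" else "dst_port"] = int(m.group(2), 16) & int(m.group(3), 16)
        elif m := re.match(r"IP Protocol (0x[0-9A-Fa-f]+)", s):
            cur["proto"] = int(m.group(1), 16)
        elif s.startswith("L3DestHostHit 1"):
            cur["to_host"] = True  # only packets addressed to the switch itself
        elif m := re.match(r"CosQCpuNew cosq:\s*(\d+)", s):
            cur["cpu_queue"] = int(m.group(1))  # ChangeCpuQ punts to this CPU queue
    return entries

def describe(e: Dict) -> str:
    proto = IP_PROTO.get(e["proto"], str(e["proto"]))
    side, port = ("src", e["src_port"]) if e["src_port"] is not None else ("dst", e["dst_port"])
    scope = "to-host" if e["to_host"] else "any-dst"
    return f"entry {e['entry']}: {proto} {side} port {port} {scope} -> CPU queue {e['cpu_queue']}"
```

Running `describe` over `parse_dynamic_filter(SAMPLE_DUMP)` yields one line per entry, e.g. `entry 37: TCP src port 179 to-host -> CPU queue 30`.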
