[j-nsp] QFX5100 ACLs
Alain Hebert
ahebert at pubnix.net
Mon Dec 11 14:31:08 EST 2017
Hi,
FYI, using the command from the PR, it seem right.
PS: There was an issue with mixed mode that needed to be set to NO,
but the exact context is eluding me right now. But it is not relevant
to input-list.
-----
Model: qfx5100-48s-6q
Junos: 17.2R1.13
-----
Xyz> show virtual-chassis
Virtual Chassis ID: <snip>
Virtual Chassis Mode: Enabled
Mstr Mixed Route Neighbor List
Member ID Status Serial No Model prio Role Mode
Mode ID Interface
0 (FPC 0) Prsnt <snip> qfx5100-48s-6q 128 Master* N VC
------
+ BD ID : 230
+ Total TCAM entries available: 431
+ Total TCAM entries needed : 80
+ Term Expansion:
- Term 1: will expand to 1 term : Name
"ICMP-FI-NO-ICMP-Fragments"
- Term 2: will expand to 7 terms: Name "ICMP-FI-ACCEPT"
- Term 3: will expand to 2 terms: Name "BGP-UNDERLAY-FI-ACCEPT"
- Term 4: will expand to 1 term : Name "BGP-UNDERLAY-FI-DENY"
- Term 5: will expand to 2 terms: Name "LDP-UNDERLAY-FI-ACCEPT"
- Term 6: will expand to 1 term : Name "LDP-UNDERLAY-FI-DENY"
- Term 7: will expand to 5 terms: Name "<snip>-MGMT-FI-ACCEPT"
- Term 8: will expand to 1 term : Name "DISCARD-ALL-FI-DISCARD"
+ Term TCAM entry requirements:
- Term 1: needs 4 TCAM entries: Name "ICMP-FI-NO-ICMP-Fragments"
- Term 2: needs 28 TCAM entries: Name "ICMP-FI-ACCEPT"
- Term 3: needs 8 TCAM entries: Name "BGP-UNDERLAY-FI-ACCEPT"
- Term 4: needs 4 TCAM entries: Name "BGP-UNDERLAY-FI-DENY"
- Term 5: needs 8 TCAM entries: Name "LDP-UNDERLAY-FI-ACCEPT"
- Term 6: needs 4 TCAM entries: Name "LDP-UNDERLAY-FI-DENY"
- Term 7: needs 20 TCAM entries: Name "<snip>-MGMT-FI-ACCEPT"
- Term 8: needs 4 TCAM entries: Name "DISCARD-ALL-FI-DISCARD"
+ Total TCAM entries available: 431
+ Total TCAM entries needed : 80
-----
Alain Hebert ahebert at pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 12/11/17 13:28, Andrey Kostin wrote:
> Hi Alain,
>
> Good to know that now it works. It was way back in February 2016 with
> 13.2X51-D35.3 and below is the exempt from TAC case. We haven't been
> told however that a PR was raised to address the issue or there are
> plans to resolve it.
>
>
> Problem Description :
>
> We use common set of filters on all our juniper devices to protect
> control plane and it turnes out there is a strange problem with filter
> on QFX switches.
>
> When that input filter list is applied then at least ports tcp/22 and
> tcp/179 are world-wide open.
>
> Issue: Filter was not getting programmed in TCAM:
>
> Action taken:
>
> As per our latest communication, we have identified two reasons behind
> the filters not getting programmed First, the filter entries exceeded
> the maximum TCAM entries. Second, we observed the the QFX platforms do
> not support input-list. Although the config gets committed without any
> error, only the first filter gets programmed in TCAM. We also provided a
> sample configuration to demonstrate the ssh filter.
>
> JTAC engineer's examples provided:
>
>
> I have tried the following configs in the lab under 13.2X51-D35 and
> 14.1X53-D30 and have observed the following:
>
> Config independent of the group:
>
> set interfaces lo0 unit 0 family inet filter input-list [ accept-ftp
> accept-ssh ]
>
> Config within group:
>
> set groups common:lo-filter interfaces lo0 unit 0 family inet filter
> input-list accept-ftp
> set groups common:lo-filter interfaces lo0 unit 0 family inet filter
> input-list accept-ssh
> In both cases, the configuration goes through without any error but
> only the first filter (accept-ftp) actually gets programmed in
> the PFE programs as can observed below:
>
>
>
> TFXPC0(vty)# show filter
> Program Filters:
> ---------------
> Index Dir Cnt Text Bss Name
> -------- ------ ------ ------ ------ --------
>
>
> Term Filters:
> ------------
> Index Semantic Name
> -------- ---------- ------
> 1 Classic accept-ftp
> 2 Classic accept-ssh
> 3 Classic lo0.0-i
> 17000 Classic __default_arp_policer__
> 16777216 Classic fnp-filter-level-all
>
>
>
>
>
> TFXPC0(vty)# show filter hw 3 show_term_info
> ======================
> Filter index : 3
> ======================
>
>
> - Filter name : lo0.0-i
> + Programmed: YES
> + BD ID : 184
> + Total TCAM entries available: 1528
> + Total TCAM entries needed : 8
> + Term Expansion:
> - Term 1: will expand to 1 term : Name "accept-ftp-0"
> - Term 2: will expand to 1 term : Name "accept-ftp-1"
> + Term TCAM entry requirements:
> - Term 1: needs 4 TCAM entries: Name "accept-ftp-0"
> - Term 2: needs 4 TCAM entries: Name "accept-ftp-1"
> + Total TCAM entries available: 1528
> + Total TCAM entries needed : 8
>
>
> Even the counters only show the counters for the first filter
> (accept-filter) and not those for the following filters (accept-ssh)
> in the input-list. The following is missing count-accept-ssh-lo0.0-i .
>
>
>
> Alain Hebert писал 11.12.2017 08:23:
>> Hi,
>>
>> Odd.
>>
>> Model: qfx5100-48s-6q
>> Junos: 17.2R1.13
>>
>> I've verified with both the "pfe shell" and a Nessus scan
>> TCP+UDP+Ports 1 thru 65535 and this input-list
>>
>> [ ICMP-FI OSPF-PEERS-FI LDP-PEERS-FI BGP-PEERS-FI
>> BFD-PEERS-FI VRRP-FI DHCP-FI <snip>-MGMT-FI DROP-FI ]
>>
>> Worked as advertised (for once).
>>
>> -----
>> Alain Hebert ahebert at pubnix.net
>> PubNIX Inc.
>> 50 boul. St-Charles
>> P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
>> Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
>>
>> On 12/10/17 12:39, Andrey Kostin wrote:
>>> Hi Brendan,
>>>
>>> If you use filter-list on Lo0 interface as per "securing RE guide"
>>> then it's not supported. Only first filter in list is programmed and
>>> everything else is ignored. We ran into the same issue and had to
>>> pull it out from JTAC to confirm.
>>>
>>> Brendan Mannella писал 04.12.2017 15:51:
>>>> + Programmed: YES
>>>> + Total TCAM entries available: 1788
>>>> + Total TCAM entries installed : 516
>>>>
>>>> Brendan Mannella
>>>>
>>>> TeraSwitch Inc.
>>>> Main - 1.412.945.7045
>>>> Direct - 1.412.945.7049
>>>> eFax - 1.412.945.7049
>>>> Colocation . Cloud . Connectivity
>>>>
>>>>
>>>> ----
>>>>
>>>> This email and any files transmitted with it are confidential and
>>>> intended solely for the use of the individual or entity to whom they
>>>> are addressed. If you have received this email in error please notify
>>>> the sender. Please note that any views or opinions presented in this
>>>> email are solely those of the author and do not necessarily represent
>>>> those of the company. Finally, the recipient should check this email
>>>> and any attachments for the presence of viruses. The company accepts
>>>> no liability for any damage caused by any virus transmitted by this
>>>>
>>>> On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <saku at ytti.fi> wrote:
>>>>
>>>>> Hey Brendan,
>>>>>
>>>>> This is news to me, but plausible. Can you do this for me
>>>>>
>>>>> start shell pfe network fpc0
>>>>> show filter
>>>>> <pick your lo0 filter from above>
>>>>> show filter hw <from above> show_term_info
>>>>>
>>>>> Compare how many TCAM entries are needed, and how many are available.
>>>>>
>>>>> Also if you can take a risk of reloading the FPC run:
>>>>> show filter hw <from above> show_terms_brcm
>>>>>
>>>>> This may crash your PFE, if you actually did not have all of the
>>>>> entries programmed in HW.
>>>>>
>>>>>
>>>>> commit will succeed if you build filter which will not fit in HW,
>>>>> there should be syslog entry, but no complain during commit. You will
>>>>> end up having no filter or some mangled version of it. So it's just
>>>>> alternative theory on why you may be accepting something you thought
>>>>> you aren't.
>>>>>
>>>>>
>>>>> On 4 December 2017 at 18:02, Brendan Mannella
>>>>> <bmannella at teraswitch.com>
>>>>> wrote:
>>>>> > Hello,
>>>>> >
>>>>> > So i have been testing QFX5100 product for use as a core L3
>>>>> switch/router
>>>>> > with BGP/OSPF. I have my standard RE filter blocking various things
>>>>> > including BGP from any unknown peer. I started to receive errors
>>>>> in my
>>>>> logs
>>>>> > showing BGP packets getting through from hosts that weren't
>>>>> allowed.
>>>>> After
>>>>> > digging around i found that Juniper apparently has built in ACL
>>>>> to allow
>>>>> > BGP, which bypasses my ACLs, probably for VCF or something.. Is
>>>>> there any
>>>>> > way to disable this behavior or does anyone have any other
>>>>> suggestions?
>>>>> >
>>>>> > root at XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>>>>> >
>>>>> > Filter name : dyn-bgp-pkts
>>>>> > Filter enum : 47
>>>>> > Filter location : IFP
>>>>> > List of tcam entries : [(total entries: 2)
>>>>> > Entry: 37
>>>>> > - Unit 0
>>>>> > - Entry Priority 0x7FFFFFFC
>>>>> > - Matches:
>>>>> > PBMP 0x00000001fffffffffffffffc
>>>>> > PBMP xe
>>>>> > L4 SRC Port 0x000000B3 mask 0x0000FFFF
>>>>> > IP Protocol 0x00000006 mask 0x000000FF
>>>>> > L3DestHostHit 1 1
>>>>> > - Actions:
>>>>> > ChangeCpuQ
>>>>> > ColorIndependent param1: 1, param2: 0
>>>>> > CosQCpuNew cosq: 30
>>>>> > Implicit Counter
>>>>> > Entry: 38
>>>>> > - Unit 0
>>>>> > - Entry Priority 0x7FFFFFFC
>>>>> > - Matches:
>>>>> > PBMP 0x00000001fffffffffffffffc
>>>>> > PBMP xe
>>>>> > L4 DST Port 0x000000B3 mask 0x0000FFFF
>>>>> > IP Protocol 0x00000006 mask 0x000000FF
>>>>> > L3DestHostHit 1 1
>>>>> > - Actions:
>>>>> > ChangeCpuQ
>>>>> > ColorIndependent param1: 1, param2: 0
>>>>> > CosQCpuNew cosq: 30
>>>>> > Implicit Counter
>>>>> > ]
>>>>> > _______________________________________________
>>>>> > juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>> > https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>>>
>>>>>
>>>>>
>>>>> -- ++ytti
>>>>>
>>>> _______________________________________________
>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>>
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list