[j-nsp] Using a QFX5100 without QFabric?

Vincent Bernat bernat at luffy.cx
Tue Oct 24 18:30:01 EDT 2017


 ❦ 24 October 2017 14:29 -0400, Andrey Kostin <ankost at podolsk.ru>:

> QFX5100 are good as L2 devices for aggregation; we use them in
> virtual-chassis. But be careful with planning any L3 services on
> them. First, don't put public IPs on them because the TCAM for filters is
> tiny and programmed in a way that is tricky to understand. As a result,
> everything that doesn't fit in TCAM is silently allowed. We observed
> that lo0 filters were "bypassed" this way and the switch was exposed to
> a continuous brute-force attack.

That's scary! I remember having a commit error when I set too many
filters (in fact, too many source/destination combinations, solved by
removing either source or destination from the filter), so there are
some checks in place. Which version were you using when you got the
problem? Is there an easy way to check if we are hit by that?

> The second thing I can recall is that MPLS works only on physical
> interfaces, not irb. And finally I had very mixed results when I tried
> PIM multicast routing between irb interfaces and had to give up
> and pass L2 to a router; I didn't try it on physical ports though.

I also had some bad experiences with IRB on QFX5100. For example,
unnumbered interfaces don't work on IRB. I have also already
related here my troubles with IRB, routing daemons and MC-LAG. For some
reason, it seems many features don't play well with IRB (at least on the
14.1X53 train). I am now using them as L2 switches and as BGP RR (but no
routing) and so far, no problems.
-- 
Don't go around saying the world owes you a living.  The world owes you
nothing.  It was here first.
		-- Mark Twain
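The thread above makes two practical points: a filter whose terms expand past the hardware TCAM budget may have its trailing terms dropped (so the final deny never applies and traffic is silently accepted), and the expansion is driven by the number of source/destination combinations, so removing one side of a term is what made the commit fit. The script below is an added example, not code from the list post or from Juniper; it estimates that expansion for a filter described in Python, charges each term against a budget in order, and reports which terms would not fit. It assumes (an assumption, not a vendor fact) that one term expands to one entry per source-prefix × destination-prefix × port combination, and the budget of 256 entries and the `protect-re` filter are constructed sample data. Use it only as a planning sanity check; what the PFE actually programmed has to be confirmed with the platform's own tools.

```python
"""Estimate TCAM expansion of a firewall filter and flag terms that overflow.

Added example (not from the mailing-list post). ASSUMPTION: each term costs
one hardware entry per (source prefix, destination prefix, port) combination;
an empty match list matches anything and costs a single slot. Real platforms
differ, so treat the numbers as an estimate, not the programmed state.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Term:
    name: str
    sources: List[str]        # source-address prefixes in the from clause
    destinations: List[str]   # destination-address prefixes in the from clause
    ports: List[int]          # destination ports in the from clause
    action: str = "accept"


def entries_for(term: Term) -> int:
    """Entries the term is assumed to expand to: the cross product of its lists."""
    return (max(1, len(term.sources))
            * max(1, len(term.destinations))
            * max(1, len(term.ports)))


def audit(terms: List[Term], budget: int) -> Tuple[list, List[str]]:
    """Charge terms against the budget in filter order.

    Returns (report, overflowed): report rows are (name, entries, running_total,
    fits); overflowed lists the terms that did not fit. If the last term is an
    explicit deny and it overflows, the filter degrades to default-accept.
    """
    report, total, overflowed = [], 0, []
    for term in terms:
        n = entries_for(term)
        total += n
        fits = total <= budget
        if not fits:
            overflowed.append(term.name)
        report.append((term.name, n, total, fits))
    return report, overflowed


def without_destination(term: Term) -> int:
    """Cost if the destination-address list is dropped. On an lo0 filter the
    destination is the device's own addresses anyway, so this is the cheap
    dimension to remove (the fix described in the post)."""
    return entries_for(Term(term.name, term.sources, [], term.ports, term.action))


def trimmed(terms: List[Term]) -> List[Term]:
    """Same filter with every destination-address list removed."""
    return [Term(t.name, t.sources, [], t.ports, t.action) for t in terms]


# Constructed sample: a loopback protection filter with four RE addresses
# (TEST-NET-1) and peer/manager lists drawn from documentation ranges.
RE_ADDRESSES = [f"192.0.2.{i}/32" for i in range(1, 5)]
PROTECT_RE = [
    Term("allow-ssh", [f"198.51.100.{i}/32" for i in range(12)], RE_ADDRESSES, [22]),
    Term("allow-bgp", [f"203.0.113.{i}/32" for i in range(64)], RE_ADDRESSES, [179]),
    Term("allow-snmp", [f"198.51.100.{i}/32" for i in range(100, 108)], RE_ADDRESSES, [161]),
    Term("deny-rest", [], [], [], action="discard"),
]
TCAM_BUDGET = 256  # constructed budget for illustration, not a QFX5100 figure


if __name__ == "__main__":
    report, overflowed = audit(PROTECT_RE, TCAM_BUDGET)
    for name, n, total, fits in report:
        print(f"{name:12s} entries={n:4d} cumulative={total:4d} {'ok' if fits else 'OVERFLOW'}")
    if overflowed:
        print(f"terms past the budget: {overflowed}")
        if PROTECT_RE[-1].name in overflowed:
            print("final deny does not fit: unmatched traffic would be accepted")
        print("with destination lists removed:",
              [(t.name, without_destination(t)) for t in PROTECT_RE])
        _, still_over = audit(trimmed(PROTECT_RE), TCAM_BUDGET)
        print("overflow after trimming:", still_over or "none")
```

Running it on the sample shows the bgp term alone consuming 256 entries, pushing the snmp and final deny terms past the budget, and the same filter fitting comfortably once the destination lists are dropped; the interesting row is the last one, because a final deny that is not programmed is exactly the silent-accept behaviour the post warns about.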

