[j-nsp] Using a QFX5100 without QFabric?
Chris Wopat
me at falz.net
Wed Oct 25 13:00:46 EDT 2017
On 10/24/2017 05:30 PM, Vincent Bernat wrote:
> ❦ 24 October 2017 14:29 -0400, Andrey Kostin <ankost at podolsk.ru> :
>
>> QFX5100 are good as L2 devices for aggregation, we use them in
>> virtual-chassis. But be careful with planning any L3 services on
>> them. First, don't put public IPs on them because the TCAM for filters is
>> tiny and programmed in a tricky-to-understand way. As a result
>> everything that doesn't fit in TCAM is silently allowed. We observed
>> that lo0 filters were "bypassed" this way and the switch was exposed to
>> a continuous brute-force attack.
>
> That's scary! I remember having a commit error when I set too many
> filters (in fact, too many source/destination combination, solved by
> removing either source or destination from the filter), so there are
> some checks in place. Which version were you using when you got the
> problem? Is there an easy way to check if we are hit by that?
Straight up saying "don't put public IPs on them" doesn't seem like the
best advice to me. You can certainly do this, we do and it's fine. When
you craft your RE protection filter you just have to squeeze a bit more
space here or there compared to, say, an MX filter. You should have this
enabled whether you're using public IPs or not.
Regarding TCAM programming, it's loud and clear when this happens via a
console message and a sev0 syslog message.
You can check current TCAM levels with `show pfe filter hw summary`. If
you need to know details you can find them via fpc shell:
> start shell
% vty fpc0
TFXPC0(vty)# show filter
Program Filters:
---------------
Index Dir Cnt Text Bss Name
-------- ------ ------ ------ ------ --------
Term Filters:
------------
Index Semantic Name
-------- ----------------
1 Classic accept-only
2 Classic classify-accept
3 Classic protect-re
<snip>
TFXPC0(vty)# show filter hw 3 show_term_info
======================
Filter index : 3
======================
<snip, details of each term will be here>
--Chris
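As an added illustration of the "squeezing" Chris describes and the source/destination blow-up Vincent hit (example configuration written for this page, not from the thread or from Juniper), here is a lo0 RE-protection filter in a wasteful form beside a lean one. The prefixes are RFC 5737 documentation ranges standing in for management and peer addresses; the filter and prefix-list names are assumed.

```junos
policy-options {
    prefix-list mgmt-hosts {            /* constructed sample prefixes */
        192.0.2.0/24;
        198.51.100.0/24;
    }
    prefix-list bgp-peers {
        203.0.113.1/32;
        203.0.113.2/32;
    }
    prefix-list local-addrs {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
}
firewall {
    family inet {
        /* Wasteful form: a term that lists both sources and destinations
           is expanded into one TCAM entry per source/destination pair, so
           every local address multiplies the cost of every term. */
        filter protect-re-wide {
            term ssh {
                from {
                    source-prefix-list { mgmt-hosts; }
                    destination-prefix-list { local-addrs; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
        }
        /* Lean form: a filter on lo0 only ever sees packets addressed to
           the RE, so the destination match is implied and dropped, and a
           counted discard at the end makes the "not permitted" case visible. */
        filter protect-re {
            term ssh {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term bgp {
                from {
                    source-prefix-list { bgp-peers; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term default { then { count re-drop; discard; } }
        }
    }
}
interfaces { lo0 { unit 0 { family inet { filter { input protect-re; } } } } }
```

After committing, the `show pfe filter hw summary` check from the post above tells you how much of the table the lean version actually consumed.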