[j-nsp] Using a QFX5100 without QFabric?

Chris Wopat me at falz.net
Wed Oct 25 13:00:46 EDT 2017


On 10/24/2017 05:30 PM, Vincent Bernat wrote:
>   ❦ 24 October 2017 14:29 -0400, Andrey Kostin <ankost at podolsk.ru> :
> 
>> QFX5100 are good as L2 devices for aggregation, we use them in
>> virtual-chassis. But be careful with planning any L3 services on
>> them. First, don't put public IPs on them because TCAM for filters is
>> tiny and programmed in a way that is tricky to understand. As a result
>> everything that doesn't fit in TCAM is silently allowed. We observed
>> that lo0 filters were "bypassed" this way and the switch was exposed to
>> continuous brute-force attack.
> 
> That's scary! I remember having a commit error when I set too many
> filters (in fact, too many source/destination combination, solved by
> removing either source or destination from the filter), so there are
> some checks in place. Which version were you using when you got the
> problem? Is there an easy way to check if we are hit by that?


Straight up saying "don't put public IPs on them" doesn't seem like the 
best advice to me. You can certainly do this; we do, and it's fine. When 
you craft your RE protection filter you just have to squeeze a bit more 
space here or there compared to, say, an MX filter. You should have this 
enabled whether you're using public IPs or not.

Regarding TCAM programming, it's loud and clear when this happens via a 
console message and a sev0 syslog message.

You can check current TCAM levels with `show pfe filter hw summary`. If 
you need to know details you can find them via fpc shell:

 > start shell
% vty fpc0


TFXPC0(vty)# show filter
Program Filters:
---------------
    Index     Dir     Cnt    Text     Bss  Name
--------  ------  ------  ------  ------  --------

Term Filters:
------------
    Index    Semantic    Name
--------  ----------------
        1  Classic   accept-only
        2  Classic   classify-accept
        3  Classic   protect-re
<snip>


TFXPC0(vty)# show filter hw 3 show_term_info
======================
Filter index   : 3
======================

<snip, details of each term will be here>



--Chris
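As an added example (not part of this thread, and not Juniper's own tooling), a small Python parser for the `Term Filters` table that the FPC shell `show filter` command prints in the message above. A script that collects that output from each FPC can then confirm that the RE-protection filter is actually programmed and work out which index to pass to `show filter hw <index> show_term_info`. The sample text is the output quoted in the message; the filter name `lo0-v6` in the usage and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the `show filter` output quoted in the message above,
# embedded as a string so the parser runs offline.
SAMPLE_SHOW_FILTER = """\
TFXPC0(vty)# show filter
Program Filters:
---------------
    Index     Dir     Cnt    Text     Bss  Name
--------  ------  ------  ------  ------  --------

Term Filters:
------------
    Index    Semantic    Name
--------  ----------------
        1  Classic   accept-only
        2  Classic   classify-accept
        3  Classic   protect-re
"""


@dataclass(frozen=True)
class TermFilter:
    index: int
    semantic: str
    name: str


# One data row of the "Term Filters" table: numeric index, semantic, name.
# The column-header row and the dashed separator never start with a digit,
# so they do not match.
_TERM_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s*$")


def parse_term_filters(output: str) -> List[TermFilter]:
    """Return the rows of the 'Term Filters' table from `show filter` output."""
    filters: List[TermFilter] = []
    in_section = False
    for line in output.splitlines():
        if line.startswith("Term Filters:"):
            in_section = True
            continue
        if not in_section:
            continue
        # An unindented line ending in ':' is the header of the next section.
        if line.endswith(":") and not line.startswith(" "):
            break
        m = _TERM_ROW.match(line)
        if m:
            filters.append(TermFilter(int(m.group(1)), m.group(2), m.group(3)))
    return filters


def missing_filters(output: str, required: List[str]) -> List[str]:
    """Names from `required` that are not present in the PFE term-filter table."""
    programmed = {f.name for f in parse_term_filters(output)}
    return [name for name in required if name not in programmed]


def term_info_commands(output: str) -> Dict[str, str]:
    """Map each programmed filter name to the vty command that lists its terms."""
    return {
        f.name: f"show filter hw {f.index} show_term_info"
        for f in parse_term_filters(output)
    }


if __name__ == "__main__":
    for f in parse_term_filters(SAMPLE_SHOW_FILTER):
        print(f"{f.index:>3}  {f.semantic:<8} {f.name}")
    # 'lo0-v6' is an assumed filter name used only to show a negative result.
    print("missing:", missing_filters(SAMPLE_SHOW_FILTER, ["protect-re", "lo0-v6"]))
    print("next step:", term_info_commands(SAMPLE_SHOW_FILTER)["protect-re"])
```

This only confirms that a filter is present in the PFE's term-filter list; it says nothing about whether every term of that filter fit into TCAM. For that, the per-term detail from `show filter hw <index> show_term_info` still has to be reviewed, alongside the console and sev0 syslog messages Chris mentions.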

