[j-nsp] dsc interface on qfx5100

Jason Healy jhealy at logn.net
Thu Oct 11 21:36:57 EDT 2018 

I'm more of a layer-2 guy, but I'm trying to tighten up a few things on our qfx5100 that acts as our l3 core here at our campus.  We use RFC1918 space internally, but I'd like to discard any traffic to these ranges if they aren't one of our known subnets.  I have that working with standard "discard" routes.

I've seen some best-practice documents where you can set up the discard (dsc) interface to blackhole traffic, rather than using a direct "discard" route.  I thought it might be nice to use that so I could analyze the stuff that's getting discarded (count packets, maybe even mirror or analyze the traffic).

TL;DR: I got dsc working and it is discarding, but the counters aren't incrementing.  I need to know if I'm doing it wrong or if this is a "feature" of the qfx5100 similar to its inability to count ipv6 packets...

I've created the interface and assigned an IP with a "destination" I can route to, and a filter to count packets:

dsc {
    unit 0 {
        family inet {
            filter {
                output sa-discard-v4;
            }
            address 10.255.254.2/32 {
                destination 10.255.254.1;
            }
        }
    }
}


The filter just counts:

filter sa-discard-v4 {
    term default-discard {
        then {
            count discard-v4-default;
            /* Not supported on egress on this platform */
            inactive: log;
        }
    }
}


And I've added some rules to discard the traffic:

[edit routing-options rib inet.0 static]
+     route 10.0.32.64/32 next-hop 10.255.254.1;


That's a live IP on my network, and I've confirmed that traffic is discarded with that route active.  Alas, the counters on the interface don't budge:

qfx> show interfaces dsc   
Physical interface: dsc, Enabled, Physical link is Up
  Interface index: 5, SNMP ifIndex: 5
  Type: Software-Pseudo, MTU: Unlimited
  Device flags   : Present Running
  Interface flags: Point-To-Point SNMP-Traps
  Link flags     : None
  Last flapped   : Never
    Input packets : 0
    Output packets: 0

  Logical interface dsc.0 (Index 548) (SNMP ifIndex 709)
    Flags: Down Point-To-Point SNMP-Traps Encapsulation: Unspecified
    Protocol inet, MTU: Unlimited
      Flags: Sendbcast-pkt-to-re
      Addresses, Flags: Is-Preferred Is-Primary
        Destination: 10.255.254.1, Local: 10.255.254.2


Nor do the firewall counters:

qfx> show firewall filter sa-discard-v4 counter discard-v4-default 

Filter: sa-discard-v4                                          
Counters:
Name                                                Bytes              Packets
discard-v4-default                                      0                    0



Has anyone set this up with static routing?  All the examples use BGP, but I can't imagine why that would make a difference for the reporting if the traffic is correctly discarded.

Thanks,

Jason

More information about the juniper-nsp mailing list