[j-nsp] FlowSpec rules being installed, but not matching any traffic
Nathan Ward
juniper-nsp at daork.net
Thu Apr 14 08:08:50 EDT 2022
> On 14/04/2022, at 10:53 PM, Tobias Heister via juniper-nsp <juniper-nsp at puck.nether.net> wrote:
>
> Hi,
>
> I doubt that BGP Flow Spec is systested or supported on any QFX5k platform.
>
> Feature Explorer (while not perfect :)) does support me in that thinking: https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1541&pFName=BGP+Flow+Specification
Yeah… QFX5100 (and all the Broadcom boxes, AFAICT) fail open when firewall filters get too complex - and that complexity limit is pretty low.
Given that, having BGP be able to program those same firewall filters seems like a very bad idea on those boxes.
I wonder if the flowspec rules aren’t matching because the whole thing is too complex and it’s failing open.
--
Nathan Ward