[j-nsp] FlowSpec rules being installed, but not matching any traffic

Paul S. contact at winterei.se
Fri Apr 15 11:01:14 EDT 2022


Hi folks,

Thanks for taking the time to reply!

I was afraid that was the case, but wanted to check in with the experts
regardless =)

On Thu, Apr 14, 2022 at 6:25 PM Nathan Ward via juniper-nsp <
juniper-nsp at puck.nether.net> wrote:

>
>
>
> ---------- Forwarded message ----------
> From: Nathan Ward <juniper-nsp at daork.net>
> To: Tobias Heister <lists at tobias-heister.de>
> Cc: juniper-nsp at puck.nether.net
> Bcc:
> Date: Fri, 15 Apr 2022 00:08:50 +1200
> Subject: Re: [j-nsp] FlowSpec rules being installed, but not matching any
> traffic
>
> > On 14/04/2022, at 10:53 PM, Tobias Heister via juniper-nsp <
> juniper-nsp at puck.nether.net> wrote:
> >
> > Hi,
> >
> > I doubt that BGP Flow Spec is systested or supported on any QFX5k
> platform.
> >
> > Feature Explorer (while not perfect :)) does support me in that
> thinking:
> https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1541&pFName=BGP+Flow+Specification
>
>
> Yeah… QFX5100 (and all the Broadcom boxes, AFAICT) fail open when firewall
> filters get too complex - and that complexity limit is pretty low.
> Given that, having BGP be able to program those same firewall filters
> seems like a very bad idea on those boxes.
>
> I wonder if the flowspec rules aren’t matching because the whole thing is
> too complex and it’s failing open.
>
> --
> Nathan Ward
>

