On 03/05/2010 10:17 AM, Phil Mayers wrote:
On 03/05/2010 10:15 AM, Phil Mayers wrote:

Damn... wait a minute.

I recall something about screen options and vlan sub-ints, in the
release notes.

Hmm.

Blast.

Yes - it was the UDP screen. Even though it's applied on a zone bound to
a sub-int, evidently it works on a per-physical-interface basis.

In fact, the ScreenOS 6.2r4 release notes state:

"""Flood Screens — On ISG 1000, ISG 2000, NetScreen-5000 Series devices,
the UDP and ICMP flood screens apply to the physical interface and
therefore require that the zone be bound to a physical interface. The
following limitations apply:

  * When zones are bound to a sub-interface, the ICMP and UDP flood
screen are not enforced unless the zone is also bound to a physical
interface.

  * When ICMP and UDP flood screen options are configured for different
zones and on the same physical interface, the flood threshold is applied
based on the last configured zone threshold.
"""

I would argue this is misleading wording, and it does not in fact represent our exact config - but disabling the "UDP Flood" option on the "Foo" zone does indeed allow UDP traffic between the "Trust" and "Untrust" zones whose sub-ints are on the same physical int as "Foo".

One wonders why the screen options are configured on a zone basis if they apply to physical ints on this platform...
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
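The three rules quoted above from the ScreenOS 6.2r4 release notes, worked through as an added model (written for this thread, not ScreenOS code or anything Juniper ships). Assumptions, labelled in the comments: interface names (ethernet1/1, ethernet1/1.10, ethernet1/2) and the DMZ zone are made up; "bound to a physical interface" in the first bullet is read as "bound directly to at least one physical interface anywhere on the box", which is what makes the second bullet (several zones on one port, last one configured wins) reachable at all; and the flood counter is taken to be kept per physical interface, so sub-interfaces of one port share a single budget.

```python
"""Model of the ISG/NS-5000 UDP/ICMP flood-screen limitation from the
ScreenOS 6.2r4 release notes.  Illustrative code added for this thread,
not ScreenOS.  Interface names and the DMZ zone below are made up."""


def physical(ifname):
    """'ethernet1/1.10' -> 'ethernet1/1'; a physical interface maps to itself."""
    return ifname.split(".", 1)[0]


def effective_udp_flood(bindings, udp_flood):
    """Return {physical_interface: (zone, threshold_pps)} after applying the rules.

    bindings : dict  interface -> zone, one entry per 'set interface X zone Y'
    udp_flood: list  of (zone, threshold_pps) in the order the zone screens were
               configured.  A zone absent from the list has the screen disabled.

    Rules, as the release note reads (assumption: "bound to a physical
    interface" means bound directly to any physical interface on the box):
      * a zone bound only to sub-interfaces contributes nothing;
      * a qualifying zone's screen lands on every physical port that carries
        the zone, directly or through a VLAN sub-interface;
      * where several zones' screens land on one port, the last configured wins.
    """
    zones_with_physical = {z for i, z in bindings.items() if "." not in i}
    zones_on = {}  # physical port -> zones present on it (directly or via sub-ints)
    for ifname, zone in bindings.items():
        zones_on.setdefault(physical(ifname), set()).add(zone)

    effective = {}
    for zone, threshold in udp_flood:        # config order: later entries overwrite
        if zone not in zones_with_physical:
            continue                          # sub-interface-only zone: not enforced
        for phys, zones in zones_on.items():
            if zone in zones:
                effective[phys] = (zone, threshold)
    return effective


def threshold_for_ingress(bindings, udp_flood, ingress_if):
    """Screen applied to UDP arriving on ingress_if, regardless of its own zone.
    None means no flood screen is enforced on that port at all."""
    return effective_udp_flood(bindings, udp_flood).get(physical(ingress_if))


def udp_drops(bindings, udp_flood, samples):
    """Packets dropped in one one-second window, counting per physical port.

    samples: list of (ingress_if, pps).  Assumption: the counter is kept per
    physical interface, so sub-interfaces of the same port share one budget.
    Ports without an effective screen are omitted from the result.
    """
    per_phys = {}
    for ifname, pps in samples:
        per_phys[physical(ifname)] = per_phys.get(physical(ifname), 0) + pps
    eff = effective_udp_flood(bindings, udp_flood)
    return {p: max(0, total - eff[p][1]) for p, total in per_phys.items() if p in eff}


# Constructed sample config (names are made up).  Trust and Untrust ride VLAN
# sub-interfaces of ethernet1/1; Foo owns the physical port; Trust is also
# bound to a second physical port, so its screen qualifies for enforcement.
BINDINGS = {
    "ethernet1/1":    "Foo",
    "ethernet1/1.10": "Trust",
    "ethernet1/1.20": "Untrust",
    "ethernet1/2":    "Trust",
}
# Untrust's threshold is ignored (sub-interface only); Foo, configured last,
# overrides Trust on ethernet1/1.
UDP_FLOOD = [("Untrust", 2000), ("Trust", 5000), ("Foo", 1000)]

if __name__ == "__main__":
    print("effective:", effective_udp_flood(BINDINGS, UDP_FLOOD))
    print("Untrust sub-int policed by:",
          threshold_for_ingress(BINDINGS, UDP_FLOOD, "ethernet1/1.20"))
    print("with Foo's screen disabled:",
          threshold_for_ingress(BINDINGS, UDP_FLOOD[:2], "ethernet1/1.20"))
    print("drops, two sub-ints at 700 + 600 pps:",
          udp_drops(BINDINGS, UDP_FLOOD, [("ethernet1/1.10", 700), ("ethernet1/1.20", 600)]))
```

Running it shows the effect described in the thread: UDP arriving on the Untrust sub-interface is policed by Foo's 1000 pps threshold even though Untrust never asked for that screen, and two sub-interfaces each well under the threshold still lose packets together once their combined rate on the shared port exceeds it. Reordering the two zone commands (Trust after Foo) flips ethernet1/1 to Trust's 5000 pps, which is the "last configured zone threshold" behaviour from the second bullet.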