On Fri, Sep 02, 2011 at 02:37:11PM -0400, Mark Kamichoff wrote:
> I'm not an EX guru, but I believe the same concepts can be applied.

With the caveats that:

1) lo0 filters *WILL* (quite incorrectly) match data plane exception packets that get punted to the RE for further processing as well, such as TTL expiring traceroute packets routing THROUGH the box. Mostly this issue applies to EX, which seems to punt a whole bunch of everything to the RE rather than deal with it on the FPC CPU like traditional Juniper hardware, but the same thing actually still happens with TTL expiring packets being popped out of an LSP on MX Trio hardware too. You need to make exceptions for this in your lo0 filter, or else you'll find your control plane filters matching more than just control plane packets, breaking traceroute/etc, and generally pissing everyone off. I believe there was also a related ongoing issue on EX where an lo0 filter with an explicit deny of all traffic at the end would actually match ARP traffic too, so you should probably be careful with those as well. :)

2) EX lo0 filters don't actually work correctly for DoS prevention, they get applied *AFTER* the packets have already destroyed the RE, and thus are completely ineffective at defending the boxes from attack. The only way to correctly block control plane traffic on EX is with ingress filters on "real" interfaces (or RVIs).

-- 
Richard A Steenbergen <r...@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
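An illustrative Junos filter written to follow both caveats above; this is an added example, not configuration from the thread or from Juniper. It carries an explicit exception for punted transit traceroute probes and ICMP (caveat 1), and because its drop term is scoped to the box's own addresses it can be applied on a real ingress interface rather than only on lo0 (caveat 2). The interface name, prefix-list contents and policer rates are assumed placeholders.

```junos
policy-options {
    /* The box's own addresses, collected with apply-path (assumed naming). */
    prefix-list ROUTER-ADDRS {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list MGMT-HOSTS { 192.0.2.0/24; }     /* placeholder management range */
    prefix-list BGP-PEERS { 198.51.100.0/24; }   /* placeholder peer range */
}
firewall {
    policer RE-LIMIT {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 100k; }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* Caveat 1: exception packets punted to the RE (transit traceroute
               probes, ICMP) are accepted, rate-limited, before any deny term;
               without this the deny below would match them and break traceroute. */
            term transit-traceroute {
                from { protocol udp; destination-port 33434-33523; }
                then { policer RE-LIMIT; accept; }
            }
            term icmp {
                from { protocol icmp; }
                then { policer RE-LIMIT; accept; }
            }
            term bgp {
                from { source-prefix-list { BGP-PEERS; } protocol tcp; port bgp; }
                then accept;
            }
            term mgmt-ssh {
                from { source-prefix-list { MGMT-HOSTS; } protocol tcp; destination-port ssh; }
                then accept;
            }
            /* Only packets addressed to the box itself are dropped and counted,
               so the filter is safe on a transit-carrying interface. */
            term deny-to-re {
                from { destination-prefix-list { ROUTER-ADDRS; } }
                then { count re-denied; discard; }
            }
            term transit { then accept; }
        }
    }
}
interfaces {
    /* Caveat 2: on EX, apply on the real ingress interface (placeholder name). */
    ge-0/0/0 { unit 0 { family inet { filter { input PROTECT-RE; } } } }
}
```

The `re-denied` counter (`show firewall filter PROTECT-RE`) gives a quick way to see whether the filter is discarding anything it should not, such as the ARP case mentioned above.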