Hello - Sorry if this is remedial, but are packets sent to the base address of a directly connected subnet always punted to the RE, and if so, why? Historic compatibility? I couldn't determine any bucket under the ddos-protection protocol statistics that such traffic ends up in, either. I haven't seen any negative side effects of this, only noticing this after I followed up on a high pps drop rate for one of our routing engines. This seems to happen regardless of what I have 'targeted-broadcast' configured with [absent, forward-only].
For example, in the below I ran "telnet X.Y.0.0 16888" and "telnet X.Y.0.0 55555" from A.B.254.29, resulting in the firewall logs as follows.

Time of Log: 2015-08-24 12:53:38 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: A.B.254.29:34776, Destination address: X.Y.0.0:16888

Time of Log: 2015-08-24 12:57:17 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: A.B.254.29:31968, Destination address: X.Y.0.0:55555

I have a 'then log' at the bottom of my protect-re filter in lo0.0 family inet. As you can see, X.Y.0.0/21 is directly connected on the given chassis, but the local address is not the X.Y.0.0/32 address.

# run show route X.Y.0.0 table inet.0

inet.0: 396 destinations, 417 routes (395 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

X.Y.0.0/21         *[Direct/0] 39w3d 18:24:03
                    > via irb.157

For what it's worth, the above is an MX104, but I also see this on other MX MPC hardware.

-Michael

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
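The post above finds the punted packets only by reading the protect-re filter log, since no ddos-protection counter accounts for them. The script below is an added example (editor's code, not part of Michael's post or of anything Juniper ships) that does that triage offline: it parses entries in the two-line "Time of Log: ... / Name of protocol: ..." layout quoted above and classifies each destination against the router's directly connected prefixes as the subnet base address, the subnet broadcast address, an ordinary host, or not connected at all. The addresses are constructed stand-ins: 10.157.0.0/21 for X.Y.0.0/21 and 10.254.254.29 for A.B.254.29, and the two extra log lines (a broadcast-address and a host-address destination) are constructed to show the other classes.

```python
import ipaddress
import re
from collections import Counter

# Added example, not code from the post. Directly connected prefixes would normally be
# pulled from 'show route protocol direct'; here a single constructed /21 stands in for
# the X.Y.0.0/21 in the post. IPv4 only.
CONNECTED_PREFIXES = [ipaddress.ip_network("10.157.0.0/21")]

# Constructed log text in the 'show firewall log' layout quoted in the post
# (two lines per entry). Hosts/ports are placeholders, not real traffic.
SAMPLE_LOG = """\
Time of Log: 2015-08-24 12:53:38 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: 10.254.254.29:34776, Destination address: 10.157.0.0:16888
Time of Log: 2015-08-24 12:57:17 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: 10.254.254.29:31968, Destination address: 10.157.0.0:55555
Time of Log: 2015-08-24 12:58:02 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: TCP, Packet Length: 52, Source address: 10.254.254.29:40001, Destination address: 10.157.7.255:22
Time of Log: 2015-08-24 12:59:40 CDT, Filter: pfe, Filter action: discard, Name of interface: ae1.3416
Name of protocol: UDP, Packet Length: 64, Source address: 10.254.254.29:5000, Destination address: 10.157.3.9:161
"""

# "Filter action" is listed before "Filter" so the alternation does not stop short.
_FIELD_RE = re.compile(
    r"(Time of Log|Filter action|Filter|Name of interface|Name of protocol"
    r"|Packet Length|Source address|Destination address): ([^,\n]+)"
)


def _split_addr(text):
    """'10.157.0.0:16888' -> (IPv4Address, 16888); a missing port yields None."""
    host, sep, port = text.strip().rpartition(":")
    if not sep:
        return ipaddress.ip_address(port), None
    return ipaddress.ip_address(host), int(port)


def parse_log(text):
    """Return one dict per log entry; an entry starts at each 'Time of Log:'."""
    entries = []
    for chunk in re.split(r"(?=Time of Log: )", text):
        if not chunk.strip():
            continue
        fields = {k: v.strip() for k, v in _FIELD_RE.findall(chunk)}
        src, sport = _split_addr(fields["Source address"])
        dst, dport = _split_addr(fields["Destination address"])
        entries.append({
            "time": fields["Time of Log"],
            "interface": fields["Name of interface"],
            "proto": fields["Name of protocol"],
            "action": fields["Filter action"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return entries


def classify_destination(dst, prefixes=CONNECTED_PREFIXES):
    """'subnet-base', 'subnet-broadcast', 'host' or 'not-connected' relative to prefixes."""
    for net in prefixes:
        if dst not in net:
            continue
        if net.prefixlen >= 31:  # /31 and /32 have no distinct base/broadcast address
            return "host"
        if dst == net.network_address:
            return "subnet-base"
        if dst == net.broadcast_address:
            return "subnet-broadcast"
        return "host"
    return "not-connected"


def summarize(entries, prefixes=CONNECTED_PREFIXES):
    """Count entries per destination class: the per-class bucket the filter log gives
    you when the ddos-protection statistics show nothing for this traffic."""
    return Counter(classify_destination(e["dst"], prefixes) for e in entries)


def subnet_base_hits(entries, prefixes=CONNECTED_PREFIXES):
    """(interface, src, dst, dport) for packets aimed at a connected subnet's base address."""
    return [(e["interface"], str(e["src"]), str(e["dst"]), e["dport"])
            for e in entries
            if classify_destination(e["dst"], prefixes) == "subnet-base"]


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(dict(summarize(parsed)))
    for hit in subnet_base_hits(parsed):
        print("subnet-base destination seen on", *hit)
```

Feed it the text of 'show firewall log' (or the saved output of a 'then log' term) and replace CONNECTED_PREFIXES with the router's real direct routes; any entry in the "subnet-base" class is traffic of the kind the post describes, with the ingress interface and source preserved so it can be traced back to whoever is sending it.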