Hello, so I have been testing the QFX5100 product for use as a core L3 switch/router with BGP/OSPF. I have my standard RE filter blocking various things, including BGP from any unknown peer. I started to receive errors in my logs showing BGP packets getting through from hosts that weren't allowed. After digging around I found that Juniper apparently has a built-in ACL to allow BGP, which bypasses my ACLs, probably for VCF or something. Is there any way to disable this behavior, or does anyone have any other suggestions?
root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
Filter name : dyn-bgp-pkts
Filter enum : 47
Filter location : IFP
List of tcam entries : [(total entries: 2)
Entry: 37 - Unit 0 - Entry Priority 0x7FFFFFFC
 - Matches:
   PBMP 0x00000001fffffffffffffffc
   PBMP xe
   L4 SRC Port 0x000000B3 mask 0x0000FFFF
   IP Protocol 0x00000006 mask 0x000000FF
   L3DestHostHit 1 1
 - Actions:
   ChangeCpuQ ColorIndependent param1: 1, param2: 0
   CosQCpuNew cosq: 30
   Implicit Counter
Entry: 38 - Unit 0 - Entry Priority 0x7FFFFFFC
 - Matches:
   PBMP 0x00000001fffffffffffffffc
   PBMP xe
   L4 DST Port 0x000000B3 mask 0x0000FFFF
   IP Protocol 0x00000006 mask 0x000000FF
   L3DestHostHit 1 1
 - Actions:
   ChangeCpuQ ColorIndependent param1: 1, param2: 0
   CosQCpuNew cosq: 30
   Implicit Counter
]

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
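An added example, not part of the original post and not Juniper tooling: a small Python parser for the `show filter hw dynamic ... show_terms` output above (re-laid out one field per line, since cprod prints it run together) that flags TCAM entries sending TCP/179 to a CPU queue with no qualifier beyond port, protocol, port bitmap and destination-host hit, i.e. entries that punt BGP from every source, consistent with the poster's observation. The qualifier list and the "no source qualifier means any peer" rule are assumptions drawn only from the two entries shown.

```python
import re

# Constructed sample, not live output: the two dyn-bgp-pkts TCAM entries from the post,
# re-laid out one field per line (cprod prints them run together on one line).
ENTRY = """Entry: {} - Unit 0 - Entry Priority 0x7FFFFFFC
- Matches:
PBMP 0x00000001fffffffffffffffc
PBMP xe
L4 {} Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Implicit Counter
"""
SAMPLE = ("Filter name : dyn-bgp-pkts\nList of tcam entries : [(total entries: 2)\n"
          + ENTRY.format(37, "SRC") + ENTRY.format(38, "DST") + "]\n")

# Assumption: these are the only qualifiers the post's entries use; none names a source address.
SCOPE_FREE_KEYS = {"PBMP", "L4 SRC Port", "L4 DST Port", "IP Protocol", "L3DestHostHit"}
TCP, BGP_PORT = 6, 179

def _split_field(line):
    """'L4 SRC Port 0x000000B3 mask 0x0000FFFF' -> ('L4 SRC Port', '0x000000B3')."""
    toks = line.split()
    i = next((i for i, t in enumerate(toks) if re.fullmatch(r"0x[0-9A-Fa-f]+|\d+", t)), len(toks) - 1)
    return " ".join(toks[:i]), toks[i]

def parse_entries(text):
    """Return [{'id': int, 'matches': [(key, value), ...], 'actions': [line, ...]}, ...]."""
    clean = lambda s: [ln.strip() for ln in s.splitlines() if ln.strip() and ln.strip() != "]"]
    entries = []
    for chunk in re.split(r"^Entry: ", text, flags=re.M)[1:]:
        head, rest = chunk.split("- Matches:", 1)
        matches, actions = rest.split("- Actions:", 1)
        entries.append({"id": int(head.split()[0]),
                        "matches": [_split_field(ln) for ln in clean(matches)],
                        "actions": clean(actions)})
    return entries

def bgp_punts_from_any_source(entries):
    """Ids of entries that steer TCP/179 (either direction) to a CPU queue without any
    qualifier that could narrow the source, so every peer's BGP is punted in hardware."""
    flagged = []
    for e in entries:
        keys = {k for k, _ in e["matches"]}
        vals = {k: int(v, 0) for k, v in e["matches"] if k != "PBMP" and v.startswith("0x")}
        is_bgp = vals.get("IP Protocol") == TCP and BGP_PORT in (vals.get("L4 SRC Port"), vals.get("L4 DST Port"))
        to_cpu = any(a.startswith("CosQCpuNew") for a in e["actions"])
        if is_bgp and to_cpu and keys <= SCOPE_FREE_KEYS:
            flagged.append(e["id"])
    return flagged
```

Run it against your own `show_terms` output after splitting the fields onto separate lines; an entry that carries any qualifier outside the assumed set is left unflagged for manual review rather than guessed at.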