Hello,
So i have been testing QFX5100 product for use as a core L3 switch/router
with BGP/OSPF. I have my standard RE filter blocking various things
including BGP from any unknown peer. I started to receive errors in my logs
showing BGP packets getting through from hosts that weren't allowed. After
digging around i found that Juniper apparently has built in ACL to allow
BGP, which bypasses my ACLs, probably for VCF or something.. Is there any
way to disable this behavior or does anyone have any other suggestions?
root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
Filter name : dyn-bgp-pkts
Filter enum : 47
Filter location : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP 0x00000001fffffffffffffffc
PBMP xe
L4 SRC Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Implicit Counter
Entry: 38
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP 0x00000001fffffffffffffffc
PBMP xe
L4 DST Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Implicit Counter
]
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
