My version words it a bit differently:

+ Total TCAM entries available: 566
+ Total TCAM entries needed : 424

Even when it is not programmed, it does say 'Programmed: YES', at least for me. But for me, if needed > available, it has been accurate in predicting whether or not it's been correctly programmed.

So indeed it does not seem to be a TCAM exhaustion issue in your case.

On 4 December 2017 at 22:51, Brendan Mannella <bmanne...@teraswitch.com> wrote:
> + Programmed: YES
> + Total TCAM entries available: 1788
> + Total TCAM entries installed : 516
>
> Brendan Mannella
> TeraSwitch Inc.
>
> On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <s...@ytti.fi> wrote:
>>
>> Hey Brendan,
>>
>> This is news to me, but plausible. Can you do this for me:
>>
>> start shell pfe network fpc0
>> show filter
>> <pick your lo0 filter from above>
>> show filter hw <from above> show_term_info
>>
>> Compare how many TCAM entries are needed, and how many are available.
>>
>> Also, if you can take the risk of reloading the FPC, run:
>> show filter hw <from above> show_terms_brcm
>>
>> This may crash your PFE, if you actually did not have all of the
>> entries programmed in HW.
>>
>> commit will succeed if you build a filter which will not fit in HW;
>> there should be a syslog entry, but no complaint during commit. You will
>> end up having no filter or some mangled version of it. So it's just an
>> alternative theory on why you may be accepting something you thought
>> you aren't.
>>
>> On 4 December 2017 at 18:02, Brendan Mannella <bmanne...@teraswitch.com> wrote:
>> > Hello,
>> >
>> > So I have been testing the QFX5100 product for use as a core L3
>> > switch/router with BGP/OSPF. I have my standard RE filter blocking
>> > various things, including BGP from any unknown peer. I started to
>> > receive errors in my logs showing BGP packets getting through from
>> > hosts that weren't allowed. After digging around I found that Juniper
>> > apparently has a built-in ACL to allow BGP, which bypasses my ACLs,
>> > probably for VCF or something. Is there any way to disable this
>> > behavior, or does anyone have any other suggestions?
>> >
>> > root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>> >
>> > Filter name : dyn-bgp-pkts
>> > Filter enum : 47
>> > Filter location : IFP
>> > List of tcam entries : [(total entries: 2)
>> > Entry: 37
>> >   - Unit 0
>> >   - Entry Priority 0x7FFFFFFC
>> >   - Matches:
>> >       PBMP 0x00000001fffffffffffffffc
>> >       PBMP xe
>> >       L4 SRC Port 0x000000B3 mask 0x0000FFFF
>> >       IP Protocol 0x00000006 mask 0x000000FF
>> >       L3DestHostHit 1 1
>> >   - Actions:
>> >       ChangeCpuQ
>> >       ColorIndependent param1: 1, param2: 0
>> >       CosQCpuNew cosq: 30
>> >       Implicit Counter
>> > Entry: 38
>> >   - Unit 0
>> >   - Entry Priority 0x7FFFFFFC
>> >   - Matches:
>> >       PBMP 0x00000001fffffffffffffffc
>> >       PBMP xe
>> >       L4 DST Port 0x000000B3 mask 0x0000FFFF
>> >       IP Protocol 0x00000006 mask 0x000000FF
>> >       L3DestHostHit 1 1
>> >   - Actions:
>> >       ChangeCpuQ
>> >       ColorIndependent param1: 1, param2: 0
>> >       CosQCpuNew cosq: 30
>> >       Implicit Counter
>> > ]
>>
>> --
>> ++ytti

--
++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
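Added example, not part of the thread or of any Juniper tooling: a small Python parser for the `show_terms` dump quoted above that decodes the hex value/mask pairs and reports which TCAM entries would match a given protocol and port, useful when auditing which implicit hardware filters sit alongside an RE filter. The `DUMP` text is abridged from the post; the function names are hypothetical, and the code assumes the usual TCAM value/mask semantics (a packet field matches when it agrees with the value on every masked bit).

```python
import re

# Abridged from the dump posted in the thread (only the fields parsed here).
ENTRY = """Entry: {n}
- Entry Priority 0x7FFFFFFC
- Matches:
L4 {side} Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
CosQCpuNew cosq: 30
"""
DUMP = ("Filter name : dyn-bgp-pkts\n"
        + ENTRY.format(n=37, side="SRC") + ENTRY.format(n=38, side="DST"))

# "<field name> 0x<value> mask 0x<mask>"
FIELD = re.compile(
    r"^(?P<name>.+?)\s+0x(?P<val>[0-9A-Fa-f]+)\s+mask\s+0x(?P<mask>[0-9A-Fa-f]+)$")

def parse_entries(text):
    """Return {entry_id: {"match": {field: (value, mask)}, "cosq": int or None}}."""
    entries, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Entry:"):
            cur = entries.setdefault(int(line.split(":")[1]),
                                     {"match": {}, "cosq": None})
        elif cur is None:
            continue  # filter header lines before the first entry
        elif (m := FIELD.match(line)):
            cur["match"][m["name"]] = (int(m["val"], 16), int(m["mask"], 16))
        elif line.startswith("CosQCpuNew"):
            cur["cosq"] = int(line.rsplit(":", 1)[1])
    return entries

def hits(field, value):
    """True when `value` agrees with the TCAM field on every masked bit."""
    return field is not None and (value & field[1]) == (field[0] & field[1])

def entries_matching(entries, proto, port):
    """Map entry id -> (port side, CPU queue) for entries matching proto/port."""
    found = {}
    for eid, entry in entries.items():
        if not hits(entry["match"].get("IP Protocol"), proto):
            continue
        for side in ("SRC", "DST"):
            if hits(entry["match"].get(f"L4 {side} Port"), port):
                found[eid] = (side, entry["cosq"])
    return found

if __name__ == "__main__":
    # TCP (6), port 179 (0xB3): both entries of dyn-bgp-pkts match.
    print(entries_matching(parse_entries(DUMP), proto=6, port=179))
```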