Someone pointed this to me - https://kb.juniper.net/InfoCenter/index?page=content&id=KB24145

Not good.

On 4 December 2017 at 18:02, Brendan Mannella <bmanne...@teraswitch.com> wrote:
> Hello,
>
> So I have been testing the QFX5100 product for use as a core L3 switch/router
> with BGP/OSPF. I have my standard RE filter blocking various things,
> including BGP from any unknown peer. I started to receive errors in my logs
> showing BGP packets getting through from hosts that weren't allowed. After
> digging around I found that Juniper apparently has a built-in ACL to allow
> BGP, which bypasses my ACLs, probably for VCF or something. Is there any
> way to disable this behavior, or does anyone have any other suggestions?
>
> root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>
> Filter name : dyn-bgp-pkts
> Filter enum : 47
> Filter location : IFP
> List of tcam entries : [(total entries: 2)
> Entry: 37
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 SRC Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> Entry: 38
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 DST Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> ]
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
++ytti
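The `cprod` dump quoted in the thread shows why the RE filter was bypassed: two hardware TCAM entries match TCP (IP protocol 0x06) with source or destination port 0xB3 (179) and send the packet straight to a CPU queue (`ChangeCpuQ`). As an added example that is not part of the thread, the script below parses that dump format as pasted above and flags every entry that punts a given protocol/port to the CPU, so an operator can audit what the ASIC punts independently of their RE filter. It assumes the line layout shown in the post (one match or action per line, `- Matches:` and `- Actions:` headers, `Entry: N` separators); the sample dump is reconstructed from the post, and the hypothetical `SAMPLE_DUMP`, `parse_dump` and `punt_rules` names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the two entries of filter 47 exactly as pasted in the thread.
SAMPLE_DUMP = """\
Filter name : dyn-bgp-pkts
Filter enum : 47
Filter location : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP 0x00000001fffffffffffffffc
PBMP xe
L4 SRC Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Implicit Counter
Entry: 38
- Unit 0
- Entry Priority 0x7FFFFFFC
- Matches:
PBMP 0x00000001fffffffffffffffc
PBMP xe
L4 DST Port 0x000000B3 mask 0x0000FFFF
IP Protocol 0x00000006 mask 0x000000FF
L3DestHostHit 1 1
- Actions:
ChangeCpuQ
ColorIndependent param1: 1, param2: 0
CosQCpuNew cosq: 30
Implicit Counter
]
"""

@dataclass
class TcamEntry:
    entry_id: int
    matches: list = field(default_factory=list)  # raw match lines, e.g. "L4 SRC Port ..."
    actions: list = field(default_factory=list)  # raw action lines, e.g. "ChangeCpuQ"

def parse_dump(text):
    """Split a 'show filter hw dynamic N show_terms' dump into (filter name, entries)."""
    name, entries, section = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter name"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Entry:"):
            entries.append(TcamEntry(int(line.split(":", 1)[1])))
            section = None
        elif line == "- Matches:":
            section = "matches"
        elif line == "- Actions:":
            section = "actions"
        elif line.startswith("-") or line == "]":
            continue  # "- Unit", "- Entry Priority" and the closing bracket
        elif section == "matches" and entries:
            entries[-1].matches.append(line)
        elif section == "actions" and entries:
            entries[-1].actions.append(line)
    return name, entries

PORT_RE = re.compile(r"^L4 (SRC|DST) Port 0x([0-9A-Fa-f]+) mask 0x([0-9A-Fa-f]+)$")
PROTO_RE = re.compile(r"^IP Protocol 0x([0-9A-Fa-f]+) mask 0x([0-9A-Fa-f]+)$")

def punt_rules(entries, proto=6, port=179):
    """Return (entry_id, 'SRC'|'DST') for entries that steer proto/port to the CPU.
    Value-and-mask is applied as the TCAM does, so wildcarded fields never match."""
    hits = []
    for e in entries:
        if "ChangeCpuQ" not in e.actions:
            continue
        proto_ok = any(int(m.group(1), 16) & int(m.group(2), 16) == proto
                       for m in map(PROTO_RE.match, e.matches) if m)
        if not proto_ok:
            continue
        for m in filter(None, map(PORT_RE.match, e.matches)):
            if int(m.group(2), 16) & int(m.group(3), 16) == port:
                hits.append((e.entry_id, m.group(1)))
    return hits

if __name__ == "__main__":
    name, entries = parse_dump(SAMPLE_DUMP)
    for entry_id, direction in punt_rules(entries):
        print(f"{name}: entry {entry_id} punts TCP {direction} port 179 to CPU (ChangeCpuQ)")
```

Running it over the pasted dump reports both entries 37 and 38; pointing it at other dynamic filter numbers on the same box shows what else the ASIC punts before the RE filter is consulted, which is the list to compare against the loopback filter policy.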