Re: [j-nsp] QFX5100 ACLs

Mon, 11 Dec 2017 07:14:36 -0800 

    I highly recommend to not use VCF for any L3/MPLS/etc.

        We had a year long battle with it.  And it won.
    Now that we're back into MPLS territory they're working fine as hell.  And it will only cost us some training for the juniors. 

------
    But I can confirm that the input-list works with a non VCF setup, using the entire MPLS Alphabet stack (IS-IS and OSPF based) 

-----
Alain Hebert                                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 12/11/17 09:45, Saku Ytti wrote:

Someone pointed this to me -
https://kb.juniper.net/InfoCenter/index?page=content&id=KB24145

No es bueno.

On 4 December 2017 at 18:02, Brendan Mannella <bmanne...@teraswitch.com> wrote:

Hello,

So i have been testing QFX5100 product for use as a core L3 switch/router
with BGP/OSPF. I have my standard RE filter blocking various things
including BGP from any unknown peer. I started to receive errors in my logs
showing BGP packets getting through from hosts that weren't allowed. After
digging around i found that Juniper apparently has built in ACL to allow
BGP, which bypasses my ACLs, probably for VCF or something.. Is there any
way to disable this behavior or does anyone have any other suggestions?

root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"

Filter name          : dyn-bgp-pkts
Filter enum          : 47
Filter location      : IFP
List of tcam entries : [(total entries: 2)
Entry: 37
     - Unit 0
     - Entry Priority 0x7FFFFFFC
     - Matches:
         PBMP 0x00000001fffffffffffffffc
         PBMP xe
         L4 SRC Port 0x000000B3 mask 0x0000FFFF
         IP Protocol 0x00000006 mask 0x000000FF
         L3DestHostHit 1 1
     - Actions:
         ChangeCpuQ
             ColorIndependent param1: 1, param2: 0
             CosQCpuNew cosq: 30
         Implicit Counter
Entry: 38
     - Unit 0
     - Entry Priority 0x7FFFFFFC
     - Matches:
         PBMP 0x00000001fffffffffffffffc
         PBMP xe
         L4 DST Port 0x000000B3 mask 0x0000FFFF
         IP Protocol 0x00000006 mask 0x000000FF
         L3DestHostHit 1 1
     - Actions:
         ChangeCpuQ
             ColorIndependent param1: 1, param2: 0
             CosQCpuNew cosq: 30
         Implicit Counter
                        ]
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp





_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

Reply via email to