Hi,
FYI, using the command from the PR, it seem right.
PS: There was an issue with mixed mode that needed to be set to NO,
but the exact context is eluding me right now. But it is not relevant
to input-list.
-----
Model: qfx5100-48s-6q
Junos: 17.2R1.13
-----
Xyz> show virtual-chassis
Virtual Chassis ID: <snip>
Virtual Chassis Mode: Enabled
Mstr Mixed Route Neighbor List
Member ID Status Serial No Model prio Role Mode
Mode ID Interface
0 (FPC 0) Prsnt <snip> qfx5100-48s-6q 128 Master* N VC
------
+ BD ID : 230
+ Total TCAM entries available: 431
+ Total TCAM entries needed : 80
+ Term Expansion:
- Term 1: will expand to 1 term : Name
"ICMP-FI-NO-ICMP-Fragments"
- Term 2: will expand to 7 terms: Name "ICMP-FI-ACCEPT"
- Term 3: will expand to 2 terms: Name "BGP-UNDERLAY-FI-ACCEPT"
- Term 4: will expand to 1 term : Name "BGP-UNDERLAY-FI-DENY"
- Term 5: will expand to 2 terms: Name "LDP-UNDERLAY-FI-ACCEPT"
- Term 6: will expand to 1 term : Name "LDP-UNDERLAY-FI-DENY"
- Term 7: will expand to 5 terms: Name "<snip>-MGMT-FI-ACCEPT"
- Term 8: will expand to 1 term : Name "DISCARD-ALL-FI-DISCARD"
+ Term TCAM entry requirements:
- Term 1: needs 4 TCAM entries: Name "ICMP-FI-NO-ICMP-Fragments"
- Term 2: needs 28 TCAM entries: Name "ICMP-FI-ACCEPT"
- Term 3: needs 8 TCAM entries: Name "BGP-UNDERLAY-FI-ACCEPT"
- Term 4: needs 4 TCAM entries: Name "BGP-UNDERLAY-FI-DENY"
- Term 5: needs 8 TCAM entries: Name "LDP-UNDERLAY-FI-ACCEPT"
- Term 6: needs 4 TCAM entries: Name "LDP-UNDERLAY-FI-DENY"
- Term 7: needs 20 TCAM entries: Name "<snip>-MGMT-FI-ACCEPT"
- Term 8: needs 4 TCAM entries: Name "DISCARD-ALL-FI-DISCARD"
+ Total TCAM entries available: 431
+ Total TCAM entries needed : 80
-----
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 12/11/17 13:28, Andrey Kostin wrote:
Hi Alain,
Good to know that now it works. It was way back in February 2016 with
13.2X51-D35.3 and below is the exempt from TAC case. We haven't been
told however that a PR was raised to address the issue or there are
plans to resolve it.
Problem Description :
We use common set of filters on all our juniper devices to protect
control plane and it turnes out there is a strange problem with filter
on QFX switches.
When that input filter list is applied then at least ports tcp/22 and
tcp/179 are world-wide open.
Issue: Filter was not getting programmed in TCAM:
Action taken:
As per our latest communication, we have identified two reasons behind
the filters not getting programmed First, the filter entries exceeded
the maximum TCAM entries. Second, we observed the the QFX platforms do
not support input-list. Although the config gets committed without any
error, only the first filter gets programmed in TCAM. We also provided a
sample configuration to demonstrate the ssh filter.
JTAC engineer's examples provided:
I have tried the following configs in the lab under 13.2X51-D35 and
14.1X53-D30 and have observed the following:
Config independent of the group:
set interfaces lo0 unit 0 family inet filter input-list [ accept-ftp
accept-ssh ]
Config within group:
set groups common:lo-filter interfaces lo0 unit 0 family inet filter
input-list accept-ftp
set groups common:lo-filter interfaces lo0 unit 0 family inet filter
input-list accept-ssh
In both cases, the configuration goes through without any error but
only the first filter (accept-ftp) actually gets programmed in
the PFE programs as can observed below:
TFXPC0(vty)# show filter
Program Filters:
---------------
Index Dir Cnt Text Bss Name
-------- ------ ------ ------ ------ --------
Term Filters:
------------
Index Semantic Name
-------- ---------- ------
1 Classic accept-ftp
2 Classic accept-ssh
3 Classic lo0.0-i
17000 Classic __default_arp_policer__
16777216 Classic fnp-filter-level-all
TFXPC0(vty)# show filter hw 3 show_term_info
======================
Filter index : 3
======================
- Filter name : lo0.0-i
+ Programmed: YES
+ BD ID : 184
+ Total TCAM entries available: 1528
+ Total TCAM entries needed : 8
+ Term Expansion:
- Term 1: will expand to 1 term : Name "accept-ftp-0"
- Term 2: will expand to 1 term : Name "accept-ftp-1"
+ Term TCAM entry requirements:
- Term 1: needs 4 TCAM entries: Name "accept-ftp-0"
- Term 2: needs 4 TCAM entries: Name "accept-ftp-1"
+ Total TCAM entries available: 1528
+ Total TCAM entries needed : 8
Even the counters only show the counters for the first filter
(accept-filter) and not those for the following filters (accept-ssh)
in the input-list. The following is missing count-accept-ssh-lo0.0-i .
Alain Hebert писал 11.12.2017 08:23:
Hi,
Odd.
Model: qfx5100-48s-6q
Junos: 17.2R1.13
I've verified with both the "pfe shell" and a Nessus scan
TCP+UDP+Ports 1 thru 65535 and this input-list
[ ICMP-FI OSPF-PEERS-FI LDP-PEERS-FI BGP-PEERS-FI
BFD-PEERS-FI VRRP-FI DHCP-FI <snip>-MGMT-FI DROP-FI ]
Worked as advertised (for once).
-----
Alain Hebert aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443
On 12/10/17 12:39, Andrey Kostin wrote:
Hi Brendan,
If you use filter-list on Lo0 interface as per "securing RE guide"
then it's not supported. Only first filter in list is programmed and
everything else is ignored. We ran into the same issue and had to
pull it out from JTAC to confirm.
Brendan Mannella писал 04.12.2017 15:51:
+ Programmed: YES
+ Total TCAM entries available: 1788
+ Total TCAM entries installed : 516
Brendan Mannella
TeraSwitch Inc.
Main - 1.412.945.7045
Direct - 1.412.945.7049
eFax - 1.412.945.7049
Colocation . Cloud . Connectivity
----
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the sender. Please note that any views or opinions presented in this
email are solely those of the author and do not necessarily represent
those of the company. Finally, the recipient should check this email
and any attachments for the presence of viruses. The company accepts
no liability for any damage caused by any virus transmitted by this
On Mon, Dec 4, 2017 at 11:57 AM, Saku Ytti <s...@ytti.fi> wrote:
Hey Brendan,
This is news to me, but plausible. Can you do this for me
start shell pfe network fpc0
show filter
<pick your lo0 filter from above>
show filter hw <from above> show_term_info
Compare how many TCAM entries are needed, and how many are available.
Also if you can take a risk of reloading the FPC run:
show filter hw <from above> show_terms_brcm
This may crash your PFE, if you actually did not have all of the
entries programmed in HW.
commit will succeed if you build filter which will not fit in HW,
there should be syslog entry, but no complain during commit. You will
end up having no filter or some mangled version of it. So it's just
alternative theory on why you may be accepting something you thought
you aren't.
On 4 December 2017 at 18:02, Brendan Mannella
<bmanne...@teraswitch.com>
wrote:
> Hello,
>
> So i have been testing QFX5100 product for use as a core L3
switch/router
> with BGP/OSPF. I have my standard RE filter blocking various things
> including BGP from any unknown peer. I started to receive errors
in my
logs
> showing BGP packets getting through from hosts that weren't
allowed.
After
> digging around i found that Juniper apparently has built in ACL
to allow
> BGP, which bypasses my ACLs, probably for VCF or something.. Is
there any
> way to disable this behavior or does anyone have any other
suggestions?
>
> root@XXX% cprod -A fpc0 -c "show filter hw dynamic 47 show_terms"
>
> Filter name : dyn-bgp-pkts
> Filter enum : 47
> Filter location : IFP
> List of tcam entries : [(total entries: 2)
> Entry: 37
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 SRC Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> Entry: 38
> - Unit 0
> - Entry Priority 0x7FFFFFFC
> - Matches:
> PBMP 0x00000001fffffffffffffffc
> PBMP xe
> L4 DST Port 0x000000B3 mask 0x0000FFFF
> IP Protocol 0x00000006 mask 0x000000FF
> L3DestHostHit 1 1
> - Actions:
> ChangeCpuQ
> ColorIndependent param1: 1, param2: 0
> CosQCpuNew cosq: 30
> Implicit Counter
> ]
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
-- ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp