Hi Saku,
On Thu, 20 Dec 2018 at 14:24, Alex D.<listensamm...@gmx.de> wrote:
Hey Alex,
I tried that, but as mentioned, it didn't work. For testing purposes, I
configured a "log all" as first term:
term log-all-re-traffic {
    then log;
}
DHCP packets from routing-engine to the DHCP-server and DHCP packets
from client to the router are logged as expected. But mysteriously, I
Sorry for my confusion, where did you put the filter? lo0.0 egress
should not show you packets from client to the router.
Sorry, my fault. My firewall filter is configured as an egress filter on
lo0.0 (and some other units which are part of an L3 VPN) and I
wrongly said "from client to the router". Actually I meant from client
to the DHCP server. In case of a DHCP renewal sent directly to the
server, traffic is punted to the RE and the outgoing packet is logged
with the src address of the client.
1. It punts all transit DHCP in all interfaces, and lo0.0 FW filter
must allow these punted packets, otherwise you kill customers' dhcp
I am aware of that. In another setup, I have already painfully stumbled
over it.
2. It encapsulates the punted traffic with another set of IP headers
(if you do 'monitor traffic ... write-file dhcp.pcap' you'll see the
encapsulation, without 'write-file' you'll just see the bottom headers
you expect to see, as the inline parser will hide the encapsulation
headers)
3. lo0 filter does not see the original headers but the encapsulation headers
Okay, that's quite interesting. I'll take a closer look at how the
encapsulated header looks.
I wouldn't be surprised if for some reason it is not subject to normal
rules in CoS either, but I've not specifically tried to set or observe
their QoS.
Do I understand correctly that you also have not tried to change anything in
outbound DHCP traffic using a firewall filter yet?
I think I will try to do some further testing in the lab and if I do not get it
running, I will open a TAC case.
If you have any further hints, I would be grateful if you would tell me.
Many thanks.
Regards,
Alex
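The following is an added example, not configuration posted by either participant in this thread. It is one way to turn Saku's points 1 and 3 into a check: an lo0.0 output filter that explicitly accepts and counts DHCP before anything restrictive, with a log-and-count catch-all term for the test phase. The filter name lo0-out-dhcp-aware and the counter names are assumptions; the interface and unit follow the thread.

```junos
/* Added example, not from the thread. Filter and counter names are assumed. */
firewall {
    family inet {
        filter lo0-out-dhcp-aware {
            /* Punted/relayed DHCP is accepted first and counted, so the
               counter shows whether the filter actually matches it. */
            term allow-dhcp {
                from {
                    protocol udp;
                    port [ bootps bootpc ];
                }
                then {
                    count dhcp-accepted;
                    accept;
                }
            }
            /* Test-phase catch-all: count and log everything else, accept it,
               so nothing is silently dropped while the behaviour is unclear.
               Replace with the intended policy terms afterwards. */
            term log-rest {
                then {
                    count other-accepted;
                    log;
                    accept;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    output lo0-out-dhcp-aware;
                }
            }
        }
    }
}
```

After committing, trigger a few client renewals and compare the two counters with 'show firewall filter lo0-out-dhcp-aware'. If dhcp-accepted stays at zero while other-accepted increments and the log shows the packets, the filter is matching on the encapsulation headers rather than the DHCP headers, which is the behaviour described in point 3; until that is understood, keeping the catch-all as an accept rather than a discard is what protects customers' DHCP as warned in point 1.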
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp