Mailing List Archive

Routing Engine Protection
Hi
I am trying to create a firewall filter to protect the routing engine
only in a routing-instance, and with that I apply the firewall filter
in the lo0.1 interface.
I noticed that when applying the filter that in theory should only
apply to the routing-instance, it also ends up dropping packets that
come to lo0.0. Is Junos supposed to work that way?

Best Regards
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Routing Engine Protection
I forgot to mention that I'm using the QFX5120 equipment in this scenario.

On Thu, 17 Sep 2020 at 10:19, Cristian Cardoso
<cristian.cardoso11@gmail.com> wrote:
>
> Hi
> I am trying to create a firewall filter to protect the routing engine
> only in a routing-instance, and with that I apply the firewall filter
> in the lo0.1 interface.
> I noticed that when applying the filter that in theory should only
> apply to the routing-instance, it also ends up dropping packets that
> come to lo0.0, is Junos supposed to work that way?
>
> Best Regards
Re: Routing Engine Protection
Hi Cristian,

Did you try to apply a filter on both interfaces, i.e. add some accept-all
filter for lo0.0?

I read that the lo0.0 filter is also used in the other instances if there
is no own filter set, but not if this applies vice-versa (at least it
seems to be the case).

kind regards
Rolf

> Hi
> I am trying to create a firewall filter to protect the routing engine
> only in a routing-instance, and with that I apply the firewall filter
> in the lo0.1 interface.
> I noticed that when applying the filter that in theory should only
> apply to the routing-instance, it also ends up dropping packets that
> come to lo0.0, is Junos supposed to work that way?
>


Re: Routing Engine Protection
Hi

Here's the general behaviour in Junos: (routing)
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23547

However, QFX5k is different:
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/bridging-vrf-qfx-series-cli.html

Note: The QFX5100, QFX5110, and QFX5200 switches do not depend on the VRF
match for loopback filters configured at different routing instances.
Loopback filters per routing instance (such as lo0.100, lo0.103, lo0.105)
are not supported and may cause unpredictable behavior. We recommend that
you apply the loopback filter to the lo0.0 (master routing instance) only.

Regards
Roger

On Thu, Sep 17, 2020 at 3:22 PM Cristian Cardoso <cristian.cardoso11@gmail.com> wrote:

> Hi
> I am trying to create a firewall filter to protect the routing engine
> only in a routing-instance, and with that I apply the firewall filter
> in the lo0.1 interface.
> I noticed that when applying the filter that in theory should only
> apply to the routing-instance, it also ends up dropping packets that
> come to lo0.0, is Junos supposed to work that way?
>
> Best Regards
Re: Routing Engine Protection
Hello
Rolf, I followed your suggestion and it worked as expected.

Thank you very much

On Thu, 17 Sep 2020 at 14:24, Roger Wiklund
<roger.wiklund@gmail.com> wrote:
>
> Hi
>
> Here's the general behaviour in Junos: (routing)
> https://kb.juniper.net/InfoCenter/index?page=content&id=KB23547
>
> However, QFX5k is different:
> https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/bridging-vrf-qfx-series-cli.html
>
> Note: The QFX5100, QFX5110, and QFX5200 switches do not depend on the VRF match for loopback filters configured at different routing instances. Loopback filters per routing instance (such as lo0.100, lo0.103, lo0.105) are not supported and may cause unpredictable behavior. We recommend that you apply the loopback filter to the lo0.0 (master routing instance) only.
>
> Regards
> Roger
>
> On Thu, Sep 17, 2020 at 3:22 PM Cristian Cardoso <cristian.cardoso11@gmail.com> wrote:
>>
>> Hi
>> I am trying to create a firewall filter to protect the routing engine
>> only in a routing-instance, and with that I apply the firewall filter
>> in the lo0.1 interface.
>> I noticed that when applying the filter that in theory should only
>> apply to the routing-instance, it also ends up dropping packets that
>> come to lo0.0, is Junos supposed to work that way?
>>
>> Best Regards
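
An added example, not part of any message in this thread: a small Python check that scans a Junos configuration in `set` form for the layout discussed above, an input filter on a non-zero lo0 unit with none on lo0.0. The sample configuration, filter name and instance name are constructed for illustration.

```python
import re

# Constructed sample in Junos "set" form; filter and instance names are made up.
SAMPLE_CONFIG = """\
set firewall family inet filter PROTECT-RE-VRF term ssh from protocol tcp
set firewall family inet filter PROTECT-RE-VRF term ssh from destination-port ssh
set firewall family inet filter PROTECT-RE-VRF term ssh then accept
set firewall family inet filter PROTECT-RE-VRF term rest then discard
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
set interfaces lo0 unit 1 family inet address 198.51.100.1/32
set interfaces lo0 unit 1 family inet filter input PROTECT-RE-VRF
set routing-instances CUST instance-type vrf
set routing-instances CUST interface lo0.1
"""

# Matches "filter input NAME" and "filter input-list NAME" on any lo0 unit.
LO0_FILTER = re.compile(
    r"^set interfaces lo0 unit (\d+) family (\S+) filter input(?:-list)? (\S+)")


def loopback_filters(config):
    """Return {lo0 unit number: [(family, filter name), ...]} for input filters."""
    found = {}
    for line in config.splitlines():
        m = LO0_FILTER.match(line.strip())
        if m:
            found.setdefault(int(m.group(1)), []).append((m.group(2), m.group(3)))
    return found


def audit(config):
    """List findings for the lo0 filter layouts discussed in the thread."""
    filters = loopback_filters(config)
    findings = []
    per_instance = sorted(unit for unit in filters if unit != 0)
    for unit in per_instance:
        names = ", ".join(name for _, name in filters[unit])
        findings.append(f"lo0.{unit}: per-instance loopback filter ({names}); the "
                        "quoted note calls this unsupported on QFX5100/5110/5200")
    if per_instance and 0 not in filters:
        findings.append("lo0.0: no input filter although another lo0 unit has one; "
                        "this is the layout in which lo0.0 traffic was dropped")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of `show configuration | display set`; adding a filter on lo0.0, as suggested in the thread, clears the second finding but not the first.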