Mailing List Archive

FlowSpec rules being installed, but not matching any traffic
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: FlowSpec rules being installed, but not matching any traffic
Hi,

I doubt that BGP Flow Spec is systested or supported on any QFX5k platform.

Feature Explorer (while not perfect :)) does support me in that
thinking:
https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1541&pFName=BGP+Flow+Specification

regards
Tobias
Re: FlowSpec rules being installed, but not matching any traffic
Hi folks,

Thanks for taking the time to reply!

I was afraid that was the case, but wanted to check in with the experts
regardless =)

On Thu, Apr 14, 2022 at 6:25 PM Nathan Ward via juniper-nsp <
juniper-nsp@puck.nether.net> wrote:

>
> ---------- Forwarded message ----------
> From: Nathan Ward <juniper-nsp@daork.net>
> To: Tobias Heister <lists@tobias-heister.de>
> Cc: juniper-nsp@puck.nether.net
> Bcc:
> Date: Fri, 15 Apr 2022 00:08:50 +1200
> Subject: Re: [j-nsp] FlowSpec rules being installed, but not matching any
> traffic
>
> > On 14/04/2022, at 10:53 PM, Tobias Heister via juniper-nsp <
> juniper-nsp@puck.nether.net> wrote:
> >
> > Hi,
> >
> > I doubt that BGP Flow Spec is systested or supported on any QFX5k
> platform.
> >
> > Feature Explorer (while not perfect :)) does support me in that
> thinking:
> https://apps.juniper.net/feature-explorer/parent-feature-info.html?pFKey=1541&pFName=BGP+Flow+Specification
>
>
> Yeah… QFX5100 (and all the Broadcom boxes, AFAICT) fail open when firewall
> filters get too complex - and that complexity limit is pretty low.
> Given that, having BGP be able to program those same firewall filters
> seems like a very bad idea on those boxes.
>
> I wonder if the flowspec rules aren’t matching because the whole thing is
> too complex and it’s failing open.
>
> --
> Nathan Ward