Juniper QFX5100 VLAN flood input filter doesn't work

Stanislaw me at nek0.net
Tue Nov 7 22:06:50 UTC 2017


Hello, list (again),

I've been trying to use VLAN BUM traffic filter on QFX5100. The 
configuration on the test VLAN was quite trivial:

Model: qfx5100-48s-6q
Junos: 17.2R2.8

# show vlans Testvlan
vlan-id 4030;
forwarding-options {
     filter {
         input Testvlan-ingress;
     }
     flood {
         input Testvlan-flood;
     }
}

I connected two linux hosts to the test VLAN:
# show interfaces ge-0/0/42
unit 0 {
     family ethernet-switching {
         vlan {
             members Testvlan;
         }
     }
}

# show interfaces ge-0/0/43
unit 0 {
     family ethernet-switching {
         vlan {
             members Testvlan;
         }
     }
}

The firewall filter was quite simple:
# show firewall family ethernet-switching filter Testvlan-ingress
term accept {
     then accept;
}


The flood input filter I was trying to use is below.
According to the documentation, only Broadcast, Unknown unicast and 
Multicast (BUM) traffic goes through it; the regular unicast traffic should be 
left intact by it.
# show firewall family ethernet-switching filter Testvlan-flood
term allow_arp {
     from {
         ether-type arp;
     }
     then accept;
}
term allow_ipv6_ns {
     from {
         destination-mac-address {
             33:33:ff:00:00:00/24;
         }
         ether-type 0x86dd;
     }
     then accept;
}

term discard_all {
     then discard;
}

I started the hosts pinging (and sniffing) each other, and I saw only ARP 
requests/responses.

"show ethernet-switching table" displayed that both hosts' MACs were 
successfully learned, thus traffic between them should be considered 
regular unicast.

However, the last term in Testvlan-flood filter was blocking it.
If I replace it with "accept" - traffic begins to flow.

Are any Juniper QFX gurus here? I would really appreciate some advice.
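As an added illustration (not from the original post and not Juniper code), the following Python models the behaviour the documentation describes: it classifies each frame as BUM or known unicast against a constructed MAC table and evaluates the Testvlan-flood terms only for BUM frames, so you can check what the final discard_all term would catch before deploying such a filter. The MAC table and frames are constructed for the example.

```python
# Added model of the documented QFX5100 flood-filter behaviour (not Juniper code):
# the flood filter only sees BUM frames; known unicast never reaches it.
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

# Constructed stand-in for "show ethernet-switching table" on Testvlan.
LEARNED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

@dataclass(frozen=True)
class Frame:
    dst_mac: str    # colon-separated, lower case
    ether_type: int

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def mac_in_prefix(mac: str, prefix: str, bits: int) -> bool:
    """Prefix match as 'destination-mac-address 33:33:ff:00:00:00/24' does."""
    shift = 48 - bits
    return mac_to_int(mac) >> shift == mac_to_int(prefix) >> shift

def is_bum(frame: Frame, learned: set) -> bool:
    """Broadcast, Unknown unicast or Multicast: what the docs say the flood filter sees."""
    if frame.dst_mac == "ff:ff:ff:ff:ff:ff":
        return True
    if int(frame.dst_mac[:2], 16) & 1:   # I/G bit set: group (multicast) address
        return True
    return frame.dst_mac not in learned  # unicast to a MAC the switch has not learned

def flood_filter(frame: Frame) -> str:
    """The Testvlan-flood terms from the post, evaluated in order."""
    if frame.ether_type == ETHERTYPE_ARP:                 # term allow_arp
        return "accept"
    if (frame.ether_type == ETHERTYPE_IPV6
            and mac_in_prefix(frame.dst_mac, "33:33:ff:00:00:00", 24)):
        return "accept"                                   # term allow_ipv6_ns
    return "discard"                                      # term discard_all

def documented_verdict(frame: Frame, learned: set) -> tuple:
    """(path, action): known unicast meets only Testvlan-ingress, which accepts all."""
    if not is_bum(frame, learned):
        return ("unicast", "accept")
    return ("flood", flood_filter(frame))
```

Under this model the IPv4 ping between the two learned hosts never reaches the flood filter, which is the behaviour the post expected. Note that the discard_all term also drops IPv6 all-nodes multicast (33:33:00:00:00:01), the destination of router advertisements.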
