
[MX/PTX] RE Protect Filter counters configured for BFD increment for Distributed BFD sessions


Article ID: KB36982 | KB Last Updated: 25 May 2021 | Version: 1.0
Summary:

The RE protect filter is applied to the loopback interface to restrict unwanted traffic to the Routing Engine (RE). When a BFD term with a policer is added to this filter to rate-limit BFD traffic to the RE, and all BFD sessions are distributed to the PFE, the term's packet counter still increases at roughly the cumulative BFD receive rate (pps) of the device. This is expected behavior.

Symptoms:
mx480-re0> show firewall filter REPROTECT | match "BFD|Name"
Name                                                Bytes Packets
BFD_PERMITTED                                      179868 3459
Cause:

All control packets are captured by the loopback filter.

Solution:

Example:

mx480-re0> show configuration firewall family inet filter REPROTECT term BFD_PERMIT | display set
set firewall family inet filter REPROTECT term BFD from protocol udp
set firewall family inet filter REPROTECT term BFD from ttl 255
set firewall family inet filter REPROTECT term BFD from port 3784
set firewall family inet filter REPROTECT term BFD then policer POLICER
set firewall family inet filter REPROTECT term BFD then count BFD_PERMIT
set firewall family inet filter REPROTECT term BFD then accept
set firewall family inet filter REPROTECT term OTHERS then accept

mx480-re0> show bfd session | match "sessions|Cumulative"
490 sessions, 490 clients
Cumulative transmit rate 1592.3 pps, cumulative receive rate 1592.4 pps

mx480-re0> show firewall filter REPROTECT | match "BFD|Name"
Name                                                Bytes Packets
BFD_PERMITTED                                      179868 3459

mx480-re0> show firewall filter REPROTECT | match "BFD|Name"
Name                                                Bytes Packets
BFD_PERMITTED                                      262652 5051


This is because the firewall filter applied to the loopback interface is copied to every PFE, so all control packets, including those of BFD sessions distributed to the PFE, are matched and counted by this loopback filter.

In this example the FPC is installed in slot 5, and the presence of the filter on the PFE can be verified from the FPC shell:

NPC5(mx480-re0 vty)# show filter index 2
Term Filters:
------------
   Index    Semantic  Properties   Name
--------  ---------- --------  ------
       2  Classic    -         REPROTECT

In this case it is therefore expected that all BFD packets are captured by the term, regardless of whether the BFD sessions are centralized or distributed.

Note: Size the policer for the BFD term according to the actual number of BFD sessions and their combined receive rate, so that legitimate BFD traffic is not dropped by the policer.
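As an added example (not part of the Juniper article), the following Python parses the two counter captures and the BFD session summary shown above, checks that the counter delta tracks the cumulative receive rate, and derives a minimum policer bandwidth-limit from the observed byte rate. It assumes the two captures were taken one second apart (the 1592-packet difference suggests this, but the article does not state the interval) and uses an arbitrary 1.5x headroom factor.

```python
import re

# Constructed sample output, copied from the two captures in this article.
FILTER_BEFORE = """Name                                                Bytes Packets
BFD_PERMITTED                                      179868 3459
"""
FILTER_AFTER = """Name                                                Bytes Packets
BFD_PERMITTED                                      262652 5051
"""
BFD_SUMMARY = """490 sessions, 490 clients
Cumulative transmit rate 1592.3 pps, cumulative receive rate 1592.4 pps
"""

# A counter line is: <name> <bytes> <packets>; the header line has no digits.
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$", re.M)
RX_RATE_RE = re.compile(r"cumulative receive rate\s+([\d.]+)\s+pps")


def parse_counters(text):
    """Map counter name -> (bytes, packets) from 'show firewall filter' output."""
    return {name: (int(b), int(p)) for name, b, p in COUNTER_RE.findall(text)}


def receive_pps(text):
    """Cumulative BFD receive rate (pps) from 'show bfd session' output."""
    m = RX_RATE_RE.search(text)
    if not m:
        raise ValueError("cumulative receive rate not found")
    return float(m.group(1))


def counter_rate(before, after, counter, interval_s):
    """Observed (packets/s, bytes/s) of one counter between two captures."""
    b0, p0 = parse_counters(before)[counter]
    b1, p1 = parse_counters(after)[counter]
    return (p1 - p0) / interval_s, (b1 - b0) / interval_s


def tracks_bfd(before, after, summary, counter, interval_s, tolerance=0.05):
    """True when the counter grows at about the cumulative BFD receive rate,
    i.e. the lo0 filter is counting the distributed sessions as expected."""
    pps, _ = counter_rate(before, after, counter, interval_s)
    expected = receive_pps(summary)
    return abs(pps - expected) <= tolerance * expected


def policer_floor_bps(before, after, summary, counter, interval_s, headroom=1.5):
    """Smallest bandwidth-limit (bps) for the BFD policer so that legitimate
    BFD traffic at the observed byte rate is not dropped (headroom is arbitrary)."""
    _, bytes_per_s = counter_rate(before, after, counter, interval_s)
    return int(bytes_per_s * 8 * headroom)
```

Feed it fresh captures of `show firewall filter REPROTECT` and `show bfd session` at a known interval to verify your own policer is sized above the legitimate BFD rate.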
