
Mailing List Archive: nsp: juniper

Input firewall on lo0 of EX --> ARP issue



dennis at tilaa

Jun 14, 2012, 12:02 AM

Post #1 of 4 (622 views)
Input firewall on lo0 of EX --> ARP issue

Hello list,

We've been having a weird issue on our ex4200-24t's (all running 10.4R8.5). We use them for both L2 and L3. Gateways are configured on the vlan interface of the ex. So what happens is this:

- A new host enters the network
- I connect to the host (with ssh, but the protocol doesn't matter as long as it's tcp) from another subnet/vlan, and nothing happens (no arp requests on the target host, nothing in the arp cache on the ex)
- I send 1 icmp packet to the host, I get a reply
- We now see arp requests, the ex shows an arp entry
- Next connection succeeds

This issue exists both ways: it also happens if the first connection is attempted from this host to the outside world.

This only happens with new hosts. Once they are learned by the EX everything keeps on working. It's easy to reproduce by manually clearing the arp entries and starting over. (The same happens with IPv6 ND.)

So after days of tcpdumping and excluding possible causes we finally learned that it was caused by our input filters on the loopback interface. We disabled the firewall on lo0 and everything started working.

The way I understand it, firewall rules on lo0 should only be protecting the RE and not interfere with forwarded traffic. So I guess the RE is somehow involved in the ARP learning process.

I've been reading a lot of JunOS docs over the last couple of days, but I'm unable to figure out why this is happening.

Does anybody recognize this behavior? Could someone enlighten me about why this is happening (and perhaps recommend a way to protect our RE without breaking ARP on our network)?

Any feedback would be much appreciated.

Regards,

--
Dennis Krul
Tilaa

e: dennis [at] tilaa
w: http://www.tilaa.nl


_______________________________________________
juniper-nsp mailing list juniper-nsp [at] puck
https://puck.nether.net/mailman/listinfo/juniper-nsp


Ralph.Smit at nxs

Jun 14, 2012, 1:07 AM

Post #2 of 4 (591 views)
Re: Input firewall on lo0 of EX --> ARP issue [In reply to]

Hi Dennis,

We've run into the same issue. I've been told that the architecture of the EX switches requires a packet for an 'unknown' destination to be sent to the Routing Engine for further processing (creating an arp request?); however, this packet is filtered by the firewall placed in front of it. So your firewall filter for the routing engine should be written so that it also accepts the packets for hosts attached to the switch.

Regards,

Ralph Smit


On 14 jun. 2012, at 09:42, "Dennis Krul | Tilaa" <dennis [at] tilaa> wrote:

> Hello list,
>
> We've been having a weird issue on our ex4200-24t's (all running 10.4R8.5). We use them for both L2 and L3. Gateways are configured on the vlan interface of the ex. So what happens is this:
>
> - A new host enters the network
> - I connect to the host (with ssh, but the protocol doesn't matter as long as it's tcp) from another subnet/vlan, and nothing happens (no arp requests on the target host, nothing in the arp cache on the ex)
> - I send 1 icmp packet to the host, I get a reply
> - We now see arp requests, the ex shows an arp entry
> - Next connection succeeds
>
> This issue exists both ways: it also happens if the first connection is attempted from this host to the outside world.
>
> This only happens with new hosts. Once they are learned by the EX everything keeps on working. It's easy to reproduce by manually clearing the arp entries and starting over. (The same happens with IPv6 ND.)
>
> So after days of tcpdumping and excluding possible causes we finally learned that it was caused by our input filters on the loopback interface. We disabled the firewall on lo0 and everything started working.
>
> The way I understand it, firewall rules on lo0 should only be protecting the RE and not interfere with forwarded traffic. So I guess the RE is somehow involved in the ARP learning process.
>
> I've been reading a lot of JunOS docs over the last couple of days, but I'm unable to figure out why this is happening.
>
> Does anybody recognize this behavior? Could someone enlighten me about why this is happening (and perhaps recommend a way to protect our RE without breaking ARP on our network)?
>
> Any feedback would be much appreciated.
>
> Regards,
>
> --
> Dennis Krul
> Tilaa
>
> e: dennis [at] tilaa
> w: http://www.tilaa.nl
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp [at] puck
> https://puck.nether.net/mailman/listinfo/juniper-nsp



dennis at tilaa

Jun 14, 2012, 2:28 AM

Post #3 of 4 (589 views)
Re: Input firewall on lo0 of EX --> ARP issue [In reply to]

On 14 jun. 2012, at 10:07, Ralph Smit wrote:

> Hi Dennis,
>
> We've run into the same issue. I've been told that the architecture of the EX switches requires a packet for an 'unknown' destination to be sent to the Routing Engine for further processing (creating an arp request?); however, this packet is filtered by the firewall placed in front of it. So your firewall filter for the routing engine should be written so that it also accepts the packets for hosts attached to the switch.
>
> Regards,
>
> Ralph Smit


Hello Ralph,

Thanks for responding :)

Can you think of a way to match traffic for unknown destinations without explicitly specifying all the RE IPs in the input filter?

Regards,

--
Dennis Krul
Tilaa

e: dennis [at] tilaa
w: http://www.tilaa.nl




dennis at tilaa

Jun 14, 2012, 3:27 AM

Post #4 of 4 (607 views)
Re: Input firewall on lo0 of EX --> ARP issue [In reply to]

On 14 jun. 2012, at 12:11, Georgios Vlachos wrote:

> Hello Dennis,
>
> Could you post the FF on lo0 for us?
>
> Thanks,
> George


Hello George,

As Ralph said, it's a known issue on EX switches. Oh and we just found PR486443, which confirms it:

EX is not generating local ARPs for transit traffic when loopback firewall filters are used
On EX switches, when a firewall filter is applied on the loopback (lo0) interface, the switch stops generating local ARP requests for transit traffic. As a workaround, do the following:
- Create firewall filters to block known unwanted traffic to the Routing Engine, and then accept all other traffic.
- Create firewall filters for specific hosts and all local subnets, and then discard all other traffic.
Severity Major
Status Closed
Last Modified 2012-02-15 22:33:31 PST

So yeah, I guess we'll have to implement that workaround. It's not pretty, but unfortunately there doesn't seem to be another way.

Regards,

--
Dennis Krul
Tilaa

e: dennis [at] tilaa
w: http://www.tilaa.nl


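The filter structure that Ralph's explanation (post #2) and the PR486443 workaround (post #4) call for, written out as an added example in JunOS configuration syntax. This is not configuration posted in the thread or published by Juniper; the filter and prefix-list names, the 192.0.2.0/24 and 198.51.100.0/24 addresses (RFC 5737 documentation ranges) and the management hosts are constructed. It combines both workarounds from the PR: the first terms discard known-unwanted management traffic aimed at the RE's own addresses, the next term accepts everything destined to a locally attached subnet so the punted first packet for an unresolved neighbour gets through and ARP is generated, and the last term discards the rest. The apply-path prefix list is my assumption about how to answer Dennis's question in post #3: it collects every family inet address configured on any unit, and a prefix-list match is assumed to treat an entry such as 192.0.2.1/24 as the prefix 192.0.2.0/24, which covers the attached subnets without listing each one by hand.

```junos
/* Added example, not from the thread or from Juniper. Addresses are
   constructed (RFC 5737 documentation ranges). */
policy-options {
    /* Assumption: apply-path expands to every configured inet address,
       e.g. 192.0.2.1/24, and the prefix-list match treats it as the
       prefix 192.0.2.0/24, so all attached subnets are covered. Verify
       the expansion with: show configuration policy-options | display inheritance */
    prefix-list local-inet-prefixes {
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    /* Constructed: the RE's own addresses (the vlan gateway addresses). */
    prefix-list re-addresses {
        192.0.2.1/32;
        198.51.100.1/32;
    }
    /* Constructed: stations allowed to manage the switch. */
    prefix-list mgmt-hosts {
        198.51.100.10/32;
        198.51.100.11/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            /* Workaround 1 from the PR: discard known-unwanted traffic to
               the RE. Restricting the match to re-addresses matters: a
               discard on port 22 without it would also eat the punted first
               SSH packet to a not-yet-resolved host, reproducing the bug. */
            term discard-mgmt-from-untrusted {
                from {
                    source-prefix-list {
                        mgmt-hosts except;
                    }
                    destination-prefix-list {
                        re-addresses;
                    }
                    protocol tcp;
                    destination-port [ ssh telnet 830 ];
                }
                then {
                    count re-mgmt-discards;
                    log;
                    discard;
                }
            }
            /* Workaround 2 from the PR: accept traffic for all local
               subnets so the RE can generate ARP for transit traffic.
               Caveat: this also admits anything to the RE addresses that
               was not discarded above, so every unwanted RE service must
               be handled in an earlier term. */
            term accept-local-subnets {
                from {
                    destination-prefix-list {
                        local-inet-prefixes;
                    }
                }
                then accept;
            }
            /* Everything else (routing protocols, management from elsewhere,
               traffic to addresses that are not local) is dropped and counted. */
            term discard-rest {
                then {
                    count protect-re-discards;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Term order is the whole point: the accept for attached subnets has to come after the targeted discards and before the final discard, because the lo0 filter is evaluated on the punted packet before the RE ever decides to send an ARP request. Watch the two counters after clearing the ARP table and opening a fresh TCP connection to a new host; a rising protect-re-discards counter while the first packet fails is the symptom Dennis describes. Since the thread notes the same behaviour for IPv6 ND, a family inet6 filter on lo0 needs the same accept-local-subnets treatment.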
