[j-nsp] Filtering people pointing default

Dmitri Kalintsev dek at hades.uz
Mon Aug 4 11:09:25 EDT 2003


Richard,

Unless I'm severely mistaken, you can do what you want by using SCU/DCU
destination-class and/or source-class in your firewall filters coupled with
policers.

Did you have a look at that? You'll have to have JunOS 5.6 or later to do
this.

I would be very interested to hear if this is indeed what you need and if it
isn't then why.

A good place to start is the JunOS feature guide for SCU.

A (not very related) example of using DCU for a similar kind of thing:

[edit]
firewall {
    family inet {
        filter filter1 {
            policer police-class1 {
                if-exceeding {
                    bandwidth-limit 25;
                    burst-size-limit 1000;
                }
                then {
                    discard;
                }
            }
            term term1 {
                from {
                    destination-class class1;
                }
                then {
                    policer police-class1;
                }
            }
        }
    }
}

This example comes from here:

http://www.juniper.net/techpubs/software/junos/junos60/swconfig60-policy/html/firewall-config17.html

On Fri, Aug 01, 2003 at 08:49:10PM -0400, Richard A Steenbergen wrote:
> Has anyone actually implemented an "anti peers pointing default at you" 
> filter, specifically to discard any packet sent to a route which doesn't 
> belong to a customer?
> 
> A routing-instance populated by only customer/internal/interface routes
> should mostly work (except in the case where a non-customer is announcing
> a more specific route of a block announced by a customer, but how often 
> does that happen? :P), but it doesn't seem to have quite the results I 
> would expect (namely no bgp, no forwarding packets, etc).
> 
> How difficult would it be for Juniper to implement a dynamic prefix-list,
> which could be populated by matching from a policy-statement? The dynamic
> prefix-list could then be used in a firewall filter to do a wide variety
> of useful things. For example, you could create a dynamic prefix-list
> which contains all your customer routes matched via a BGP community, and
> then apply QoS/CoS/filtering/etc in a firewall statement. Would the 
> router need to recompile the firewall filters and transfer a large set of 
> prefixes with every routing change, or would the prefix-list be 
> maintained in a separate piece of memory with only a reference pointing 
> to it from the firewall? Would the box be able to keep up with such a 
> large number of prefixes and frequent changes? The usefulness of such a 
> feature knows no bounds in my eyes...
---end quoted text---

SY,
-- 
D.K.
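An added example, not from either poster, sketching the approach Dmitri suggests as applied to Richard's question: customer routes (assumed to carry community 65000:100) are tagged with a destination class when installed in the forwarding table, and a filter on the peer-facing interface discards packets whose destination does not resolve to that class. The interface address 192.0.2.1/32, the community value, and all class/filter/counter names are assumptions; the filter is applied as an input filter on the peer-facing unit, which also needs destination-class-usage enabled under its family inet accounting.

```junos
/* Map the customer community to a DCU class at forwarding-table install time */
policy-options {
    community customers members 65000:100;
    policy-statement set-customer-dcu {
        term customers {
            from community customers;
            then destination-class customer;
        }
    }
}
routing-options {
    forwarding-table {
        export set-customer-dcu;
    }
}
/* Apply as "filter input drop-non-customer" on the peer-facing unit, with
   "accounting destination-class-usage" enabled under its family inet */
firewall {
    family inet {
        filter drop-non-customer {
            /* local/direct routes carry no class: accept traffic to the router
               itself first, or the BGP session with the peer is dropped too */
            term to-this-router {
                from {
                    destination-address 192.0.2.1/32;
                }
                then accept;
            }
            term customer-bound {
                from {
                    destination-class customer;
                }
                then accept;
            }
            /* everything else is transit this peer was never announced */
            term pointing-default {
                then {
                    count non-customer-default;
                    discard;
                }
            }
        }
    }
}
```

The counter on the last term gives a running measure of how much traffic the peer is sending to destinations it was never offered, which is the signal that someone has pointed default at you.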

