[j-nsp] RE: bgp config changes (was: autonomous-system N loops L)
Richard A Steenbergen
ras at e-gerbil.net
Fri Dec 12 21:51:04 EST 2003
On Sat, Dec 13, 2003 at 03:28:04AM +0100, Daniel Roesen wrote:
> On Fri, Dec 12, 2003 at 04:18:22PM -0500, Richard A Steenbergen wrote:
> > You cannot use a Juniper "prefix-list" for this either, since jnpr's
> > prefix lists are actually... lists of prefixes... and don't let you do any
> > "orlonger" type processing. I always found this an incredibly annoying
> > damper in the otherwise handy ability to use a prefix-list in a
> > firewall term, since you still have to duplicate the entire list in both a
> > policy route-filter list and a prefix-list...
> $ fgrep prefix-list vendor/juniper/JunOS-featurerequests
> - "from prefix-list bla exact" && ""from prefix-list bla orlonger" etc.
You wouldn't want the ability to mix "exact" and "orlonger" or even a
specific range in the same prefix-list?
I do agree that putting it outside the prefix-list has some advantages
though. For example, one application which pops to mind that I've had
users hounding me about is the null route community, and the ability to
announce it on any IP in their set of registered routes all the way up to
a /32 without compromising the security of my network or others by
allowing /32s to be announced as "non-null route".
Thus you might have regular import for BGP routes which is done:
from prefix-list blah upto /24;
And then for null route community imports (which you would probably want
to set no-export, or say change next-hop to something aimed at a dsc
interface with a filter that automatically forwards of a policied amount
of packets over a pre-configured LSP to an analysis box for DoS tracking,
or any number of other things):
from prefix-list blah upto /32;
Personally I'd like to have the modifiers available both inside and
outside the prefix-list, with a value outside the list overriding.
> - ability to use prefix-lists for snmp access control
On a completely unrelated subject, if you don't already have it (though
somehow I suspect you do :P), make sure to add automatically tuning prefix
limits which track the normal number of prefixes + some configurable
amount or percentage of burst, and block anything past that as "abnormal"
without the need to constantly scan peer prefix-limits adjusting for
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
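The two-term import policy Richard describes (ordinary announcements accepted from a customer's registered space only up to /24, null-route tagged announcements accepted down to /32 and kept from propagating), modelled in Python as an added example. This is not code from the original post and not JunOS syntax; it implements the "exact", "orlonger" and "upto /N" semantics the thread discusses so the two terms can be compared. The prefix-list contents, the null-route community value and the action names are constructed placeholders.

```python
import ipaddress

# Constructed stand-in for a customer's prefix-list of registered routes
# (hypothetical values, not from the original post).
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/22"),
]

# Placeholder community that marks a customer-requested null route (assumption).
NULL_ROUTE_COMMUNITY = "64496:666"


def entry_matches(route, entry, modifier, upto_len=None):
    """Model a match modifier applied to one prefix-list entry.

    exact    - the route is the entry itself
    orlonger - the route is the entry or any more-specific within it
    upto     - the route lies within the entry and is no longer than upto_len
    """
    if route.version != entry.version or not route.subnet_of(entry):
        return False
    if modifier == "exact":
        return route.prefixlen == entry.prefixlen
    if modifier == "orlonger":
        return True
    if modifier == "upto":
        return route.prefixlen <= upto_len
    raise ValueError(f"unknown modifier {modifier!r}")


def list_matches(route, prefix_list, modifier, upto_len=None):
    """True if any entry of the prefix-list matches under the given modifier."""
    return any(entry_matches(route, e, modifier, upto_len) for e in prefix_list)


def evaluate_import(route_str, communities):
    """Evaluate a received announcement against the two-term policy.

    Term 1 (null-route term): announcements carrying the null-route community
    are accepted anywhere inside registered space down to /32, tagged so they
    are not re-exported (modelled here as an action name rather than a real
    no-export attribute).
    Term 2 (regular import): everything else is accepted only if it falls
    inside registered space and is no longer than /24, so a /32 cannot be
    announced as a normal route.
    """
    route = ipaddress.ip_network(route_str, strict=False)
    if NULL_ROUTE_COMMUNITY in communities:
        if list_matches(route, CUSTOMER_PREFIXES, "upto", 32):
            return "accept-null-route-no-export"
        return "reject"
    if list_matches(route, CUSTOMER_PREFIXES, "upto", 24):
        return "accept"
    return "reject"


if __name__ == "__main__":
    # Constructed sample announcements: (prefix, communities carried).
    samples = [
        ("192.0.2.0/24", []),                      # ordinary route inside registered space
        ("192.0.2.5/32", []),                      # /32 without the community: rejected
        ("192.0.2.5/32", [NULL_ROUTE_COMMUNITY]),  # /32 null route: accepted, no-export
        ("203.0.113.7/32", [NULL_ROUTE_COMMUNITY]),  # outside registered space: rejected
        ("198.51.0.0/16", []),                     # less specific than registered: rejected
    ]
    for prefix, comms in samples:
        print(f"{prefix:18} {comms!s:16} -> {evaluate_import(prefix, comms)}")
```

The order of the terms matters: the null-route term is evaluated first and only on routes carrying the community, so the /32 reach it grants never leaks into the ordinary import term, which is the property the post is after.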