[j-nsp] Re: Re: Interfaces, deactivate vs disable

Lars Erik Gullerud lerik at nolink.net
Wed Jun 8 19:10:40 EDT 2005


On Wed, 8 Jun 2005, Daniel Roesen wrote:

> On Wed, Jun 08, 2005 at 01:15:18PM -0400, Eric Van Tol wrote:
>> This begs the question, if using a standardized config, such as a
>> firewall filter, what should be done when the packets hit that term
>> which references the empty prefix-list?  should they be accepted or
>> denied?
>
> That depends on the context in which the prefix-list is used. And
> I disagree with IOS' semantics here.
>
> A prefix-list specifies prefixes which do match when the prefix-list
> is being referenced. The natural no-surprises outcome of an empty
> prefix-list is (should be) that no prefix matches. If I give you an
> empty shopping list you don't come back with all the goods the shop
> had to offer, do you? :-)

I couldn't agree more - I actually prefer the OLD JunOS behaviour that 
would not let you commit a configuration with an empty prefix-list over 
the current behaviour that allows empty lists, having been bitten by the same 
problem as the previous poster.

Firewall term referencing a prefix-list, with a discard-action. Remove the 
last IP in the prefix-list and it suddenly matches ANY, not NONE - whoops, 
there goes all your traffic into the big bitbucket in the sky. I'd rather 
take the "checkout failed" message any day. :-/

/leg
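The failure mode described in this post (a discard term whose prefix-list has just lost its last entry now matches every packet instead of none) is easy to catch before commit with a small pre-commit lint. The script below is an added illustration, not code from the thread or from Juniper: it parses a Junos-style curly-brace configuration (the default `show configuration` layout; the `display set` form is not handled), collects every `prefix-list` under `policy-options`, and reports each firewall term whose `from` clause references a prefix-list that is empty or not defined at all. The configuration in `SAMPLE_CONFIG` is constructed for the example; the filter, term and prefix-list names in it are hypothetical.

```python
"""Pre-commit lint: flag Junos firewall terms that reference empty prefix-lists."""
from typing import Dict, List, Optional, Tuple

# Constructed sample configuration (hypothetical names). 'bogons' is an empty
# prefix-list, which Junos displays as a bare leaf statement; 'not-defined'
# is referenced by a term but never declared under policy-options.
SAMPLE_CONFIG = """\
policy-options {
    prefix-list bad-sources {
        192.0.2.0/24;
        198.51.100.0/24;
    }
    prefix-list bogons;
}
firewall {
    family inet {
        filter EDGE-IN {
            term drop-bad {
                from {
                    source-prefix-list {
                        bad-sources;
                    }
                }
                then discard;
            }
            term drop-bogons {
                from {
                    source-prefix-list {
                        bogons;
                    }
                }
                then discard;
            }
            term drop-unknown {
                from {
                    destination-prefix-list not-defined;
                }
                then discard;
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
"""

Node = Dict[str, Optional[dict]]
REF_KEYS = ("prefix-list", "source-prefix-list", "destination-prefix-list")


def parse_junos(text: str) -> Node:
    """Parse curly-brace Junos config into nested dicts; leaf statements map to None."""
    root: Node = {}
    stack: List[Node] = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):                      # open a container block
            node = stack[-1].setdefault(line[:-1].strip(), {})
            stack.append(node)                      # type: ignore[arg-type]
        elif line == "}":                           # close the current block
            stack.pop()
        elif line.endswith(";"):                    # leaf statement
            stack[-1][line[:-1].strip()] = None
    return root


def prefix_lists(cfg: Node) -> Dict[str, List[str]]:
    """Map every prefix-list name to its entries. An empty list may appear either
    as 'prefix-list NAME;' or as 'prefix-list NAME { }'; both yield []."""
    lists: Dict[str, List[str]] = {}
    for key, val in (cfg.get("policy-options") or {}).items():
        if key.startswith("prefix-list "):
            lists[key.split(None, 1)[1]] = sorted(val) if isinstance(val, dict) else []
    return lists


def find_term_references(cfg: Node) -> List[Tuple[str, str, str]]:
    """Return (filter_path, term_name, list_name) for each prefix-list match in a term."""
    refs: List[Tuple[str, str, str]] = []

    def walk(node: Node, path: List[str]) -> None:
        for key, val in node.items():
            if key.startswith("term ") and isinstance(val, dict):
                for match_key, match_val in (val.get("from") or {}).items():
                    head = match_key.split(None, 1)
                    if head[0] not in REF_KEYS:
                        continue
                    # braces form { name; name except; } or one-line form 'key name;'
                    names = list(match_val) if isinstance(match_val, dict) else head[1:]
                    for name in names:
                        refs.append(("/".join(path), key.split(None, 1)[1], name))
            elif isinstance(val, dict):
                walk(val, path + [key])

    walk(cfg.get("firewall") or {}, [])
    return refs


def audit_empty_prefix_lists(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (filter_path, term, list_name, reason) for every unsafe reference."""
    cfg = parse_junos(text)
    lists = prefix_lists(cfg)
    findings = []
    for filt, term, name in find_term_references(cfg):
        base = name.split()[0]                      # drop a trailing 'except'
        if base not in lists:
            findings.append((filt, term, base, "undefined"))
        elif not lists[base]:
            findings.append((filt, term, base, "empty"))
    return findings


if __name__ == "__main__":
    for filt, term, name, why in audit_empty_prefix_lists(SAMPLE_CONFIG):
        print(f"{filt} term {term}: prefix-list '{name}' is {why}; "
              f"an empty list makes a discard term match ANY, not NONE")
```

Run against the sample, the audit reports `drop-bogons` (empty list) and `drop-unknown` (list never declared) while `drop-bad` passes. Wired into whatever pushes configuration (a script that stages a candidate config, or a review step on a config repository), a non-empty result is the "checkout failed" the poster misses: the change is rejected before the discard term can swallow all traffic.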
