[j-nsp] Re: Re: Interfaces, deactivate vs disable
Lars Erik Gullerud
lerik at nolink.net
Wed Jun 8 19:10:40 EDT 2005
On Wed, 8 Jun 2005, Daniel Roesen wrote:
> On Wed, Jun 08, 2005 at 01:15:18PM -0400, Eric Van Tol wrote:
>> This begs the question, if using a standardized config, such as a
>> firewall filter, what should be done when the packets hit that term
>> which references the empty prefix-list? should they be accepted or
>> denied?
>
> That depends on the context in which the prefix-list is used. And
> I disagree with IOS' semantics here.
>
> A prefix-list specifies prefixes which do match when the prefix-list
> is being referenced. The natural no-surprises outcome of an empty
> prefix-list is (should be) that no prefix matches. If I give you an
> empty shopping list you don't come back with all the goods the shop
> had to offer, do you? :-)
I couldn't agree more - I actually prefer the OLD JunOS behaviour that
would not let you commit a configuration with an empty prefix-list over
the current behaviour that allows empty lists, having been bitten by the same
problem as the previous poster.
Firewall term referencing a prefix-list, with a discard-action. Remove the
last IP in the prefix-list and it suddenly matches ANY, not NONE - whoops,
there goes all your traffic into the big bitbucket in the sky. I'd rather
take the "checkout failed" message any day. :-/
/leg
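Added example, not part of the original message and not one of Juniper's own scripts: a Junos commit script, written in SLAX, that restores the "commit fails" behaviour the author prefers by rejecting any configuration in which a prefix-list under policy-options has no entries. It is meant to guard a term like "term drop-bogons { from { prefix-list bogons; } then discard; }", where removing the last entry from the list turns the discard into a match-everything. The script file name, the error wording and the decision to treat apply-path lists as non-empty are assumptions; the element names policy-options, prefix-list, prefix-list-item and apply-path are the ones Junos uses in the XML form of that hierarchy, and the junos.xsl import is the standard commit-script preamble.

```slax
version 1.0;

/* Standard namespaces and import used by every Junos commit script. */
ns junos = "http://xml.juniper.net/junos/*/junos";
ns xnm = "http://xml.juniper.net/xnm/1.1/xnm";
ns jcs = "http://xml.juniper.net/junos/commit-scripts/1.0";

import "../import/junos.xsl";

/*
 * The commit script receives the candidate configuration (after group
 * inheritance) as the context node. Walk every prefix-list and refuse
 * the commit if one has neither explicit entries (prefix-list-item)
 * nor an apply-path statement. An apply-path list is treated as
 * populated here (assumption): its contents are derived at commit time
 * rather than listed in the configuration itself.
 */
match configuration {
    for-each (policy-options/prefix-list[not(prefix-list-item) and not(apply-path)]) {
        <xnm:error> {
            <edit-path> "[edit policy-options prefix-list " _ name _ "]";
            <message> "prefix-list " _ name _ " is empty; a firewall term "
                    _ "referencing it would match ALL traffic, not none. "
                    _ "Remove the reference or add at least one prefix.";
        }
    }
}
```

Copy the file to /var/db/scripts/commit/ on the router and enable it with "set system scripts commit file check-empty-prefix-lists.slax" (the file name is the assumed one above). Because it emits xnm:error rather than xnm:warning, the commit is refused outright, which is the "checkout failed" outcome the message above asks for; change it to xnm:warning if you only want to be told.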