[j-nsp] Re: Re: Interfaces, deactivate vs disable

Douglas Marschke dougm at juniper.net
Sat Jun 11 13:07:26 EDT 2005


I think the behavior is consistent though.  No from statement in a term
matches all.  So an empty prefix list to me, would be like having no
from statement which would match all.


-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Lars Erik
Gullerud
Sent: Wednesday, June 08, 2005 4:11 PM
To: Daniel Roesen
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] Re: Re: Interfaces, deactivate vs disable

On Wed, 8 Jun 2005, Daniel Roesen wrote:

> On Wed, Jun 08, 2005 at 01:15:18PM -0400, Eric Van Tol wrote:
>> This begs the question, if using a standardized config, such as a 
>> firewall filter, what should be done when the packets hit that term 
>> which references the empty prefix-list?  should they be accepted or 
>> denied?
>
> That depends on the context in which the prefix-list is used. And I 
> disagree with IOS' semantics here.
>
> A prefix-list specifies prefixes which do match when the prefix-list 
> is being referenced. The natural no-surprises outcome of an empty 
> prefix-list is (should be) that no prefix matches. If I give you an 
> empty shopping list you don't come back with all the goods the shop 
> had to offer, do you? :-)

I couldn't agree more - I actually prefer the OLD JunOS behaviour that
would not let you commit a configuration with an empty prefix-list over
the current behaviour that allows empty lists, having been bit by the
same problem as the previous poster.

Firewall term referencing a prefix-list, with a discard-action. Remove
the last IP in the prefix-list and it suddenly matches ANY, not NONE -
whoops, there goes all your traffic into the big bitbucket in the sky.
I'd rather take the "checkout failed" message any day. :-/

/leg
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
http://puck.nether.net/mailman/listinfo/juniper-nsp
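A pre-commit check for exactly the failure mode Lars describes above (a discard term whose prefix-list has just lost its last entry), added here as an example that is not part of the thread or of Junos itself. It assumes the configuration is available in `display set` format; the parser, the function name and the sample config are constructed for this illustration.

```python
# Assumes Junos 'set' format ('show configuration | display set'); constructed example.
import re

PL_DECL = re.compile(r"^set policy-options prefix-list (\S+)(?: (\S+))?$")
TERM_FROM = re.compile(r"^set firewall family inet filter (\S+) term (\S+) from "
                       r"(?:source-|destination-)?prefix-list (\S+)$")
TERM_THEN = re.compile(r"^set firewall family inet filter (\S+) term (\S+) then (\S+)")

def find_empty_prefix_list_terms(config_text):
    """Return [(filter, term, prefix_list, action)] for each term whose referenced
    prefix-list is declared but holds no prefixes.  Per the thread, such a term acts
    like one with no 'from' clause and matches every packet, so 'discard' drops all."""
    prefixes = {}          # list name -> set of prefixes declared
    refs = {}              # (filter, term) -> set of prefix-lists referenced
    actions = {}           # (filter, term) -> set of 'then' keywords
    for line in config_text.splitlines():
        line = line.strip()
        if m := PL_DECL.match(line):
            name, prefix = m.groups()
            prefixes.setdefault(name, set())
            if prefix:
                prefixes[name].add(prefix)
        elif m := TERM_FROM.match(line):
            filt, term, name = m.groups()
            refs.setdefault((filt, term), set()).add(name)
        elif m := TERM_THEN.match(line):
            filt, term, action = m.groups()
            actions.setdefault((filt, term), set()).add(action)
    findings = []
    for (filt, term), names in sorted(refs.items()):
        # Junos accepts the packet when a term has no explicit action.
        action = "/".join(sorted(actions.get((filt, term), {"accept"})))
        for name in sorted(names):
            if name in prefixes and not prefixes[name]:
                findings.append((filt, term, name, action))
    return findings

# Constructed sample: EMPTY-LIST has just lost its last entry.
SAMPLE_CONFIG = """
set policy-options prefix-list BLOCKED 192.0.2.0/24
set policy-options prefix-list EMPTY-LIST
set firewall family inet filter EDGE-IN term drop-bogus from source-prefix-list BLOCKED
set firewall family inet filter EDGE-IN term drop-bogus then discard
set firewall family inet filter EDGE-IN term drop-old from source-prefix-list EMPTY-LIST
set firewall family inet filter EDGE-IN term drop-old then discard
"""

if __name__ == "__main__":
    for filt, term, name, action in find_empty_prefix_list_terms(SAMPLE_CONFIG):
        print(f"{filt}/{term}: prefix-list {name} is empty, action {action}")
```

Run it against the candidate configuration before `commit`; a non-empty result is the "checkout failed" Lars would rather have seen.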
