[j-nsp] "low route" with BGP examples?
Pedro Roque Marques
roque at juniper.net
Tue Oct 18 18:21:16 EDT 2005
Thomas Mangin wrote:
> Pedro Roque Marques wrote:
>
>
>>>However, I fail to see how flows are useful in that setup, as we are not
>>>using them in filters but to tag routes.
>>
>>flow routes are used for traffic filtering.
>
>
> This can be done with SCU; could someone give me the advantage of using
> flow over something like this?
You can indeed use SCU to do source-based filtering that is propagated
via routing, and DCU for destination-based filtering...
Flow routes, however, allow you to specify any criteria that you can
configure in a (stateless) firewall filter and that is not "hop" specific
(e.g. TTL).
Also, the inet flow address family implies a given validation procedure
(which can be turned off). Essentially, "flow" advertisements are only
accepted if they have been advertised by the unicast next-hop of the
destination prefix. The hope is that this will allow for automated
filtering in an inter-AS scenario.
Additionally, there is also flow support for the "inet-vpn" family, so you
can propagate this flow filtering information on a per-instance basis.
SCU and rpf-check are useful tools for a given set of applications.
IMHO, inetflow has a slightly different application set.
Pedro.
>
> groups {
>     transit-interface {
>         interfaces {
>             <*> {
>                 unit <*> {
>                     family inet {
>                         /* loose uRPF: source must be reachable via some interface */
>                         rpf-check {
>                             mode loose;
>                         }
>                         filter {
>                             input external-incoming-transit;
>                         }
>                     }
>                 }
>             }
>         }
>     }
> }
> routing-options {
>     aggregate {
>         /* locally originated prefix, tagged so it can be mapped to an SCU class */
>         route 10.0.0.0/24 community 1234:1234;
>     }
>     forwarding-table {
>         export tag-to-scu;
>         unicast-reverse-path feasible-paths;
>     }
> }
> firewall {
>     filter external-incoming-transit {
>         ...
>         /* transit traffic claiming one of our own prefixes as source is spoofed */
>         term originate-deny {
>             from {
>                 source-class originate;
>             }
>             then {
>                 count deny-spoof-originate;
>                 discard;
>             }
>         }
>         ...
>         term default-allow {
>             then accept;
>         }
>     }
> }
> policy-options {
>     /* forwarding-table export: map the community onto the SCU class */
>     policy-statement tag-to-scu {
>         term is-originated-here {
>             from community originate;
>             then source-class originate;
>         }
>         ...
>     }
>     /* strip the internal marker community before the aggregate leaves the box */
>     policy-statement originate {
>         term tag {
>             from {
>                 protocol aggregate;
>                 community originate;
>             }
>             then {
>                 community delete originate;
>                 accept;
>             }
>         }
>     }
>     community originate members 1234:1234;
> }
>
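For comparison with the SCU-based configuration quoted above, here is the flow-route counterpart that Pedro describes: match criteria beyond source/destination class, the next-hop validation that can be disabled per peer, and a per-instance flow route carried in the inet-vpn family. This is an added example, not configuration from the original thread or from Juniper's documentation; the statement names are from memory of the Junos flow-spec syntax and should be checked against the release in use, and the group names, policy names, prefixes and AS numbers (10.0.0.0/24, 65001, 192.0.2.1 and so on) are assumed placeholders.

```junos
routing-options {
    flow {
        /* Locally configured flow routes. The match block takes the same
           kind of criteria a stateless firewall filter would, but nothing
           hop-specific such as TTL. */
        route drop-dns-reflection {
            match {
                destination 10.0.0.0/24;
                protocol udp;
                source-port 53;
            }
            then discard;
        }
        route police-ntp {
            match {
                destination 10.0.0.0/24;
                protocol udp;
                source-port 123;
            }
            then rate-limit 1000000;   /* bits per second, assumed value */
        }
    }
}
protocols {
    bgp {
        group upstream {
            type external;
            peer-as 65001;
            neighbor 192.0.2.1;
            family inet {
                unicast;
                flow {
                    /* Default is the validation Pedro describes: a flow route
                       is accepted only if it came from the unicast next-hop of
                       its destination prefix. no-validate skips that check for
                       routes matched by the named policy. */
                    no-validate trusted-flow;
                }
            }
        }
        group pe-ibgp {
            type internal;
            local-address 198.51.100.1;
            neighbor 198.51.100.2;
            family inet-vpn {
                unicast;
                flow;   /* carry per-instance flow routes between PEs */
            }
        }
    }
}
routing-instances {
    customer-a {
        instance-type vrf;
        route-distinguisher 65000:100;
        vrf-target target:65000:100;
        interface ge-0/0/1.100;
        routing-options {
            flow {
                /* Filtering scoped to this VRF only; propagated with inet-vpn flow. */
                route drop-telnet {
                    match {
                        destination 10.1.0.0/16;
                        protocol tcp;
                        destination-port 23;
                    }
                    then discard;
                }
            }
        }
    }
}
policy-options {
    /* Only the trusted upstream neighbor is exempt from flow validation. */
    policy-statement trusted-flow {
        term upstream {
            from neighbor 192.0.2.1;
            then accept;
        }
        term others {
            then reject;
        }
    }
}
```

The point of contrast with the SCU setup: SCU can only express "packets whose source matches a route in class X", so the spoof-drop term above is the extent of what it can do. A flow route can additionally key on protocol, ports and other stateless-filter fields, can rate-limit rather than discard, and is distributed by BGP with the originator check, so a neighbor cannot install a filter for prefixes it does not route unless you deliberately exempt it with no-validate.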