[j-nsp] Help - Filter on Juniper M7i router

Michael Loftis mloftis at wgops.com
Sat Jul 1 00:51:43 EDT 2006


No.  The M7i does filtering in hardware.  However, if you want to 'protect' 
the RE, the right way to do it is via lo0, exactly as in the documentation.

--On June 18, 2006 11:51:41 PM -0700 ganesh nagpure 
<gnagpure_mtnl at yahoo.com> wrote:

> Hi,
>
> I have configured the following filter on Juniper M7i
> router. Will it create any impact on traffic flowing /
> slow performance via Gi_VRF?
>
>
>
> interfaces {
>     fe-0/0/0 {
>         description "Gi - port ";
>         vlan-tagging;
>         link-mode full-duplex;
>         unit 0 {
>             description "Gi to GiR1 CGSN";
>             vlan-id 20;
>             family inet {
>                 address 10.110.0.4/29;
>             }
>         }
>         unit 1 {
>             vlan-id 25;
>             family inet {
>                 address 10.112.2.17/29;
>             }
>         }
>     }
> }
>
> routing-instances {
>     Gi_VRF {
>         instance-type virtual-router;
>         interface fe-0/0/0.0;
>         interface fe-0/0/0.1;
>         routing-options {
>             autonomous-system 65010;
>         }
>         forwarding-options {
>             family inet {
>                 filter {
>                     input protect_RE_from_apn;
>                 }
>             }
>         }
>         protocols {
>             bgp {
>                 description "Peers with CGSN GiR1 and GiR2";
>                 log-updown;
>                 export advertise-default-route;
>                 peer-as 65001;
>                 group CGSN_GiR1/2 {
>                     type external;
>                     neighbor 10.110.0.1;
>                 }
>                 group CGSN_GiFirewall1/2 {
>                     type external;
>                     description "Peers with GiFw1 and GiFw2";
>                     log-updown;
>                     peer-as 65005;
>                     neighbor 10.112.2.19;
>                 }
>             }
>         }
>     }
> }
>
>
> policy-options {
>     prefix-list apn-ip-ranges {
>         10.100.0.0/16;
>         10.101.0.0/16;
>         10.102.0.0/16;
>         10.103.0.0/16;
>     }
>     prefix-list interface-ip {
>         10.112.2.4/32;
>         10.112.2.17/32;
>         10.112.2.43/32;
>     }
>     prefix-list except-src-list {
>         10.111.0.16/28;
>         10.112.0.0/24;
>     }
>     prefix-list fxp-ip {
>         10.112.0.9/32;
>         10.112.2.2/32;
>     }
> }
>
> firewall {
>     filter protect_RE_from_apn {
>         term deny-all-from-apn {
>             from {
>                 source-prefix-list {
>                     apn-ip-ranges;
>                 }
>                 destination-prefix-list {
>                     interface-ip;
>                 }
>             }
>             then {
>                 count count-deny-apn;
>                 reject;
>             }
>         }
>         term allow-all-else {
>             then accept;
>         }
>     }
> }
>
> If yes please suggest best possible option.
>
> Thanks & Regards
> Ganesh
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around
> http://mail.yahoo.com
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>



--
"Genius might be described as a supreme capacity for getting its possessors
into trouble of all kinds."
-- Samuel Butler
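
Added example, not part of the original thread: the lo0 approach the reply recommends, sketched with the filter and prefix-list names from the quoted configuration. The loopback unit number (lo0 unit 1) and its placement in Gi_VRF are assumptions; the destination-prefix-list match is dropped because a filter on lo0 is evaluated only for packets addressed to the Routing Engine, not for transit traffic.

```junos
firewall {
    filter protect_RE_from_apn {
        /* Reject anything sourced from the APN pools that reaches the RE. */
        term deny-all-from-apn {
            from {
                source-prefix-list {
                    apn-ip-ranges;
                }
            }
            then {
                count count-deny-apn;
                reject;
            }
        }
        /* Everything else bound for the RE (BGP peers, management) is accepted. */
        term allow-all-else {
            then accept;
        }
    }
}
interfaces {
    lo0 {
        /* Assumption: unit 1 is unused and dedicated to the Gi_VRF instance. */
        unit 1 {
            family inet {
                filter {
                    input protect_RE_from_apn;
                }
            }
        }
    }
}
routing-instances {
    Gi_VRF {
        /* Assumption: the loopback unit is placed in the instance so the
           filter applies to RE-bound traffic arriving via Gi_VRF. */
        interface lo0.1;
    }
}
```

After commit, `show firewall filter protect_RE_from_apn` displays the count-deny-apn counter, which confirms whether APN-sourced packets are reaching the filter.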

