[j-nsp] family inet|inet6 - best practices

Jeroen Valcke jeroen.valcke at belnet.be
Mon Mar 10 12:22:58 EDT 2008


Hello,

We used to define our firewalls straight under the [firewall] level.
However our IPv6 firewalls have always been defined in the [firewall
family inet6 ] branch. Now that we're cleaning up the config we will
define the IPv4 firewalls under the [firewall family inet ] level,
because this will be more consistent.

But I was wondering, is this the best practice? So leave the configs
under the [firewall] level or split them off to the [firewall family
inet|inet6] level like we plan to do?

Is there a difference if you define the same firewalls on the different
levels?

On the same note, it appears that the [ protocols bgp ] part of the
config has the same feature so [ protocols bgp family inet ] and [
protocols bgp family inet6 ] both exist. We used to define all our
peerings both IPv4 and IPv6 in the [ protocols bgp ] level, but that
seems to break some functionality. For instance using an apply-path for
the IPv6 peerings doesn't seem to work.

	[edit policy-options prefix-list bgp_peers apply-path]
	  'apply-path "protocols bgp group <*> neighbor <*>"'
	    Invalid inet6 addr: '193.191.0.130/32'
	error: configuration check-out failed

So again the question arises, what's the best thing to do? Split off the
IPv4 and IPv6 peering configs completely?

I'd like to avoid unnecessary typing at the command line as much as
possible.


Best regards,
-Jeroen-

-- 
Jeroen Valcke
support at belnet.be
jeroen.valcke at belnet.be

