[j-nsp] family inet|inet6 - best practices
cra at WPI.EDU
Mon Mar 10 13:19:38 EDT 2008
On Mon, Mar 10, 2008 at 05:22:58PM +0100, Jeroen Valcke wrote:
> But I was wondering is this the best practice? So leave the configs
> under the [firewall] level or split them off to the [firewall family
> inet|inet6] level like we plan to do?
> Is there a difference if you define the same firewalls on the different
I've always used family inet. It seems to me to be the best way.
I've not tried defining some under firewall and others under firewall
> On the same note, it appears that the [ protocols bgp ] part of the
> config has the same feature so [ protocols bgp family inet ] and [
> protocols bgp family inet6 ] both exist. We used to define all our
> peerings both IPv4 and IPv6 in the [ protocols bgp ] level, but that
> seems to break some functionality. For instance using an apply-path for
> the IPv6 peerings doesn't seem to work.
Under protocols bgp, family inet/inet6 aren't used for configuring
neighbors. They simply define the address families that are
advertised and negotiated with the peers.
> [edit policy-options prefix-list bgp_peers apply-path]
> 'apply-path "protocols bgp group <*> neighbor <*>"'
> Invalid inet6 addr: '18.104.22.168/32'
> error: configuration check-out failed
> So again the question arises, what's the best thing to do? split off the
> IPv4 and IPv6 peering configs completely?
I haven't tried it, but maybe something like this will work by
splitting the prefix-list into two separate ones:
[edit policy-options prefix-list bgp_ipv4_peers ]
apply-path "protocols bgp group <*> neighbor <*.*.*.*>"
[edit policy-options prefix-list bgp_ipv6_peers ]
apply-path "protocols bgp group <*> neighbor <*:*>"
Then you can apply them separately to specific firewall stanzas under
inet or inet6.
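The split suggested in the reply above, written out as an added example that is not part of the original post and not a tested configuration from either poster. It assumes the two apply-path wildcards expand as the reply expects; the filter and term names (protect-re-v4, protect-re-v6, bgp-peers) are hypothetical.

```junos
/* Added example. Filter and term names are hypothetical. */
policy-options {
    /* Expands only to neighbors written in dotted-quad form. */
    prefix-list bgp_ipv4_peers {
        apply-path "protocols bgp group <*> neighbor <*.*.*.*>";
    }
    /* Expands only to neighbors whose address contains a colon. */
    prefix-list bgp_ipv6_peers {
        apply-path "protocols bgp group <*> neighbor <*:*>";
    }
}
firewall {
    family inet {
        filter protect-re-v4 {
            term bgp-peers {
                from {
                    source-prefix-list {
                        bgp_ipv4_peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Everything else hits the implicit discard at the end of the
               filter, so add the remaining terms before applying it. */
        }
    }
    family inet6 {
        filter protect-re-v6 {
            term bgp-peers {
                from {
                    source-prefix-list {
                        bgp_ipv6_peers;
                    }
                    /* inet6 filters match the protocol with next-header. */
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
        }
    }
}
```

Before committing, "show policy-options prefix-list bgp_ipv4_peers | display inheritance" in configuration mode shows which neighbor addresses each apply-path actually expanded to, which catches an IPv6 neighbor landing in the inet list or an empty list.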