[j-nsp] family inet|inet6 - best practices
Chuck Anderson
cra at WPI.EDU
Mon Mar 10 13:19:38 EDT 2008
On Mon, Mar 10, 2008 at 05:22:58PM +0100, Jeroen Valcke wrote:
> But I was wondering is this the best practise? So leave the configs
> under the [firewall] level or split them off to the [firewall family
> inet|inet6] level like we plan to do?
> Is there a difference if you define the same firewalls on the different
> levels?
I've always used family inet. It seems to me to be the best way.
I've not tried defining some under firewall and others under firewall
family inet.
> On the same note, it appears that the [ protocols bgp ] part of the
> config has the same feature so [ protocols bgp family inet ] and [
> protocols bgp family inet6 ] both exist. We used to define all our
> peerings both IPv4 and IPv6 in the [ protocols bgp ] level, but that
> seems to break some functionality. For instance using an apply-path for
> the IPv6 peerings doesn't seem to work.
Under protocols bgp, family inet/inet6 aren't used for configuring
neighbors. They simply define the address families that are
advertised and negotiated with the peers.
> [edit policy-options prefix-list bgp_peers apply-path]
> 'apply-path "protocols bgp group <*> neighbor <*>"'
> Invalid inet6 addr: '193.191.0.130/32'
> error: configuration check-out failed
>
> So again the question arises, what's the best thing to do? split off the
> IPv4 and IPv6 peering configs completely?
I haven't tried it, but maybe something like this will work by
splitting the prefix-list into two separate ones:
[edit policy-options prefix-list bgp_ipv4_peers ]
apply-path "protocols bgp group <*> neighbor <*.*.*.*>"
[edit policy-options prefix-list bgp_ipv6_peers ]
apply-path "protocols bgp group <*> neighbor <*:*>"
Then you can apply them separately to specific firewall stanzas under
inet or inet6.
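
The split described in the reply above, written out as an added configuration example that is not part of the original message and is untested here, like the suggestion it follows. The filter names protect-re-v4 and protect-re-v6 and the single bgp term are assumptions for illustration.

```junos
policy-options {
    /* Matches only neighbors written in dotted-quad form */
    prefix-list bgp_ipv4_peers {
        apply-path "protocols bgp group <*> neighbor <*.*.*.*>";
    }
    /* Matches only neighbors containing a colon (IPv6) */
    prefix-list bgp_ipv6_peers {
        apply-path "protocols bgp group <*> neighbor <*:*>";
    }
}
firewall {
    family inet {
        /* Hypothetical filter name. A filter ends in an implicit
           discard, so a real one needs terms for all other
           permitted traffic as well. */
        filter protect-re-v4 {
            term bgp {
                from {
                    source-prefix-list {
                        bgp_ipv4_peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
        }
    }
    family inet6 {
        /* Hypothetical filter name; inet6 filters match the
           protocol with next-header rather than protocol. */
        filter protect-re-v6 {
            term bgp {
                from {
                    source-prefix-list {
                        bgp_ipv6_peers;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
        }
    }
}
```

Running `show policy-options prefix-list bgp_ipv4_peers | display inheritance` in configuration mode shows the addresses each apply-path expands to, which confirms that no IPv4 neighbor ends up in the inet6 list before commit.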