[j-nsp] family inet|inet6 - best practices

Chuck Anderson cra at WPI.EDU
Mon Mar 10 13:19:38 EDT 2008


On Mon, Mar 10, 2008 at 05:22:58PM +0100, Jeroen Valcke wrote:
> But I was wondering is this the best practise? So leave the configs
> under the [firewall] level or split them off to the [firewall family
> inet|inet6] level like we plan to do?
> Is there a difference if you define the same firewalls on the different
> levels?

I've always used family inet.  It seems to me to be the best way.  
I've not tried defining some under firewall and others under firewall 
family inet.

> On the same note, it appears that the [ protocols bgp ] part of the
> config has the same feature so [ protocols bgp family inet ] and [
> protocols bgp family inet6 ] both exist. We used to define all our
> peerings both IPv4 and IPv6 in the [ protocols bgp ] level, but that
> seems to break some functionality. For instance using an apply-path for
> the IPv6 peerings doesn't seem to work.

Under protocols bgp, family inet/inet6 aren't used for configuring 
neighbors.  They simply define the address families that are 
advertised and negotiated with the peers.

> 	[edit policy-options prefix-list bgp_peers apply-path]
> 	  'apply-path "protocols bgp group <*> neighbor <*>"'
> 	    Invalid inet6 addr: '193.191.0.130/32'
> 	error: configuration check-out failed
> 
> So again the question arises: what's the best thing to do? Split off the
> IPv4 and IPv6 peering configs completely?

I haven't tried it, but maybe something like this will work by 
splitting the prefix-list into two separate ones:

[edit policy-options prefix-list bgp_ipv4_peers ]
apply-path "protocols bgp group <*> neighbor <*.*.*.*>"

[edit policy-options prefix-list bgp_ipv6_peers ]
apply-path "protocols bgp group <*> neighbor <*:*>"

Then you can apply them separately to specific firewall stanzas under 
inet or inet6.
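A fuller form of that split, as an added example rather than Chuck's own config: the filter names protect-re-v4/v6 and applying them on lo0 are assumptions, and only the BGP term is shown, so the other terms a loopback filter needs (and its final discard term) are left out.

```junos
policy-options {
    prefix-list bgp_ipv4_peers {
        apply-path "protocols bgp group <*> neighbor <*.*.*.*>";
    }
    prefix-list bgp_ipv6_peers {
        apply-path "protocols bgp group <*> neighbor <*:*>";
    }
}
firewall {
    family inet {
        filter protect-re-v4 {
            /* Only configured IPv4 peers may reach BGP on the RE;
               terms for other RE traffic and a final discard are omitted */
            term bgp {
                from {
                    source-prefix-list {
                        bgp_ipv4_peers;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
        }
    }
    family inet6 {
        filter protect-re-v6 {
            /* Same term for IPv6 peers; inet6 filters match on next-header */
            term bgp {
                from {
                    source-prefix-list {
                        bgp_ipv6_peers;
                    }
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input protect-re-v4; } }
            family inet6 { filter { input protect-re-v6; } }
        }
    }
}
```

Because `port bgp` matches either source or destination port 179, sessions opened from either side pass the term; `show configuration policy-options prefix-list bgp_ipv6_peers | display inheritance` shows which neighbor addresses each apply-path actually collected before the filters are committed.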
