[j-nsp] Firewall filters based on BGP communities.

Mark Tinka mtinka at globaltransit.net
Fri May 9 21:37:47 EDT 2008


On Saturday 10 May 2008, Joe Metzger wrote:

> Does anybody have any suggestions about the best way to
> manage a firewall
> filter that is based on BGP community attributes?

Sounds like what you need is SCU (Source Class Usage) or DCU 
(Destination Class Usage).

We do something like this, but for DCU; we have only tried 
it with firewall policers, though, but you should be able 
to accept and discard packets accordingly.

Our requirement was to restrictively police traffic destined 
to a particular set of routes, while policing at a 
different rate for the rest of the routes. These routes 
were identified using BGP communities.

Cheers,

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: This is a digitally signed message part.
Url : https://puck.nether.net/pipermail/juniper-nsp/attachments/20080510/327d5362/attachment.bin 


More information about the juniper-nsp mailing list