[j-nsp] group re0 routing-options

Felix Schueren felix.schueren at hosteurope.de
Mon Feb 16 08:40:47 EST 2009


>> Incidentally, I highly recommend placing a spoof-protect filter on your
>> fxp0 interface (something like: from source-address fxp0-network;
>> dest-addr fxp0-network; then accept; rest then reject), because all
>> packets entering fxp0 (e.g., broadcasts) with a non-fxp0-network
>> destination will be sent to the PFE and be forwarded there.
> 
> So probably it is better to set up a virtual router instance and move
> the fxp0 interface into it and use that for management and get the
> rib/fib separated from the global instance?
> 
Might be - I've never used virtual routers. A firewall input filter on
fxp0 is just in the kernel (obviously not in the PFE ASICs), but it
works well. :)

-felix


-- 
Felix Schüren
Head of NOC

------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - D-51149 Köln - Germany
Phone: (0800) 4 67 83 87 - Fax: (01805) 66 32 33
HRB 28495 Local Court (Amtsgericht) Köln - VAT ID DE187370678
Managing Directors:
Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller
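
The fxp0 input filter described in the quoted text above, written out as Junos configuration. This is an added example, not part of the original post: the filter, term and counter names, the 192.0.2.0/24 management prefix and the 192.0.2.10 interface address are assumptions to be replaced with your own values.

```junos
firewall {
    family inet {
        filter fxp0-spoof-protect {
            /* Accept only traffic that both originates from and is
               addressed to the management network (assumed prefix). */
            term mgmt-net-only {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then accept;
            }
            /* Everything else arriving on fxp0 is rejected, so it is
               never handed on for forwarding. The counter makes the
               drops visible. */
            term reject-rest {
                then {
                    count fxp0-rejected;
                    reject;
                }
            }
        }
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                /* Input direction: applied to packets entering fxp0. */
                filter {
                    input fxp0-spoof-protect;
                }
                address 192.0.2.10/24;
            }
        }
    }
}
```

Committing with `commit confirmed` guards against locking yourself out of the management interface, and `show firewall filter fxp0-spoof-protect` shows the counter afterwards.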

