[j-nsp] Question about filter input in lo0

Smith W. Stacy stacy at acm.org
Fri Sep 3 20:43:10 EDT 2010


See the following rules about how lo0 filters are applied to routing instances.

http://www.juniper.net/techpubs/software/junos/junos85/swconfig85-vpns/id-10956637.html#id-10956637

"You can also configure a firewall filter for the logical unit on the loopback interface; this configuration allows you to filter traffic for the VRF routing instance associated with it.

The following describes how firewall filters affect the VRF routing instance depending on whether they are configured on the default loopback interface, the VRF routing instance, or some combination of the two. The “default loopback interface” refers to lo0.0 (associated with the default routing table), and the “VRF loopback interface” refers to lo0.n, which is configured in the VRF routing instance.

• If you configure Filter A on the default loopback interface and Filter B on the VRF loopback interface, the VRF routing instance uses Filter B.

• If you configure Filter A on the default loopback interface but do not configure a filter on the VRF loopback interface, the VRF routing instance does not use a filter.

• If you configure Filter A on the default loopback interface but do not even configure a VRF loopback interface, the VRF routing instance uses Filter A."

--Stacy


On Sep 3, 2010, at 5:57 PM, luis barrios wrote:

> Hello,
> When I apply an input filter on the lo0 interface of a Juniper, does this
> protection apply to the routing-instance too?
> For example:
> In the filter named protectRE I have one term to protect the BGP session;
> the term looks like this:
> 
> term bgp {
>    from {
>        source-prefix-list {
>            neighbor.bgp;
>        }
>        protocol tcp;
>        port bgp;
>    }
>    then accept;
> }
> 
> 
> So the list "neighbor.bgp" contains all the IP prefixes from which the
> router will accept a BGP session.
> My question is: if I have a routing-instance (type vrf) and I want to
> configure a BGP session in this VRF to the peer a.b.c.d, do I need to add
> the address of this peer a.b.c.d to the "neighbor.bgp" list?
> 
> The filter protectRE is applied on lo0:
> 
> interfaces {
>    lo0 {
>        unit 0 {
>            family inet {
>                filter {
>                    input protectRE;
>                }
>                address x;
>                address y;
>            }
>        }
>    }
> }
> 
> 
> Thanks for your help.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
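
The three rules quoted from the Juniper documentation above can be turned into a configuration audit. The following is an added example, not code from the thread or from Juniper: it reads a constructed "set"-format configuration, works out which lo0 input filter each VRF actually uses, and flags VRFs that end up with none. The instance names, the filter name protectRE-vrf and the sample addresses are assumptions, and only "family inet" with a single "filter input" statement is handled.

```python
import re

# Constructed sample in Junos "set" format; instance and filter names are made up.
SAMPLE = """\
set interfaces lo0 unit 0 family inet filter input protectRE
set interfaces lo0 unit 1 family inet filter input protectRE-vrf
set interfaces lo0 unit 2 family inet address 192.0.2.2/32
set routing-instances CUST-A instance-type vrf
set routing-instances CUST-A interface lo0.1
set routing-instances CUST-B instance-type vrf
set routing-instances CUST-B interface lo0.2
set routing-instances CUST-C instance-type vrf
set routing-instances CUST-C interface ge-0/0/1.100
"""

FILTER_RE = re.compile(r"set interfaces lo0 unit (\d+) family inet filter input (\S+)")
VRF_RE = re.compile(r"set routing-instances (\S+) instance-type vrf")
LO_RE = re.compile(r"set routing-instances (\S+) interface lo0\.(\d+)")

def effective_lo0_filters(config):
    """Return {vrf: (filter_or_None, reason)} using the three quoted rules (inet only)."""
    unit_filter, vrfs, vrf_unit = {}, [], {}
    for line in map(str.strip, config.splitlines()):
        if m := FILTER_RE.fullmatch(line):
            unit_filter[int(m[1])] = m[2]
        elif m := VRF_RE.fullmatch(line):
            vrfs.append(m[1])
        elif m := LO_RE.fullmatch(line):
            vrf_unit[m[1]] = int(m[2])
    result = {}
    for vrf in vrfs:
        unit = vrf_unit.get(vrf)
        if unit is None:
            # No VRF loopback: the filter on lo0.0 (if any) applies.
            result[vrf] = (unit_filter.get(0), "no lo0.n in instance, lo0.0 filter applies")
        elif unit in unit_filter:
            result[vrf] = (unit_filter[unit], f"filter on lo0.{unit}")
        else:
            # VRF loopback without a filter: lo0.0's filter is NOT inherited.
            result[vrf] = (None, f"lo0.{unit} has no filter")
    return result

def unfiltered_vrfs(config):
    """VRFs whose routing-engine-bound traffic passes through no lo0 filter."""
    return sorted(v for v, (f, _) in effective_lo0_filters(config).items() if f is None)

if __name__ == "__main__":
    for vrf, (flt, why) in effective_lo0_filters(SAMPLE).items():
        print(f"{vrf}: {flt or 'NO FILTER'} ({why})")
```

In the sample, CUST-C has no lo0.n and therefore falls under protectRE on lo0.0, while CUST-B has a loopback unit without a filter and is reported as unprotected.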



