[j-nsp] Securing management access to Juniper gear

Mark Tinka mtinka at globaltransit.net
Sat Sep 3 09:38:21 EDT 2011


On Saturday, September 03, 2011 09:18:51 PM Richard A Steenbergen wrote:

> 2) EX lo0 filters don't actually work correctly for DoS
> prevention, they get applied *AFTER* the packets have
> already destroyed the RE, and thus are completely
> ineffective at defending the boxes from attack. The only
> way to correctly block control plane traffic on EX is
> with ingress filters on "real" interfaces (or RVIs).

Just to add, in case you're planning to perform any
egress filtering on an RVI for IPv6, it won't work if
one of your match conditions is a destination address:

[edit interfaces vlan unit 998 family inet6]
  'filter'
    Referenced filter 'filter-outgoing6' can not be used as destination-address not supported on egress IRB
error: configuration check-out failed


This is Junos 10.4R4.5. Don't know if anything later 
fixes this.

Ingress filtering with that match condition is fine,
however.

Cheers,

Mark.
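As an added illustration (not configuration from this thread), here is the ingress form of the same kind of filter that the message describes as working: an IPv6 filter with a destination-address match applied as an input filter on the RVI, which also addresses the control-plane protection point quoted above. The filter and term names, the 2001:db8:: addresses and the management prefix are assumptions chosen for the example.

```junos
/* Added example, not from the original post. Names, addresses and the */
/* management prefix 2001:db8:100::/48 are assumed for illustration.    */
firewall {
    family inet6 {
        filter filter-incoming6 {
            /* Allow SSH to this RVI's own address only from the management prefix. */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        2001:db8:100::/48;
                    }
                    destination-address {
                        2001:db8:998::1/128;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* ICMPv6 is required for neighbor discovery and PMTUD; keep it. */
            term allow-icmp6 {
                from {
                    next-header icmp6;
                }
                then accept;
            }
            /* Everything else aimed at the RVI address is dropped and counted. */
            term deny-to-re {
                from {
                    destination-address {
                        2001:db8:998::1/128;
                    }
                }
                then {
                    count deny-to-re;
                    discard;
                }
            }
            term allow-transit {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 998 {
            family inet6 {
                /* "input" works with destination-address; "output" with the same term fails on this release. */
                filter {
                    input filter-incoming6;
                }
                address 2001:db8:998::1/64;
            }
        }
    }
}
```

Commit with `commit check` first; on the 10.4R4.5 release quoted above, the same filter referenced as `output` is rejected at check-out with the error shown in the message.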