[j-nsp] Selective packet mode & local traffic

Fri Aug 10 11:55:11 EDT 2012

On 8/10/12 11:33 AM, "Wayne Tucker" <wayne at tuckerlabs.com> wrote:

>You can probably achieve that using apply-path.  This book has several
>good examples:
>
>http://www.juniper.net/us/en/community/junos/training-certification/day-on
>e/fundamentals-series/securing-routing-engine/
>
>:w
>
>
>On Thu, Aug 9, 2012 at 7:37 AM, Mark Menzies <mark at deimark.net> wrote:
>> Yup, we can do selective packet mode using firewall filters.
>>
>> Its normally applied in the input direction however, note, it needs to
>>be
>> on all interfaces where we will see packets that we dont want to send to
>> the flow module, ie the reply packets as well
>>
>> As for a script, sadly dont have one, however if you do get one, I would
>> like to have a copy.  :)
>>
>> On 9 August 2012 15:13, Phil Mayers <p.mayers at imperial.ac.uk> wrote:
>>
>>> All,
>>>
>>> On the J-series and branch SRX, if you want to use selective packet
>>>mode
>>> (because you want to do IPSec at the same time as MPLS, for example)
>>>then,
>>> as I understand it, you need to exclude traffic *to* the box itself
>>>from
>>> packet mode.
>>>
>>> Is this correct?
>>>
>>> Does anyone have a handy op-script that will build a prefix list of all
>>> local IPs, to help with automating this?
>>> ______________________________**_________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> 
>>>https://puck.nether.net/**mailman/listinfo/juniper-nsp<https://puck.neth
>>>er.net/mailman/listinfo/juniper-nsp>
>>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>https://puck.nether.net/mailman/listinfo/juniper-nsp

Try this and see if it works/is acceptable:

+  policy-options {
+      prefix-list interfaces {
+          apply-path "interfaces <*> unit <*> family inet address <*>";
+      }
+  }

Here's the output that you'll get (note that it will take the entire
subnet that the interface/unit is configured for):

chaynes at srx100-1# show | compare | display inheritance
[edit]
+  policy-options {
+      prefix-list interfaces {
          ##
          ## apply-path was expanded to:
          ##     172.16.1.0/24;
          ##     172.16.100.0/24;
          ##     10.0.0.0/24;
          ##
+          apply-path "interfaces <*> unit <*> family inet address <*>";
+      }
+  }

- Clay