[j-nsp] Filter on lo0, MX80

Per Granath per.granath at gcc.com.cy
Thu Feb 2 02:55:20 EST 2012


> > However, I also need to accept OSPF and BGP.
> >
> > I don't want to allow BGP on ge-1/0/0. This should be done at lo0.
> >
> > But If I accept BGP on ge-1/0/0, I also need to accept it on lo0 to get it to
> work.
> >
> > Is it possible to have different rules for incoming interface and lo0?
> 
> BGP is a TCP connection to your routing engine, so the rule for that session
> only needs to be on the lo0 interface.
> 
> Whatever is on your "ge" interface would typically be for transit traffic - and
> not traffic to the router itself.
> 
> For BGP, use a new 'term' with a 'from' (which really is an "if" statement):
> 
> 'source-address' of your peer
> 'protocol tcp'
> 'port bgp'
> 

You can add a 'destination-address' of your lo0 to the term, to allow connections only to the address.

Note, this is applied in the incoming direction on your lo0 interface, and you want those packets to have only the lo0 address as DA (destination address). With 'port', you allow either the source or the destination port to be BGP/179, which means any peer can open the connection.

Also, BGP/TCP/179 connections sent to your physical GE address will be sent to the routing engine and evaluated by the filter applied to the lo0 interface.
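As an added example (not from this thread), here is how the advice above looks as a Junos configuration: a filter on lo0 that accepts OSPF, accepts BGP only from listed peers and only to the lo0 address, and discards everything else. The peer addresses (192.0.2.x), the lo0 address (203.0.113.1), the prefix-list name and the filter name are placeholders to replace with your own.

```junos
policy-options {
    prefix-list bgp-peers {
        192.0.2.1/32;
        192.0.2.2/32;
    }
}
firewall {
    family inet {
        filter protect-re {
            term accept-ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            /* only listed peers, and only to the lo0 address */
            term accept-bgp {
                from {
                    source-prefix-list {
                        bgp-peers;
                    }
                    destination-address {
                        203.0.113.1/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* everything else bound for the RE is logged and dropped */
            term discard-rest {
                then {
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because a BGP session can be opened from either side, 'port bgp' covers both the peer sending a SYN to port 179 and the replies (source port 179) to a session this router opened. The final discard term also drops management traffic such as SSH, NTP and DNS replies, so those need their own accept terms placed before it.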