[j-nsp] RSVP path messages and loopback firewall filters
Antoine Versini
antoine.versini at corp.nerim.net
Tue Apr 22 06:40:56 EDT 2014
Hi Rob,
RSVP messages transiting through a P-router go through the RE. If you have filters set on your loopback, you must allow the IP addresses of the PEs speaking to each other through that P-router.
Here is my configuration regarding transit RSVP. Term "Accept" is intended for the router's local IP addresses and uses prefix-lists generated with apply-path, while "Accept-Other-Routers" is the one regarding transiting RSVP packets.
show configuration interfaces lo0
description "xxx";
unit 0 {
    family inet {
        filter {
            input-list [ Fragments Accepted-Services BGP BFD VRRP OSPF RSVP TCP-Established DEFAULT ];
        }
        address xxx/32;
    }
}

show configuration firewall family inet filter RSVP
apply-flags omit;
term Accept {
    from {
        destination-prefix-list {
            Router-IPv4;
            Router-IPv4-LogicalSystems;
            Router-IPv4-VRRP;
        }
        protocol rsvp;
    }
    then {
        count Accept-RSVP;
        accept;
    }
}
term Accept-Other-Routers {
    from {
        source-prefix-list {
            ROUTERS-Nets;
        }
        destination-prefix-list {
            ROUTERS-Nets;
        }
        protocol rsvp;
    }
    then {
        count Accept-RSVP;
        accept;
    }
}
Cheers,
Antoine
On 21 Apr 2014, at 22:54, Rob Foehl <rwf at loonybin.net> wrote:
> A quick question: how are folks handling RSVP path messages in loopback firewall filters, particularly on MX? prefix-lists covering all RSVP speakers? Explicit IP options match? Ignoring them entirely and hoping the policer on a default accept term won't step on them too hard? ;)
>
> Thanks,
>
> -Rob
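The prefix-lists that the RSVP filter above references, written out as an added example (this is not Antoine's configuration): apply-path lists for the router's own addresses, as his text describes, and a static ROUTERS-Nets list holding constructed documentation prefixes in place of real infrastructure ranges. The verification commands at the end are standard Junos operational commands.

```junos
/* Added example, not from the original post. ROUTERS-Nets entries are
   constructed placeholders; replace them with the real loopback ranges. */
policy-options {
    prefix-list Router-IPv4 {
        /* every IPv4 address configured on this router's interfaces */
        apply-path "interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list Router-IPv4-LogicalSystems {
        /* addresses configured inside logical systems are not covered above */
        apply-path "logical-systems <*> interfaces <*> unit <*> family inet address <*>";
    }
    prefix-list Router-IPv4-VRRP {
        /* VRRP virtual addresses are not interface addresses, so they need their own path */
        apply-path "interfaces <*> unit <*> family inet address <*> vrrp-group <*> virtual-address <*>";
    }
    prefix-list ROUTERS-Nets {
        /* constructed placeholders: the loopback/infrastructure ranges of all RSVP speakers;
           a PE missing from this list will have its transit Path messages fall through
           to the DEFAULT filter at the end of the lo0 input-list */
        192.0.2.0/24;
        198.51.100.0/24;
    }
}

/* Checks after commit:
   show configuration policy-options prefix-list Router-IPv4 | display inheritance
       -> shows the addresses the apply-path actually expanded to
   show firewall counter Accept-RSVP filter RSVP
       -> the counter should increase while LSPs are signalled through this router */
```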