[j-nsp] MX480 RE-S-2000 IGMP flood

Saku Ytti saku at ytti.fi
Sat Feb 1 03:24:30 EST 2014


On (2014-02-01 11:16 +0400), Misak Khachatryan wrote:

> Should I write filters specific for each lo and routing instance
> unit, or is lo0.0 a catch-all for everything?

I recommend applying the same filter in each loopback. The security posture of
a VPN is mostly the same as INET, except the source address is not to be
trusted (there may be INET behind the customer VPN and you may not know how
it's managed).
Critically, make sure you verify the destination address in the firewall filter,
especially for non-customer protocols like ssh, http, snmp, ntp, igp etc.

-- 
  ++ytti
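
The recommendation in the reply above, sketched as Junos set commands. This is an added example, not configuration from the original post: the filter name, prefix-list names and addresses are constructed, and lo0.1 is assumed to be the loopback unit of a customer routing instance.

```junos
# Constructed values: management sources and the router's own loopback
# addresses (lo0.0 in the default instance, lo0.1 in a customer instance).
set policy-options prefix-list MGMT-SOURCES 192.0.2.0/24
set policy-options prefix-list ROUTER-LOOPBACKS 198.51.100.1/32
set policy-options prefix-list ROUTER-LOOPBACKS 10.255.0.1/32

# SSH term: the source match alone is not sufficient inside a VPN, where the
# source address is not to be trusted, so the term also verifies that the
# packet is addressed to one of the router's own loopbacks.
set firewall family inet filter PROTECT-RE term ssh from source-prefix-list MGMT-SOURCES
set firewall family inet filter PROTECT-RE term ssh from destination-prefix-list ROUTER-LOOPBACKS
set firewall family inet filter PROTECT-RE term ssh from protocol tcp
set firewall family inet filter PROTECT-RE term ssh from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh then accept

# Terms for snmp, ntp, the IGP and every other protocol the routing engine
# must receive are built the same way and must exist before this filter is
# applied: anything no term accepts hits the filter's implicit discard.

# The same filter on each loopback unit, default instance and routing instance.
set interfaces lo0 unit 0 family inet filter input PROTECT-RE
set interfaces lo0 unit 1 family inet filter input PROTECT-RE
```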

