[j-nsp] MX480 RE-S-2000 IGMP flood
Mark Tinka
mark.tinka at seacom.mu
Sat Feb 1 03:42:26 EST 2014
On Saturday, February 01, 2014 10:24:30 AM Saku Ytti wrote:
> On (2014-02-01 11:16 +0400), Misak Khachatryan wrote:
> > Should I write filters specific for each lo and routing
> > instance unit or lo0.0 is catch all for everything?
>
> I recommend applying same filter in each loopback.
> Security posture of VPN is mostly same as INET, except
> source address is not to be trusted (there may be INET
> behind customer VPN and you may not know how it's
> managed) Critically make sure you verify destination
> address in firewall filter especially for non-customer
> protocols like ssh, http, snmp, ntp, igp etc.
For my NG-MVPN setup, I had a group that covers filtering to
lo0 and all units under it:
    protect-re-group {
        interfaces {
            lo0 {
                unit <*> {
                    family inet {
                        filter {
                            input protect-re;
                        }
                    }
                    family inet6 {
                        filter {
                            input protect-re6;
                        }
                    }
                }
            }
        }
    }
I then had a lo0.1 service instantiation unit which was
applied to my NG-MVPN VRF. It was important to have
appropriate filtering against this because for the NG-MVPN
deployment, things like PIM, IGMP and DHCP are all part of
the VRF, and those hit the router control plane, and as
such, need adequate protection.
If you're also doing BGP in the VRF to handle the RPF route
to the Multicast source, you need to have the appropriate
filter enabled.
Cheers,
Mark.
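Added example (not Mark's or Saku's own configuration): a Junos fragment that puts the two points above together, the wildcard `unit <*>` group so that a VRF loopback such as lo0.1 inherits the same filter, and a protect-re filter in which the unicast control protocols (BGP, ssh, snmp) are matched on both source and destination, the destination being every lo0 address collected with apply-path, while PIM, IGMP and DHCP, which cannot be pinned to a unicast destination, are policed instead of trusted. The addresses, AS numbers, the VRF name MVPN-CUST, the management prefix, the policer rates and the BGP neighbour are all assumed values; the inet6 filter and the NG-MVPN provider-tunnel configuration are left out.

```junos
/* Added example: addresses, AS numbers, the VRF name and rates are assumed */
apply-groups protect-re-group;
groups {
    protect-re-group {
        interfaces {
            lo0 {
                /* wildcard unit: every lo0 unit, VRF ones included, gets the filter */
                unit <*> {
                    family inet {
                        filter {
                            input protect-re;
                        }
                    }
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 { family inet { address 192.0.2.1/32; } }
        /* unit 1 lives in the MVPN VRF */
        unit 1 { family inet { address 192.0.2.129/32; } }
    }
}
routing-instances {
    MVPN-CUST {
        instance-type vrf;
        interface lo0.1;
        route-distinguisher 64496:1;
        vrf-target target:64496:1;
        protocols {
            /* BGP session carrying the RPF route to the multicast source */
            bgp { group rpf-source { neighbor 203.0.113.2 { peer-as 64500; } } }
            pim { interface all; }
        }
    }
}
policy-options {
    /* every lo0 address, global and VRF: used to pin the destination */
    prefix-list re-addresses {
        apply-path "interfaces lo0 unit <*> family inet address <*>";
    }
    prefix-list bgp-neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    prefix-list vrf-bgp-neighbors {
        apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>";
    }
    prefix-list mgmt-hosts { 198.51.100.0/24; }
}
firewall {
    policer control-plane-1m {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 64k; }
        then discard;
    }
    family inet {
        filter protect-re {
            /* unicast control protocols: source and destination both verified */
            term bgp {
                from {
                    source-prefix-list { bgp-neighbors; vrf-bgp-neighbors; }
                    destination-prefix-list { re-addresses; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            term ssh-snmp {
                from {
                    source-prefix-list { mgmt-hosts; }
                    destination-prefix-list { re-addresses; }
                    protocol [ tcp udp ];
                    destination-port [ ssh snmp ];
                }
                then accept;
            }
            /* PIM and IGMP go to multicast groups, so the destination check
               cannot apply; police them rather than trust the VRF */
            term pim-igmp {
                from { protocol [ pim igmp ]; }
                then { policer control-plane-1m; accept; }
            }
            term dhcp {
                from { protocol udp; destination-port [ bootps bootpc ]; }
                then { policer control-plane-1m; accept; }
            }
            term default-discard {
                then { count protect-re-discards; discard; }
            }
        }
    }
}
```

Because the BGP term takes its source list from apply-path over both the global table and every routing instance, adding a VRF peer later automatically extends the filter; the ssh and snmp terms remain restricted to the management prefix, so a packet arriving from inside the customer VPN with a forged source toward an RE address is still discarded by the destination and source combination. Check what the default-discard term is catching with `show firewall filter protect-re` before tightening the policer rates.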