[j-nsp] apply-paths and address families

Antti Ristimäki antti.ristimaki at csc.fi
Thu Apr 19 14:49:34 EDT 2018


Hi,

It seems that in the HW the filter is programmed with addresses for the
relevant address family only:

foo at bar> show configuration policy-options prefix-list BGP-NEIGHBORS | display inheritance
##
## apply-path was expanded to:
##     10.10.244.98/32;
##     2001:db8:0:f001:0:fe08:0:2/128;
##     10.10.255.1/32;
##     2001:db8:0:bad:c0de::1/128;
##
apply-path "protocols bgp group <*> neighbor <*>";

foo at bar> show configuration firewall filter RE-PROTECT term ALLOW-BGP-SERVERS
from {
    source-prefix-list {
        BGP-NEIGHBORS;
    }
    protocol tcp;
    source-port bgp;
    destination-port 1024-65535;
}
then accept;

SMPC0(bar vty)# show filter index 2   
Term Filters:
------------
   Index    Semantic  Properties   Name
--------  ---------- --------  ------
       2  Classic    -         RE-PROTECT

SMPC0(bar vty)# show filter index 2 program    
...
term ALLOW-BGP-SERVERS
...
    source-address 
    10.10.255.1/32
    10.10.244.98/32

And for the IPv6 filter only IPv6 addresses are programmed,
respectively. We use generic apply-path prefix-lists without any
protocol specific regex and haven't encountered any issues so far. In
the past we used to have IPv6 BGP group names prefixed with "IPV6-" and
used 'apply-path "protocols bgp group <IPV6-*> neighbor <*>"'.

Antti
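As an added illustration (not part of the thread, and not a Juniper tool), the two outputs above can be compared mechanically: parse the expanded apply-path list, keep only the prefixes of the family the filter belongs to, and check that the PFE program holds exactly that subset. The CLI text embedded below is a constructed copy of what is quoted in the post.

```python
import ipaddress
import re

# Constructed copies of the two CLI outputs quoted above (not captured from a live box).
EXPANDED_PREFIX_LIST = """\
##
## apply-path was expanded to:
##     10.10.244.98/32;
##     2001:db8:0:f001:0:fe08:0:2/128;
##     10.10.255.1/32;
##     2001:db8:0:bad:c0de::1/128;
##
apply-path "protocols bgp group <*> neighbor <*>";
"""
PFE_PROGRAM_INET = """\
term ALLOW-BGP-SERVERS
    source-address
    10.10.255.1/32
    10.10.244.98/32
"""

PREFIX_RE = re.compile(r"[0-9a-fA-F:.]+/\d+")


def expanded_prefixes(text):
    """Prefixes the apply-path expanded to (the '## ...' lines), split by IP version."""
    out = {4: set(), 6: set()}
    for line in text.splitlines():
        if line.startswith("##") and (m := PREFIX_RE.search(line)):
            net = ipaddress.ip_network(m.group(0), strict=False)
            out[net.version].add(net)
    return out


def programmed_prefixes(text):
    """Prefixes listed under a term in 'show filter index N program' output."""
    return {ipaddress.ip_network(m.group(0), strict=False)
            for line in text.splitlines()
            if (m := PREFIX_RE.fullmatch(line.strip()))}


def audit(expanded, programmed, family):
    """Compare the PFE program against the family-relevant subset of the expanded list.

    A non-empty 'missing' set means a neighbor the RE-PROTECT term should accept is not
    programmed; 'unexpected' means the hardware holds a prefix the apply-path never produced.
    """
    expected = expanded[family]
    return {"missing": expected - programmed, "unexpected": programmed - expected}
```

Running `audit(expanded_prefixes(...), programmed_prefixes(...), 4)` on the sample yields empty sets for both keys, i.e. the family inet program contains exactly the IPv4 half of the mixed prefix-list.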

On 19.04.2018 17:24, Andrew Gallo wrote:
> Greetings:
>
> Question about how folks are handling apply-paths with mixed v4 and v6
> addresses.  Specifically, if I want to use apply-paths to match all
> the BGP neighbors configured, is the best practice to use a protocol
> specific regex, or just match all neighbors?  Does it matter if I
> match a v6 address and use the prefix list in a v4 firewall filter?
>
> I have three different apply-paths, one that matches v4 neighbors, one
> v6 neighbors, and one all neighbors:
>
> prefix-list pf_BGP-IPV4 {
>     apply-path "protocols bgp group <*> neighbor <*[.]*>";
> }
> prefix-list pf_BGP-IPV6 {
>     apply-path "protocols bgp group <*> neighbor <*[:]*>";
> }
> prefix-list pf_BGP-all {
>     apply-path "protocols bgp group <*> neighbor <*>";
> }
>
> I can use pf_BGP-all in a filter in a family inet filter and a family
> inet6 filter.
>
> My question is: does it matter that a v6 address is in a prefix list
> in a v4 filter?
>
> Thank you.
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
