[j-nsp] apply-paths and address families

Andrew Gallo akg1330 at gmail.com
Thu Apr 19 15:14:16 EDT 2018


Thank you, Antti. This is helpful.


On 4/19/2018 2:49 PM, Antti Ristimäki wrote:
> Hi,
>
> It seems that in the HW the filter is programmed with addresses for the
> relevant address family only:
>
> foo at bar> show configuration policy-options prefix-list BGP-NEIGHBORS | display inheritance
> ##
> ## apply-path was expanded to:
> ##     10.10.244.98/32;
> ##     2001:db8:0:f001:0:fe08:0:2/128;
> ##     10.10.255.1/32;
> ##     2001:db8:0:bad:c0de::1/128;
> ##
> apply-path "protocols bgp group <*> neighbor <*>";
>
> foo at bar> show configuration firewall filter RE-PROTECT term ALLOW-BGP-SERVERS
> from {
>      source-prefix-list {
>          BGP-NEIGHBORS;
>      }
>      protocol tcp;
>      source-port bgp;
>      destination-port 1024-65535;
> }
> then accept;
>
> SMPC0(bar vty)# show filter index 2
> Term Filters:
> ------------
>     Index    Semantic  Properties   Name
> --------  ---------- --------  ------
>         2  Classic    -         RE-PROTECT
>
> SMPC0(bar vty)# show filter index 2 program
> ...
> term ALLOW-BGP-SERVERS
> ...
>      source-address
>      10.10.255.1/32
>      10.10.244.98/32
>
> And for the IPv6 filter only IPv6 addresses are programmed,
> respectively. We use generic apply-path prefix-lists without any
> protocol specific regex and haven't encountered any issues so far. In
> the past we used to have IPv6 BGP group names prefixed with "IPV6-" and
> used 'apply-path "protocols bgp group <IPV6-*> neighbor <*>"'.
>
> Antti
>
> On 19.04.2018 17:24, Andrew Gallo wrote:
>> Greetings:
>>
>> Question about how folks are handling apply-paths with mixed v4 and v6
>> addresses.  Specifically, if I want to use apply-paths to match all
>> the BGP neighbors configured, is the best practice to use a protocol
>> specific regex, or just match all neighbors?  Does it matter if I
>> match a v6 address and use the prefix list in a v4 firewall filter?
>>
>> I have three different apply-paths, one that matches v4 neighbors, one
>> v6 neighbors, and one all neighbors:
>>
>> prefix-list pf_BGP-IPV4 {
>>     apply-path "protocols bgp group <*> neighbor <*[.]*>";
>> }
>> prefix-list pf_BGP-IPV6 {
>>     apply-path "protocols bgp group <*> neighbor <*[:]*>";
>> }
>> prefix-list pf_BGP-all {
>>     apply-path "protocols bgp group <*> neighbor <*>";
>> }
>>
>> I can use pf_BGP-all in a family inet filter and a family inet6
>> filter.
>>
>> My question is: does it matter that a v6 address is in a prefix list
>> in a v4 filter?
>>
>> Thank you.
>>
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
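Added example, not from either message above: the pattern Antti describes, written out as a Junos configuration. One generic apply-path prefix-list (BGP-NEIGHBORS, the name from his output) is referenced from both a family inet and a family inet6 RE-protection filter on lo0; each family's filter is programmed with only its own addresses, so no protocol-specific regex is needed. The filter and term names, the lo0 application and the final discard term are assumptions, and the other accept terms a real RE filter needs (management, IGP, etc.) are omitted.

```junos
policy-options {
    /* one generic apply-path; both v4 and v6 neighbors expand into it */
    prefix-list BGP-NEIGHBORS {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
}
firewall {
    family inet {
        filter RE-PROTECT {
            term ALLOW-BGP {
                from {
                    source-prefix-list { BGP-NEIGHBORS; }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* assumed final term: anything else bound for the RE is dropped */
            term DENY-REST {
                then discard;
            }
        }
    }
    family inet6 {
        filter RE-PROTECT-V6 {
            term ALLOW-BGP {
                from {
                    /* same prefix-list; only its IPv6 entries are programmed here */
                    source-prefix-list { BGP-NEIGHBORS; }
                    /* inet6 filters match the transport with next-header, not protocol */
                    next-header tcp;
                    port bgp;
                }
                then accept;
            }
            term DENY-REST {
                then discard;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet { filter { input RE-PROTECT; } }
            family inet6 { filter { input RE-PROTECT-V6; } }
        }
    }
}
```

After commit, `show configuration policy-options prefix-list BGP-NEIGHBORS | display inheritance` shows the mixed expanded list, and the PFE `show filter index <n> program` output quoted above is where the per-family split becomes visible.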