[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Saku Ytti saku at ytti.fi
Wed Jul 11 15:23:28 EDT 2018


Hey Chris,

On Wed, 11 Jul 2018 at 22:16, Chris Morrow <morrowc at ops-netman.net> wrote:

> > a) You can't just limit UDP to 2Mbps on every edge port
>
> it's really a limit of 2mbps on each PFE, so ... in some cases that's
> 2mbps on a port, in some cases not. This is a 'problem' because of the
> architecture of the MX though, right? not the filter itself... well... :)

They were doing this to transit traffic; a high rate of UDP isn't
strange, as a good portion of YouTube streaming is UDP.

> > b) LO filter matches on 'port'
>
> on 'port'.. meaning I can't do:
>   destination-port ssh
>   source-port 1024-65535

You can do that; what you can't do is 'port X', because then anyone setting
their source port to X is allowed to reach any destination port you have.
I don't think source-port 1024-65534 matters, it's just additional resource
consumption. What does matter is that you match destination-port
<ephemeral>, source-port <bgp,ssh,etc> when you want to allow the far end
to respond to a connection you opened.

> > c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
>
> how do you mean? doesn't it just permit/deny what you ask in the filter?

In the relaxed one, they discard non-allowed ssh etc., then have a wide
accept. I.e., they don't know what they should accept and what not.

> > d) hardcore doesnt permit traceroute
>
> traceroute is permitted TO the box with the right config, and THROUGH
> the box on the MX without any holes in the loopback filter.

In this config it is not allowed to the box.

-- 
  ++ytti
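The two points argued above, matching 'port' versus destination-port plus source-port and an explicit accept list followed by a discard instead of a wide accept, can be seen side by side in a Junos lo0 filter skeleton. This is an added example and not configuration from either poster or from Juniper; the filter, policer and prefix-list names and the 192.0.2.0/24 addresses are constructed for illustration.

```junos
/* Added example, not from the thread: a lo0 (RE-protection) filter skeleton.
   Names, prefix lists and 192.0.2.0/24 addresses are constructed. */
policy-options {
    prefix-list BGP-PEERS {
        192.0.2.1/32;
    }
    prefix-list MGMT-HOSTS {
        192.0.2.128/25;
    }
}
firewall {
    policer RE-LOW-RATE {
        /* As noted in the thread: on MX this policer is instantiated per PFE,
           so the box-wide limit is 1m times the number of PFEs, not 1m. */
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter PROTECT-RE {
            /* WRONG: 'port' matches source OR destination. Anyone who sets
               source port 179 is accepted to every TCP port on the RE.
               Left deactivated so it is never evaluated. */
            inactive: term bad-bgp {
                from {
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Inbound BGP: the peer connects to our port 179. */
            term bgp-in {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* BGP we opened: the far end answers FROM 179 TO our ephemeral port. */
            term bgp-reply {
                from {
                    source-prefix-list {
                        BGP-PEERS;
                    }
                    protocol tcp;
                    source-port bgp;
                    destination-port 1024-65535;
                }
                then accept;
            }
            term ssh-mgmt {
                from {
                    source-prefix-list {
                        MGMT-HOSTS;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Traceroute TO the box: UDP probes to the traceroute range, policed,
               plus the ICMP that ping and traceroute need. */
            term traceroute-udp {
                from {
                    protocol udp;
                    destination-port 33434-33523;
                }
                then {
                    policer RE-LOW-RATE;
                    accept;
                }
            }
            term icmp {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer RE-LOW-RATE;
                    accept;
                }
            }
            /* Explicit accept list above, then drop the rest: no wide accept. */
            term deny-rest {
                then {
                    count denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
            }
        }
    }
}
```

The accept list is deliberately short; a production filter needs a term for every protocol the box actually speaks (IGP, LDP, NTP, DNS and TACACS replies, SNMP, and so on), and working out that list is exactly the "know what you should accept" exercise the thread describes. Once deny-rest exists, `show firewall filter PROTECT-RE` and the log of the denied counter show what was missed before anything is widened.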
