[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Chris Morrow morrowc at ops-netman.net
Wed Jul 11 15:34:22 EDT 2018

On Wed, 11 Jul 2018 15:23:28 -0400,
Saku Ytti <saku at ytti.fi> wrote:
> Hey Chris,
> On Wed, 11 Jul 2018 at 22:16, Chris Morrow <morrowc at ops-netman.net> wrote:
> > > a) You can't just limit UDP to 2Mbps on every edge port
> >
> > it's really a limit of 2mbps on each PFE, so ... in some cases that's
> > 2mbps on a port, in some cases not. This is a 'problem' because of the
> > architecture of the MX though, right? not the filter itself... well... :)
> They were doing this to transit traffic, high rate of UDP isn't
> strange, good portion of youtube streaming is UDP.

sorry, i think 'they' here is confusing :( or at least confusing me :)
'they' means: "juniper docs/engineers/etc"
'they' means: "team cymru and their docs"

which ? I was answering in the case of the first ;( which may have
lead us astray here...

> > > b) LO filter matches on 'port'
> >
> > on 'port'.. meaning I can't do:
> >   destination-port ssh
> >   source-port 1024-65535
> You can do that, you can't do 'port X', because then anyone setting
> source port to X, allows them to reach any destination port you have.
> I don't think source-port 1024-65534 matters, just additional resource
> consumption. What does matter, is that you match destination-port
> <ephemeral>, source-port <bgp,ssh,etc>, when you want to allow far-end
> to respond to connection you opened.

i think that /port/ is a crutch :( and best avoided in the case of
loopback filters.  you know exactly what's ok, permit that, drop all

> > > c) LO filter has wide permit instead of accept 1,2,3,4 drop rest
> >
> > how do you mean? doesn't it just permit/deny what you ask in the filter?
> In the relaxed one, they discard non allowed ssh etc, then have wide
> accept. I.e. they don't know what they should accept and what not.

i sense you are talking about the 'they' that is cymru.

> > > d) hardcore doesnt permit traceroute
> >
> > traceroute is permitted TO the box with the right config, and THROUGH
> > the box on the MX without any holes in the loopback filter.
> In this config it is not allowed to the box.

ah-ha! that's kooky :) (again this is with respect to the cymru doc) I
think the cymru guide is still good, it certainly gives you a leg up
on 'how do I even start?' and PROBABLY is "ok" for an enterprise
deployment. SP deployment will need more .... thought, but the
structure is there to build from.

More information about the juniper-nsp mailing list