[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

Jay Ford jnford at uiowa.net
Thu Jul 12 16:26:09 EDT 2018


On Thu, 12 Jul 2018, Jason Healy wrote:
> On Jul 12, 2018, at 10:09 AM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
> > Saku Ytti <saku at ytti.fi> writes:
> >
> > > I think best compromise would be, that JNPR would offer good filter,
> > > dynamically built based on data available in config and referring to
> > > empty prefix-lists when not possible to infer and customer can fill
> > > those prefix-lists if needed. And also have functional ddos-protection
> > > configuration out-of-the-box. People who want and can could override
> > > and configure themselves.
> >
> > That would be really wonderful. A great start would be if there was a
> > way to get just the /32 (or /128) interface IP addresses in
> > apply-groups.
>
> I started working on a commit script that would harvest all the local
> interface addresses and dump them in a prefix list so you could do just
> this.  Never got around to finishing it, but it's on my ever-growing todo
> list.

This type of thing gets most of the way there, depending on what you want it for:

     prefix-list PL-directly-connected-nets-v4 {
         apply-path "interfaces <*> unit <*> family inet address <*>";
     }
     prefix-list PL-directly-connected-nets-v6 {
         apply-path "interfaces <*> unit <*> family inet6 address <*>";
     }

________________________________________________________________________
Jay Ford, Network Engineering Group, Information Technology Services
University of Iowa, Iowa City, IA 52242
email: jay-ford at uiowa.edu, phone: 319-335-5555
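The apply-path above yields the directly connected networks, not only the router's own host addresses that the thread is asking for. The script below is an added example, not Jay's, Jason's or Juniper's code: it reads a Junos configuration in `set` format (a constructed sample is embedded), pulls every `family inet`/`inet6 address` statement, and emits two prefix-lists, one with the connected networks (the same result as the apply-path) and one with only the /32 and /128 host addresses. The regular expression, the prefix-list names and the sample configuration are assumptions; trailing keywords such as `primary` or `vrrp-group ... virtual-address` are ignored, which matches what the apply-path does as well.

```python
"""Harvest interface addresses from a Junos configuration in 'set' format.

Emits (a) the directly connected networks, which is what the apply-path in
the post produces, and (b) only the router's own host addresses (/32 and
/128). Constructed example; not Juniper's, Jay Ford's or Jason Healy's code.
"""
import ipaddress
import re

# Assumption about the set-format layout of an address statement. Anything
# after the address (primary, preferred, vrrp-group ...) is deliberately
# ignored, so VRRP virtual addresses are NOT harvested.
ADDR_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family "
    r"(?P<family>inet6?) address (?P<addr>\S+)"
)

# Constructed sample configuration (documentation prefixes only).
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:0:1::1/64
set interfaces ge-0/0/1 unit 100 vlan-id 100
set interfaces ge-0/0/1 unit 100 family inet address 198.51.100.1/24 primary
set interfaces ge-0/0/1 unit 100 family inet address 198.51.100.2/24 vrrp-group 1 virtual-address 198.51.100.254
set interfaces lo0 unit 0 family inet address 192.0.2.250/32
set interfaces lo0 unit 0 family inet6 address 2001:db8::250/128
"""


def _net_key(prefix):
    """Sort key so prefixes come out in numeric, not lexical, order."""
    return ipaddress.ip_network(prefix)


def harvest(config_text):
    """Return (nets_v4, hosts_v4, nets_v6, hosts_v6), each a sorted list.

    nets_*  : connected networks, host bits cleared (apply-path equivalent)
    hosts_* : the configured addresses as /32 or /128 host prefixes
    """
    nets = {4: set(), 6: set()}
    hosts = {4: set(), 6: set()}
    for line in config_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group("addr"))
        v = iface.version
        # .network masks the host bits: 192.0.2.1/30 -> 192.0.2.0/30
        nets[v].add(str(iface.network))
        hosts[v].add(f"{iface.ip}/{iface.max_prefixlen}")
    return (
        sorted(nets[4], key=_net_key),
        sorted(hosts[4], key=_net_key),
        sorted(nets[6], key=_net_key),
        sorted(hosts[6], key=_net_key),
    )


def render(name, prefixes):
    """Emit Junos set-style statements populating prefix-list `name`."""
    return [f"set policy-options prefix-list {name} {p}" for p in prefixes]


if __name__ == "__main__":
    nets4, hosts4, nets6, hosts6 = harvest(SAMPLE_CONFIG)
    # Prefix-list names are assumptions; pick whatever your lo0 filter uses.
    for block in (
        render("PL-directly-connected-nets-v4", nets4),
        render("PL-local-host-addrs-v4", hosts4),
        render("PL-directly-connected-nets-v6", nets6),
        render("PL-local-host-addrs-v6", hosts6),
    ):
        print("\n".join(block))
```

Feed it `show configuration interfaces | display set` and load the output with `load set`; the host-address lists are the ones to reference as destination prefixes in the lo0 filter, while anything the script cannot infer (VRRP virtual addresses, anycast or NAT pool addresses) still has to go into a hand-maintained prefix-list, as Saku's message suggests.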

