[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

adamv0025 at netconsultings.com adamv0025 at netconsultings.com
Thu Jul 12 16:46:39 EDT 2018


> Of Jay Ford
> Sent: Thursday, July 12, 2018 9:26 PM
> 
> On Thu, 12 Jul 2018, Jason Healy wrote:
> > On Jul 12, 2018, at 10:09 AM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
> > > Saku Ytti <saku at ytti.fi> writes:
> > >
> > > > I think best compromise would be, that JNPR would offer good
> > > > filter, dynamically built based on data available in config and
> > > > referring to empty prefix-lists when not possible to infer and
> > > > customer can fill those prefix-lists if needed. And also have
> > > > functional ddos-protection configuration out-of-the-box. People
> > > > who want and can could override and configure themselves.
> > >
> > > That would be really wonderful. A great start would be if there was
> > > a way to get just the /32 (or /128) interface IP addresses in
> > > apply-groups.
> >
> > I started working on a commit script that would harvest all the local
> > interface addresses and dump them in a prefix list so you could do
> > just this.  Never got around to finishing it, but it's on my
> > ever-growing todo list.
> 
> This type of thing gets most of the way there, depending on what you want
> it for:
> 
>      prefix-list PL-directly-connected-nets-v4 {
>          apply-path "interfaces <*> unit <*> family inet address <*>";
>      }
>      prefix-list PL-directly-connected-nets-v6 {
>          apply-path "interfaces <*> unit <*> family inet6 address <*>";
>      }
> 
This gets you the whole subnet, not just the local-end /32 or /128 that OP is
after.

adam

netconsultings.com
::carrier-class solutions for the telecommunications industry::
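As an added, constructed example (not from this thread, from Juniper or from Jason's commit script), the following Python sketch shows the difference adam points out: it reads `display set` style interface configuration and emits prefix-lists of the /32 and /128 host addresses, rather than the connected subnets that the `apply-path` approach returns. The sample config and the prefix-list names `PL-local-v4` / `PL-local-v6` are assumptions.

```python
import ipaddress
import re

# Constructed sample of 'show configuration | display set' output for the
# interfaces hierarchy (not taken from the original thread).
SAMPLE_CONFIG = """
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24
set interfaces ge-0/0/1 unit 100 family inet address 198.51.100.9/30
set interfaces ge-0/0/1 unit 100 family inet6 address 2001:db8:1::1/64
set interfaces lo0 unit 0 family inet address 203.0.113.1/32
set interfaces lo0 unit 0 family inet6 address 2001:db8::1/128
"""

# One 'set' line per configured address; group 1 is the family, group 2 the
# address token (any trailing options such as 'primary' are ignored).
ADDR_RE = re.compile(
    r"^set interfaces \S+ unit \d+ family (inet6?) address (\S+)", re.M)


def host_prefixes(config_text):
    """Return (v4, v6) lists of the local interface addresses as host routes.

    'apply-path ... family inet address <*>' expands to the whole configured
    subnet (192.0.2.0/24 for the first sample line).  Here the host bits are
    kept and the prefix length is forced to /32 or /128, which is what a lo0
    filter protecting the router's own addresses wants to match on.
    """
    v4, v6 = set(), set()
    for family, addr in ADDR_RE.findall(config_text):
        host = ipaddress.ip_interface(addr).ip  # strips the mask, keeps host bits
        (v4 if family == "inet" else v6).add(host)
    # Sort as addresses, not strings, so output order is stable and sensible.
    return ([f"{a}/32" for a in sorted(v4)],
            [f"{a}/128" for a in sorted(v6)])


def render_prefix_lists(config_text, v4_name="PL-local-v4", v6_name="PL-local-v6"):
    """Render the host prefixes as Junos 'set policy-options' statements."""
    v4, v6 = host_prefixes(config_text)
    lines = [f"set policy-options prefix-list {v4_name} {p}" for p in v4]
    lines += [f"set policy-options prefix-list {v6_name} {p}" for p in v6]
    return lines


if __name__ == "__main__":
    print("\n".join(render_prefix_lists(SAMPLE_CONFIG)))
```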


