[j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?
adamv0025 at netconsultings.com
Thu Jul 12 16:46:39 EDT 2018
> Of Jay Ford
> Sent: Thursday, July 12, 2018 9:26 PM
>
> On Thu, 12 Jul 2018, Jason Healy wrote:
> > On Jul 12, 2018, at 10:09 AM, Benny Amorsen <benny+usenet at amorsen.dk> wrote:
> > > Saku Ytti <saku at ytti.fi> writes:
> > >
> > > > I think best compromise would be, that JNPR would offer good
> > > > filter, dynamically built based on data available in config and
> > > > referring to empty prefix-lists when not possible to infer and
> > > > customer can fill those prefix-lists if needed. And also have
> > > > functional ddos-protection configuration out-of-the-box. People
> > > > who want and can could override and configure themselves.
> > >
> > > That would be really wonderful. A great start would be if there was
> > > a way to get just the /32 (or /128) interface IP addresses in
> > > apply-groups.
> >
> > I started working on a commit script that would harvest all the local
> > interface addresses and dump them in a prefix list so you could do
> > just this. Never got around to finishing it, but it's on my
> > ever-growing todo list.
>
> This type of thing gets most of the way there, depending on what you want it
> for:
>
> prefix-list PL-directly-connected-nets-v4 {
> apply-path "interfaces <*> unit <*> family inet address <*>";
> }
> prefix-list PL-directly-connected-nets-v6 {
> apply-path "interfaces <*> unit <*> family inet6 address <*>";
> }
>
This gets you the whole subnet, not just the local-end /32 or /128 that the OP is
after.
adam
netconsultings.com
::carrier-class solutions for the telecommunications industry::
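The difference adam points out, and the commit-script idea Jason describes, shown as an added example (not code from any poster in the thread, and not Juniper's own apply-path implementation). It parses "set"-style interface address lines, which is an assumption about the input format, and contrasts what apply-path resolves to (the connected subnet) with the /32 and /128 host prefixes of the local end that an lo0 filter wants. The sample config and the prefix-list names PL-local-host-addrs-v4/v6 are constructed for the example; on-box it would read the candidate config through the junos module instead of a string.

```python
import ipaddress
import re

# Constructed sample of Junos "set"-style interface config (not taken from the
# original thread): a /30 point-to-point link, a /24 LAN, the lo0 /32 and a v6 /64.
SAMPLE_CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.254/24
set interfaces lo0 unit 0 family inet address 203.0.113.7/32
set interfaces ge-0/0/0 unit 0 family inet6 address 2001:db8:1::1/64
"""

# Matches one "set interfaces IFD unit N family inet|inet6 address A/len" line.
ADDR_RE = re.compile(
    r"^set interfaces (?P<ifd>\S+) unit (?P<unit>\d+) family (?P<fam>inet6?) "
    r"address (?P<addr>\S+)$"
)


def parse_addresses(config_text):
    """Return the configured addresses as ipaddress.IPv4Interface/IPv6Interface
    objects; an *Interface keeps both the host address and the subnet length."""
    found = []
    for line in config_text.splitlines():
        m = ADDR_RE.match(line.strip())
        if m:
            found.append(ipaddress.ip_interface(m.group("addr")))
    return found


def connected_networks(config_text):
    """What apply-path "interfaces <*> unit <*> family inet address <*>" yields:
    the whole directly connected subnet for every configured address."""
    nets = {i.network for i in parse_addresses(config_text)}
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(n) for n in ordered]


def local_host_prefixes(config_text):
    """The local end only: each address as a /32 (v4) or /128 (v6) host prefix,
    which is what a control-plane (lo0) filter wants to match on."""
    hosts = {ipaddress.ip_network(f"{i.ip}/{i.ip.max_prefixlen}")
             for i in parse_addresses(config_text)}
    ordered = sorted(hosts, key=lambda h: (h.version, int(h.network_address)))
    return [str(h) for h in ordered]


def render_prefix_lists(config_text, name_v4="PL-local-host-addrs-v4",
                        name_v6="PL-local-host-addrs-v6"):
    """Emit Junos set commands a commit script could load into the candidate
    config. The prefix-list names are hypothetical defaults for this example."""
    lines = []
    for prefix in local_host_prefixes(config_text):
        name = name_v6 if ":" in prefix else name_v4
        lines.append(f"set policy-options prefix-list {name} {prefix}")
    return lines


if __name__ == "__main__":
    print("# apply-path on the address hierarchy gives the connected subnets:")
    for n in connected_networks(SAMPLE_CONFIG):
        print("  ", n)
    print("# the local /32 and /128 ends instead:")
    for cmd in render_prefix_lists(SAMPLE_CONFIG):
        print(cmd)
```

Run stand-alone it prints 192.0.2.0/30 and 198.51.100.0/24 for the connected-subnet view, versus 192.0.2.1/32 and 198.51.100.254/32 for the host view; only the lo0 address is the same in both, because it is already a /32.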