[j-nsp] How to maintain scripts

Saku Ytti saku at ytti.fi
Mon Jul 16 09:40:40 EDT 2018


On Mon, 16 Jul 2018 at 16:32, Benny Lyne Amorsen
<benny+usenet at amorsen.dk> wrote:

> Ideally JunOS should offer another way of distinguishing between forward
> traffic and locally-terminated/originated traffic in ACLs, without
> having to rely on getting lists of IP addresses correct. The box knows
> whether it is terminating the traffic or not. Just let me filter based
> on that... (I know, it is not that easy to implement in practice.)

Generally yes. But then there are some debatable things like IP
options and DHCP snooping, which are transit but subject to RE. So
should they be subject to LO0, or should you just police them in
forwarding-filters? I believe the latter; Juniper seems to think the former.

-- 
  ++ytti

