[j-nsp] How to maintain scripts

Benny Lyne Amorsen benny+usenet at amorsen.dk
Mon Jul 16 12:03:13 EDT 2018


Saku Ytti <saku at ytti.fi> writes:

> Generally yes. But then there are some debatable things like IP
> options and DHCP snooping.  Which are transit, but subject to RE. So
> should they be subject to LO0, or should you just police them in
> forwarding-filters? I believe latter, Juniper seems to think former.

I must admit I don't care much either way. My problem is that RE traffic
is subject to BOTH interface ingress filters AND lo0 ingress filters,
and similarly on egress you have to permit RE traffic outbound.

I often need an ACL that says "this interface cannot talk to/receive
traffic from RFC1918". Easily implemented for ingress traffic in two
terms with something like:

term reject-rfc1918 {
  from {
    destination-address 10.0.0.0/8;
    destination-address 172.16.0.0/12;
    destination-address 192.168.0.0/16;
  }
  then discard;
}
term accept-all {
  then accept;
}

(plus the obvious reverse for the egress filter).

Unfortunately that breaks DHCP, ping to the router interfaces, dynamic
routing, and undoubtedly other things, if the interface address is in
RFC1918 space.

This is a needless pain, since it means I have to implement the same
rules twice: once in lo0, and once in the interface filter. And I cannot
even do it with apply-groups; I have to actually build the appropriate
filter with the right set of interface addresses, and update it when the
list changes.


/Benny
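The maintenance burden Benny describes above (an interface filter that must carry the interface's own addresses and be regenerated whenever they change) is the kind of thing that is better produced by a script than by hand. The following is an added example, not code from the post or from Juniper: a small Python generator that takes an interface's addresses, emits Junos "set" statements for an ingress and an egress filter, and exempts the router's own host addresses before the RFC1918 discard so that DHCP, ping to the interface, and routing adjacencies with the router itself keep working. The filter names, the interface addresses, and the packets used in the checks are constructed for the example. It covers only the interface filter; the lo0 filter still has to be maintained separately.

```python
"""Generate a Junos interface filter that blocks RFC1918 transit traffic
but first exempts the interface's own host addresses (added example)."""
import ipaddress
from typing import Iterable, List

# RFC1918 prefixes to keep off the transit interface.
RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def interface_hosts(addresses: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn interface addresses like '10.1.2.3/24' into /32 host prefixes.

    Only the host address is exempted, not the connected subnet, so the
    RFC1918 block still applies to transit traffic for the rest of the /24.
    Junos 'family inet' is IPv4-only, so IPv6 input is rejected here.
    """
    hosts = {ipaddress.ip_network(f"{ipaddress.IPv4Interface(a).ip}/32")
             for a in addresses}
    return sorted(hosts, key=lambda n: int(n.network_address))


def build_filter(name: str, addresses: Iterable[str], direction: str) -> List[str]:
    """Emit Junos 'set' statements for one direction of the filter.

    ingress: exempt packets addressed *to* the router, then discard
             RFC1918 destinations, then accept everything else.
    egress:  exempt packets sourced *from* the router, then discard
             RFC1918 sources, then accept everything else.
    Terms are created in the order they are first mentioned, which is the
    order Junos evaluates them.
    """
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be 'ingress' or 'egress'")
    field = "destination-address" if direction == "ingress" else "source-address"
    base = f"set firewall family inet filter {name} term"
    lines: List[str] = []
    hosts = interface_hosts(addresses)
    # An 'accept-local' term with no 'from' clause would match everything and
    # silently disable the RFC1918 block, so it is only emitted when there
    # is at least one address to exempt.
    if hosts:
        for host in hosts:
            lines.append(f"{base} accept-local from {field} {host}")
        lines.append(f"{base} accept-local then accept")
    for net in RFC1918:
        lines.append(f"{base} reject-rfc1918 from {field} {net}")
    lines.append(f"{base} reject-rfc1918 then discard")
    # Junos filters end in an implicit discard, so the final accept is needed.
    lines.append(f"{base} accept-all then accept")
    return lines


def verdict(addresses: Iterable[str], direction: str, src: str, dst: str) -> str:
    """Evaluate one packet against the same logic the filter encodes, so the
    generated terms can be sanity-checked offline before they are committed.
    Returns 'accept' or 'discard'."""
    ip = ipaddress.ip_address(dst if direction == "ingress" else src)
    if any(ip in host for host in interface_hosts(addresses)):
        return "accept"          # traffic to/from the router itself
    if any(ip in net for net in RFC1918):
        return "discard"         # RFC1918 transit traffic
    return "accept"


if __name__ == "__main__":
    # Constructed interface addresses for a hypothetical edge port.
    addrs = ["10.1.2.3/24", "192.168.50.1/30"]
    for direction, name in (("ingress", "edge-in"), ("egress", "edge-out")):
        print("\n".join(build_filter(name, addrs, direction)))
```

The generated statements can be pasted into "configure" (or loaded with "load set"), and the script rerun whenever an interface address changes; the "verdict" helper lets a change be checked against a handful of known-good and known-bad packets before it reaches the router.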

