[j-nsp] RE filter BCP

James Bensley jwbensley at gmail.com
Sat Feb 2 05:02:36 EST 2019


On Thu, 3 Jan 2019 at 18:54, Jason Lixfeld <jason-jnsp at lixfeld.ca> wrote:
>
> Hi all,
>
> Would the Day-Zero Hardening JunOS, 2nd Edition publication be the de facto BCP for RE filter hardening?
>
> I’ve noticed that publication is a little more liberal in its RE filtering suggestions vs. say, Juniper MX Series, O’Reilly.
>
> Having dug through both, the Juniper guide seems more platform agnostic, which probably contributes to why it’s more liberal (variations in cross-platform feature support).
>
> Of course, the O’Reilly guide is MX specific so you can’t really take a template and drop it onto a QFX.  However, if the day-zero guide provides practices that are suitable enough to use on an MX running as an Internet border router, how fair is it to say that the same template could be used for some other JunOS device that was acting as a customer ethernet access device, for example.
>
> Thanks!

Hi All,

Lo0 filters are a recurring query on this list. I’ve been thinking for
a while now that there is value in setting up a GitHub repo to host
tried and tested config templates. Anyone could contribute to it.

For “services” e.g. L3 VPN this would be really difficult, your L3
VPNs don’t have the same requirements or design constraints as mine,
so I’ve been thinking to start with something more generic such as a
lo0 filter template.

This would still have to be a somewhat generic/example template as
your management and control planes don’t look like mine, but lo0
filters are one of those things that there just aren’t any good
examples of on the Internet. If I set up a GitHub repo and put a rough
lo0 template on there as a starter, is anyone interested in (a)
refining the lo0 template and (b) adding more templates later for
other stuff?

Cheers,
James.

