[j-nsp] RE filter BCP
Anderson, Charles R
cra at wpi.edu
Thu Jan 3 15:29:06 EST 2019
On Thu, Jan 03, 2019 at 03:23:34PM -0500, Jason Lixfeld wrote:
> > At least the O'Reilly RE filter example is not only poor design but
> > also broken, for using stuff like 'match port bgp'.
>
> If you match on specific source (and presumably specific destination) addresses, why is a directionally agnostic port match bad? Or is it not so much bad as it is being too lazy to create a second term or an established filter/term?
Your BGP peer could SSH to your router by using a source port of bgp/179 and a destination port of ssh/22.
> > c) always match destination-address if you're running L3 MPLS VPNs
>
> I must be misunderstanding because I’m sure you’re not suggesting that in the absence of L3VPNs, omitting destination address matching is acceptable?
I would like to learn more about this particular BCP. Why is it that with L3 MPLS VPNs it is important to specify destination-address?
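
The source-port case raised in this message, as an added example that is not part of the original post: a small Python model (not Junos itself) comparing a direction-agnostic `port` match with separate `destination-port` and `source-port` plus `tcp-established` terms. The addresses, the packet fields and the two-term layout are assumptions made for illustration.

```python
from dataclasses import dataclass

BGP, SSH = 179, 22
PEER, ROUTER = "192.0.2.1", "198.51.100.1"  # constructed addresses (assumptions)


@dataclass(frozen=True)
class Packet:  # TCP only; 'protocol tcp' is left out of this model
    src: str
    dst: str
    sport: int
    dport: int
    established: bool = False  # ACK or RST set, which 'tcp-established' tests


def term_matches(term, pkt):
    """All match conditions in a term are ANDed."""
    checks = {
        "source-address": lambda v: pkt.src == v,
        "destination-address": lambda v: pkt.dst == v,
        "source-port": lambda v: pkt.sport == v,
        "destination-port": lambda v: pkt.dport == v,
        "port": lambda v: v in (pkt.sport, pkt.dport),  # either direction
        "tcp-established": lambda v: pkt.established == v,
    }
    return all(checks[key](value) for key, value in term.items())


def accepts(terms, pkt):
    """First matching term accepts; otherwise the implicit discard applies."""
    return any(term_matches(t, pkt) for t in terms)


LOOSE = [{"source-address": PEER, "port": BGP}]
STRICT = [
    # Peer opens the session to our BGP port.
    {"source-address": PEER, "destination-address": ROUTER, "destination-port": BGP},
    # Return traffic for a session we opened towards the peer.
    {"source-address": PEER, "destination-address": ROUTER, "source-port": BGP, "tcp-established": True},
]

# Constructed packets: a BGP open, a BGP reply, and the case from the thread.
bgp_open = Packet(PEER, ROUTER, 54321, BGP)
bgp_reply = Packet(PEER, ROUTER, BGP, 54321, established=True)
ssh_from_179 = Packet(PEER, ROUTER, BGP, SSH)  # initial SYN, not established

if __name__ == "__main__":
    for name, pkt in [("bgp_open", bgp_open), ("bgp_reply", bgp_reply), ("ssh_from_179", ssh_from_179)]:
        print(f"{name:13} loose={accepts(LOOSE, pkt)} strict={accepts(STRICT, pkt)}")
```

The second strict term still passes packets from source port 179 that carry ACK or RST, but such packets cannot open a new TCP session to the router.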