[j-nsp] RE filter BCP

Anderson, Charles R cra at wpi.edu
Thu Jan 3 15:29:06 EST 2019

On Thu, Jan 03, 2019 at 03:23:34PM -0500, Jason Lixfeld wrote:
> > At least the O'Reilly RE filter example is not only poor design but
> > also broken, for using stuff like 'match port bgp’.
> If you match on specific source (and presumably specific destination) addresses, why is a directionally agnostic port match bad?  Or is it not so much bad as it is being too lazy to create a second term or an established filter/term?

Your BGP peer could SSH to your router by using a source port of bgp/179 and a destinatino port of ssh/22.

> > c) always match destination-address if you're running L3 MPLS VPNs
> I must be misunderstanding because I’m sure you’re not suggesting that in the absence of L3VPNs, omitting destination address matching is acceptable?

I would like to learn more about this particular BCP.  Why is it that with L3 MPLS VPNs is it important to specify destination-address?

More information about the juniper-nsp mailing list