[j-nsp] RE filter BCP

Anderson, Charles R cra at wpi.edu
Thu Jan 3 15:48:35 EST 2019

On Thu, Jan 03, 2019 at 10:38:50PM +0200, Saku Ytti wrote:
> On Thu, 3 Jan 2019 at 22:32, Anderson, Charles R <cra at wpi.edu> wrote:
> > > > c) always match destination-address if you're running L3 MPLS VPNs
> > >
> > > I must be misunderstanding because I’m sure you’re not suggesting that in the absence of L3VPNs, omitting destination address matching is acceptable?
> >
> > I would like to learn more about this particular BCP.  Why is it that with L3 MPLS VPNs is it important to specify destination-address?
> Because otherwise you have to rely that no L3 MPLS VPN customer
> anywhere can advertise your internal infrastructure addresses. If you
> have 1 customer not properly filtered, then they can advertise your
> NMS station inside their L3 MPLS VPN, no biggy.
> And be accepted as your NMS. If you ensure that DADDR must be loop or
> BB link, this trick does not work. And obviously the L3 MPLS VPN can't
> send packet to those, as they're not in the table.

Thanks.  I assume the same problem exists if you have VRF loopback
interfaces inside the VPN as well (e.g. OSPF router-id loopbacks for
the customer's VPN).  So the idea is to restrict the destinations to
ones that will never exist inside a customer-visible VRF.

More information about the juniper-nsp mailing list