Thank you, Antti. This is helpful.
On 4/19/2018 2:49 PM, Antti Ristimäki wrote:
Hi,

It seems that in the HW the filter is programmed with addresses for the relevant address family only:

foo@bar> show configuration policy-options prefix-list BGP-NEIGHBORS |display inheritance
##
## apply-path was expanded to:
##     10.10.244.98/32;
##     2001:db8:0:f001:0:fe08:0:2/128;
##     10.10.255.1/32;
##     2001:db8:0:bad:c0de::1/128;
##
apply-path "protocols bgp group <*> neighbor <*>";

foo@bar> show configuration firewall filter RE-PROTECT term ALLOW-BGP-SERVERS
from {
    source-prefix-list {
        BGP-NEIGHBORS;
    }
    protocol tcp;
    source-port bgp;
    destination-port 1024-65535;
}
then accept;

SMPC0(bar vty)# show filter index 2
Term Filters:
------------
   Index    Semantic  Properties  Name
--------  ----------  --------    ------
       2  Classic     -           RE-PROTECT

SMPC0(bar vty)# show filter index 2 program
...
term ALLOW-BGP-SERVERS
...
    source-address
        10.10.255.1/32
        10.10.244.98/32

And for the IPv6 filter only IPv6 addresses are programmed, respectively.

We use generic apply-path prefix-lists without any protocol specific regex and haven't encountered any issues so far. In the past we used to have IPv6 BGP group names prefixed with "IPV6-" and used 'apply-path "protocols bgp group <IPV6-*> neighbor <*>"'.

Antti

On 19.04.2018 17:24, Andrew Gallo wrote:
Greetings:

Question about how folks are handling apply-paths with mixed v4 and v6 addresses. Specifically, if I want to use apply-paths to match all the BGP neighbors configured, is the best practice to use a protocol specific regex, or just match all neighbors? Does it matter if I match a v6 address and use the prefix list in a v4 firewall filter?

I have three different apply-paths, one that matches v4 neighbors, one v6 neighbors, and one all neighbors:

prefix-list pf_BGP-IPV4 {
    apply-path "protocols bgp group <*> neighbor <*[.]*>";
}
prefix-list pf_BGP-IPV6 {
    apply-path "protocols bgp group <*> neighbor <*[:]*>";
}
prefix-list pf_BGP-all {
    apply-path "protocols bgp group <*> neighbor <*>";
}

I can use pf_BGP-all in a filter in a family inet filter and a family inet6 filter. My question is- does it matter that a v6 address is in a prefix list in a v4 filter?

Thank you.

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
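The expansion and per-family behaviour discussed in this thread, modelled offline as an added Python example that is not part of the original messages or of Junos itself. The group names and function names are constructed, and treating the `<...>` wildcards as shell-style globs (via `fnmatch`) is an assumption that holds for the three patterns quoted above.

```python
import fnmatch
import ipaddress

# Constructed sample in "display set" form: group names are made up,
# neighbor addresses are the ones shown in the thread.
SAMPLE_CONFIG = """\
set protocols bgp group IBGP neighbor 10.10.255.1
set protocols bgp group IBGP neighbor 2001:db8:0:bad:c0de::1
set protocols bgp group TRANSIT neighbor 10.10.244.98
set protocols bgp group TRANSIT neighbor 2001:db8:0:f001:0:fe08:0:2
"""

# Neighbor patterns taken from the three apply-paths in the thread.
PATTERNS = {"pf_BGP-IPV4": "*[.]*", "pf_BGP-IPV6": "*[:]*", "pf_BGP-all": "*"}


def bgp_neighbors(config):
    """Collect neighbor addresses from 'set protocols bgp group G neighbor N'."""
    found = []
    for line in config.splitlines():
        w = line.split()
        if len(w) >= 7 and w[:4] == ["set", "protocols", "bgp", "group"] \
                and w[5] == "neighbor":
            found.append(w[6])
    return found


def expand(pattern, neighbors):
    """Expand one neighbor pattern to host prefixes (/32 or /128).
    Glob matching is an assumption, not Junos's own matcher."""
    hits = [n for n in neighbors if fnmatch.fnmatchcase(n, pattern)]
    return [ipaddress.ip_network(n) for n in hits]


def programmed(prefixes, family):
    """Entries of a shared prefix-list that a filter of the given family
    carries, following the behaviour reported in the thread."""
    version = {"inet": 4, "inet6": 6}[family]
    return sorted(str(p) for p in prefixes if p.version == version)


if __name__ == "__main__":
    nbrs = bgp_neighbors(SAMPLE_CONFIG)
    for name, pat in PATTERNS.items():
        plist = expand(pat, nbrs)
        for fam in ("inet", "inet6"):
            print(f"{name:12} family {fam:5} -> {programmed(plist, fam)}")
```

Comparing the `pf_BGP-all` rows with the family-specific lists shows whether a generic apply-path leaves any neighbor uncovered in the filter for its own family.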

