Try changing apply-path to "protocols bgp group <*> neighbor <*.*.*.*>" for IPv4, and "protocols bgp group <*> neighbor <*:*>" for IPv6.

2018-04-19 15:49 GMT-03:00 Antti Ristimäki <[email protected]>:
> Hi,
>
> It seems that in the HW the filter is programmed with addresses for the
> relevant address family only:
>
> foo@bar> show configuration policy-options prefix-list BGP-NEIGHBORS |display inheritance
> ##
> ## apply-path was expanded to:
> ##     10.10.244.98/32;
> ##     2001:db8:0:f001:0:fe08:0:2/128;
> ##     10.10.255.1/32;
> ##     2001:db8:0:bad:c0de::1/128;
> ##
> apply-path "protocols bgp group <*> neighbor <*>";
>
> foo@bar> show configuration firewall filter RE-PROTECT term ALLOW-BGP-SERVERS
> from {
>     source-prefix-list {
>         BGP-NEIGHBORS;
>     }
>     protocol tcp;
>     source-port bgp;
>     destination-port 1024-65535;
> }
> then accept;
>
> SMPC0(bar vty)# show filter index 2
> Term Filters:
> ------------
>    Index    Semantic   Properties   Name
> --------  ---------- --------  ------
>        2  Classic    -         RE-PROTECT
>
> SMPC0(bar vty)# show filter index 2 program
> ...
> term ALLOW-BGP-SERVERS
> ...
>     source-address
>         10.10.255.1/32
>         10.10.244.98/32
>
> And for the IPv6 filter only IPv6 addresses are programmed,
> respectively. We use generic apply-path prefix-lists without any
> protocol specific regex and haven't encountered any issues so far. In
> the past we used to have IPv6 BGP group names prefixed with "IPV6-" and
> used 'apply-path "protocols bgp group <IPV6-*> neighbor <*>"'.
>
> Antti
>
> On 19.04.2018 17:24, Andrew Gallo wrote:
>> Greetings:
>>
>> Question about how folks are handling apply-paths with mixed v4 and v6
>> addresses. Specifically, if I want to use apply-paths to match all
>> the BGP neighbors configured, is the best practice to use a protocol
>> specific regex, or just match all neighbors? Does it matter if I
>> match a v6 address and use the prefix list in a v4 firewall filter?
>>
>> I have three different apply-paths, one that matches v4 neighbors, one
>> v6 neighbors, and one all neighbors:
>>
>> prefix-list pf_BGP-IPV4 {
>>     apply-path "protocols bgp group <*> neighbor <*[.]*>";
>> }
>> prefix-list pf_BGP-IPV6 {
>>     apply-path "protocols bgp group <*> neighbor <*[:]*>";
>> }
>> prefix-list pf_BGP-all {
>>     apply-path "protocols bgp group <*> neighbor <*>";
>> }
>>
>> I can use pf_BGP-all in a filter in a family inet filter and a family
>> inet6 filter.
>>
>> My question is- does it matter that a v6 address is in a prefix list
>> in a v4 filter?
>>
>> Thank you.
>>
>> _______________________________________________
>> juniper-nsp mailing list [email protected]
>> https://puck.nether.net/mailman/listinfo/juniper-nsp

--
Eduardo Schoedler
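
An added illustration (not code from any poster in this thread): a Python sketch that expands the neighbor wildcards quoted above against the four neighbor addresses from the "display inheritance" output and splits the result per address family, as the hardware output in the thread reports. Shell-style globbing via fnmatch is an assumption standing in for Junos wildcard matching, and the "-alt" prefix-list names are hypothetical.

```python
import fnmatch
import ipaddress

# Neighbor addresses from the "display inheritance" output quoted in the thread.
NEIGHBORS = [
    "10.10.244.98",
    "2001:db8:0:f001:0:fe08:0:2",
    "10.10.255.1",
    "2001:db8:0:bad:c0de::1",
]

# Neighbor wildcards from the thread. The "-alt" names are hypothetical labels
# for the two patterns suggested in the top reply.
PATTERNS = {
    "pf_BGP-IPV4": "*[.]*",
    "pf_BGP-IPV6": "*[:]*",
    "pf_BGP-all": "*",
    "pf_BGP-IPV4-alt": "*.*.*.*",
    "pf_BGP-IPV6-alt": "*:*",
}
FAMILY_VERSION = {"inet": 4, "inet6": 6}


def expand(pattern, neighbors=NEIGHBORS):
    """Host prefixes for neighbors matching the wildcard.

    Assumption: fnmatch globbing stands in for Junos wildcard matching."""
    return [ipaddress.ip_network(n) for n in neighbors
            if fnmatch.fnmatchcase(n, pattern)]


def programmed(prefixes, family):
    """Prefixes a filter of this family would use, per the thread's PFE output."""
    keep = [p for p in prefixes if p.version == FAMILY_VERSION[family]]
    return [str(p) for p in sorted(keep)]


def other_family(prefixes, family):
    """Prefixes in the list that belong to the other address family."""
    return [str(p) for p in prefixes if p.version != FAMILY_VERSION[family]]


if __name__ == "__main__":
    for name, pattern in PATTERNS.items():
        nets = expand(pattern)
        for family in FAMILY_VERSION:
            print(f"{name:16} {family:6} programmed={programmed(nets, family)} "
                  f"other-family={other_family(nets, family)}")
```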

