On Thu, Jan 03, 2019 at 03:23:34PM -0500, Jason Lixfeld wrote:
> > At least the O'Reilly RE filter example is not only poor design but
> > also broken, for using stuff like 'match port bgp’.
>
> If you match on specific source (and presumably specific destination)
> addresses, why is a directionally agnostic port match bad? Or is it not so
> much bad as it is being too lazy to create a second term or an established
> filter/term?

Your BGP peer could SSH to your router by using a source port of bgp/179 and a destination port of ssh/22.

> > c) always match destination-address if you're running L3 MPLS VPNs
>
> I must be misunderstanding because I’m sure you’re not suggesting that in the
> absence of L3VPNs, omitting destination address matching is acceptable?

I would like to learn more about this particular BCP. Why is it that with L3 MPLS VPNs it is important to specify destination-address?

_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
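
Added example, not part of the original thread or of the O'Reilly text it criticises: a Junos filter fragment putting the direction-agnostic 'port bgp' term beside a directional pair of terms. The filter and term names and the addresses (192.0.2.1 for the peer, 192.0.2.254 for the router) are constructed placeholders.

```junos
firewall {
    family inet {
        filter protect-re-weak {
            /* "port bgp" is true when EITHER port is 179, so a packet from
               the peer with source port 179 and destination port 22 is
               accepted by this term. */
            term bgp {
                from {
                    source-address {
                        192.0.2.1/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
        }
        filter protect-re-directional {
            /* Sessions the peer opens towards us: destination port 179 only. */
            term bgp-inbound {
                from {
                    source-address {
                        192.0.2.1/32;
                    }
                    destination-address {
                        192.0.2.254/32;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            /* Replies on sessions we opened: source port 179, and
               tcp-established rejects an initial SYN without ACK. */
            term bgp-return {
                from {
                    source-address {
                        192.0.2.1/32;
                    }
                    destination-address {
                        192.0.2.254/32;
                    }
                    protocol tcp;
                    source-port bgp;
                    tcp-established;
                }
                then accept;
            }
        }
    }
}
```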

