Re: [j-nsp] BGP timer

2024-04-28 Thread Jeff Haas via juniper-nsp
BFD holddown is the right feature for this. WARNING: BFD holddown is known to be problematic between Juniper and Cisco implementations due to where each starts its state machines for BFD vs. BGP. It was a partial motivation for BGP BFD strict:

Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

2024-04-28 Thread Sean Clarke via juniper-nsp
I personally love the "apply path" commands with wildcards. Therefore it ONLY looks for peers in your configuration
set policy-options prefix-list bgp-addresses apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list dns-addresses apply-path "system name-server

Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

2024-04-28 Thread Michael Hare via juniper-nsp
Martin, Saku is illuminating how difficult it can be to effectively protect the control plane. If I were to post our production RE filter I would likely be humbled with what I've overlooked as well. Thanks for sharing for commentary and discussion. Saku's comment about using router-ipv4

Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

2024-04-28 Thread Saku Ytti via juniper-nsp
Some comments from quick read of just IPv4.
- I don't like the level of abstraction, seems it just ensures no one will bother reading it up and reuse of the filters and terms won't happen anyhow. It feels like first time learning OO language, and making everything modular, while adding overhead

Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

2024-04-28 Thread Barry Raveendran Greene via juniper-nsp
Thanks for sharing Martin. As a word of advice, we have a challenge with BGP Session security. It seems that operators are not applying filters like these to protect the router, the control plane, and BGP. They are not common, but we are seeing BGP session attacks. This spurred this post after

Re: [j-nsp] ACL for lo0 template/example comprehensive list of 'things to think about'?

2024-04-28 Thread Martin Tonusoo via juniper-nsp
Hi.

> In practical life IOS-XR control-plane is better protected than JunOS,
> as configuring JunOS securely is very involved, considering that MX
> book gets it wrong, offering horrible lo0 filter as does Cymru, what
> chance the rest of us have?

I recently worked on a RE protection filter

Re: [j-nsp] BGP timer

2024-04-28 Thread Thomas Bellman via juniper-nsp
On 2024-04-27 09:44, Lee Starnes via juniper-nsp wrote:

> Having difficulty finding a way to prevent BGP from re-establishing after a
> BFD down detect. I am looking for a way to keep the session from
> re-establishing for a configured amount of time (say 5 minutes) to ensure
> we don't have a

Re: [j-nsp] BGP timer

2024-04-28 Thread Saku Ytti via juniper-nsp
On Sat, 27 Apr 2024 at 14:29, Rolf Hanßen via juniper-nsp wrote:

> at least for link flapping issues (but not other session flapping reasons)
> you could set the hold-time:
> set interfaces xy hold-time up 30

Since Junos 14.1 it has caught up with Cisco, and it has implemented exponential