Hi Paul,

Flowspec and ExaBGP?

You probably can get JUNOS to build dynamically but have never tried that specific case. The most we do is to have a commit script that searches for all BGP peer addresses and then opens them up automatically on the control plane filter.

I doubt you could get it to change on every routing update change (e.g. only during config commit) as that would lead to a possible control plane DoS situation from a flood of updates.

Rich.

Network Engineering Manager
Exa Networks Ltd :: AS30740
[email protected]

On 31 May 2018 at 11:37, Simon Woodhead <[email protected]> wrote:

> Hi Paul
>
> Loose uRPF and ExaBGP are your friends here presuming uRPF behaves the
> same on Junos as others.
>
> W
>
> --
> SIMON WOODHEAD
> Founder and CEO
> [email protected]
> +44 330 122 3000
> www.simwood.com
>
> Simwood eSMS Limited, Simwood House, Cube M4 Business Park, Old
> Gloucester Road, Bristol, BS16 1FX, United Kingdom
> Registered in England 03379831
>
> Simwood Inc., 301 Union St. #21445, Seattle, WA 98111, United States
>
> On Thu, May 31, 2018 at 11:31, Paul Thornton <[email protected]> wrote:
>
> Hi folks,
>
> I'm wondering if it is possible to dynamically build a firewall filter
> from routes learned via BGP, based on a community or just routes learned
> from a peer.
>
> The use case here is to take a Team Cymru BGP bogons feed and build a
> "deny anything from these sources" firewall that can then be applied to
> both customer and peer interfaces.
>
> This could, of course, be scripted but I'm wondering if there isn't some
> kind of magic that we can use to get the router to do it natively.
>
> Thanks
>
> Paul.
>
> --
> Paul Thornton
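
The scripted route mentioned in the thread, as an added example (not code from anyone in the thread): it diffs a bogon prefix list against what is already configured and emits Junos `set`/`delete` lines for one batched commit, with a churn cap in the spirit of the concern about update floods. The prefix-list and filter names, the sample feed lines and the churn limit are assumptions, and the prefixes are assumed to have already been extracted from the BGP feed as text.

```python
import ipaddress

# Constructed sample feed lines (not real feed output).
SAMPLE_FEED = ["10.0.0.0/8", "100.64.0.0/10  # CGN", "192.168.0.0/16",
               "198.18.0.0/16", "198.19.0.0/16", ""]

# One-time filter config; the names BOGONS and DROP-BOGONS are hypothetical.
FILTER = [
    "set firewall family inet filter DROP-BOGONS term bogons from source-prefix-list BOGONS",
    "set firewall family inet filter DROP-BOGONS term bogons then discard",
    "set firewall family inet filter DROP-BOGONS term rest then accept",
]

def parse_feed(lines):
    """Validate IPv4 prefixes; skip blanks and comments, refuse a default route."""
    nets = set()
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if not text:
            continue
        net = ipaddress.ip_network(text, strict=True)  # ValueError on host bits
        if net.version != 4:
            continue  # this sketch covers the inet filter only
        if net.prefixlen == 0:
            raise ValueError("refusing 0.0.0.0/0: it would drop all traffic")
        nets.add(net)
    return nets

def junos_changes(current, feed, list_name="BOGONS", max_churn=50):
    """Return set/delete lines that move the prefix-list from current to feed."""
    wanted = set(ipaddress.collapse_addresses(feed))  # merge adjacent prefixes
    if not wanted:
        raise ValueError("empty feed: keep the existing list instead of emptying it")
    have = set(current)
    add, drop = sorted(wanted - have), sorted(have - wanted)
    if len(add) + len(drop) > max_churn:
        raise ValueError("churn above limit: review before committing")
    base = f"policy-options prefix-list {list_name}"
    return ([f"delete {base} {n}" for n in drop] +
            [f"set {base} {n}" for n in add])

if __name__ == "__main__":
    on_router = parse_feed(["10.0.0.0/8", "203.0.113.0/24"])  # constructed state
    for line in junos_changes(on_router, parse_feed(SAMPLE_FEED)) + FILTER:
        print(line)
```

Run on a schedule rather than per routing update, so each run produces at most one commit.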
