nanog mailing list archives

Re: BCP38 - Internet Death Penalty


From: Chris Adams <cmadams () hiwaay net>
Date: Thu, 28 Mar 2013 11:49:44 -0500

Once upon a time, Leo Bicknell <bicknell () ufp org> said:
> The feature I would like is to set the _packet filter_ based on the
> _received routes_ over BGP.

On JUNOS, you can use 

routing-options {
    forwarding-table {
        unicast-reverse-path feasible-paths;
    }
}

to get that behavior (although it is a global option, not
per-interface, I don't think there's any harm in using it).

> Actually, received routes post prefix list.
> Consider this syntax:
>
>  neighbor 1.2.3.4 install-dynamic-filter Gig10/1/2 prefix-list customer-prefixes
>
> Anything that was received would go through the prefix-list
> customer-prefixes (probably the same list used to filter their
> announcements), and then get turned into a dynamic ACL applied to
> the inbound interface (Gig10/1/2 in this case).

JUNOS does that as well.  You can use the same prefix-list in both a BGP
policy filter and a firewall filter.

-- 
Chris Adams <cmadams () hiwaay net>
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
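
A simplified model of the reverse-path check discussed in this message, added here as an example and not part of the original post or any vendor's code: it contrasts accepting a source only on the interface of the active route with accepting it on any interface where a route for that prefix was received (the `feasible-paths` behaviour). The RIB contents, interface names and function names are constructed for illustration, and the strict mode is labelled `active-paths` here.

```python
import ipaddress

# Constructed sample RIB: prefix -> list of (interface, is_active_path).
# 198.51.100.0/24 is multihomed: best path via ge-0/0/1, backup via ge-0/0/2.
RIB = {
    "198.51.100.0/24": [("ge-0/0/1", True), ("ge-0/0/2", False)],
    "203.0.113.0/24": [("ge-0/0/2", True)],
}


def build_rpf_table(rib, mode):
    """Map each prefix to the set of interfaces allowed as ingress for it."""
    if mode not in ("active-paths", "feasible-paths"):
        raise ValueError(f"unknown mode: {mode}")
    table = {}
    for prefix, paths in rib.items():
        if mode == "active-paths":
            # Strict: only the interface of the route chosen for forwarding.
            ifaces = {iface for iface, active in paths if active}
        else:
            # Feasible: every interface a route for this prefix was received on.
            ifaces = {iface for iface, _ in paths}
        table[ipaddress.ip_network(prefix)] = ifaces
    return table


def rpf_check(table, src, ingress):
    """Return True if a packet from src may enter on the ingress interface."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in table if addr in net]
    if not matches:
        return False  # no route back to the source at all: treat as spoofed
    best = max(matches, key=lambda net: net.prefixlen)  # longest-prefix match
    return ingress in table[best]


if __name__ == "__main__":
    for mode in ("active-paths", "feasible-paths"):
        table = build_rpf_table(RIB, mode)
        # Legitimate traffic arriving over the customer's backup link.
        print(mode, "backup link:", rpf_check(table, "198.51.100.7", "ge-0/0/2"))
        # Source with no received route (constructed spoofed address).
        print(mode, "no route:", rpf_check(table, "192.0.2.1", "ge-0/0/2"))
```

The multihomed prefix is the case that matters: the strict check drops legitimate traffic arriving on the backup link, while the feasible check accepts it and still drops sources for which no route was received.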

