David Ball wrote:
  Hey folks.  They say the definition of insanity is repeating the
same thing over and over and expecting different results, and again I
found myself trying to use routing policy in a firewall filter,
unsuccessfully.
  We have 4 upstream ISPs, 2 on 1 router and 2 on another.  Until now
we've had to maintain large prefix-lists including all customer blocks
on both routers such that they can be applied to firewall filters to
perform anti-spoofing.  I'm trying to find a way to simplify this,
such that if my provisioning guys add a new customer who has their own
block, the anti-spoofing rules filtering inbound internet traffic will
allow it.
  What are other folks doing?  Prefix-list maintenance is the only way?
I get the feeling this question has been asked before, but I
couldn't find it.

Isn't it enough for you to enable unicast reverse path verify on the routers so that clients can't spoof packets?
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
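
A model of the unicast reverse-path check suggested in the reply, as an added example that is not part of the original thread: the allowed source set comes from the routing table, so a newly provisioned customer route is permitted without touching a prefix-list. The `Fib` class, the interface names and the documentation-range prefixes are constructed assumptions; this is a plain Python model, not Junos configuration.

```python
import ipaddress

class Fib:
    """Toy forwarding table: prefix -> interfaces of the best route (constructed model)."""
    def __init__(self):
        self.routes = {}

    def add(self, prefix, iface):
        self.routes.setdefault(ipaddress.ip_network(prefix), set()).add(iface)

    def lookup(self, addr):
        """Longest-prefix match; returns the interface set, or None if unrouted."""
        ip = ipaddress.ip_address(addr)
        matches = [n for n in self.routes if ip in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

def urpf_accept(fib, src, in_iface, mode="strict"):
    """Strict: the best route back to src must use the arrival interface.
    Loose: any route to src is sufficient."""
    ifaces = fib.lookup(src)
    if ifaces is None:
        return False
    return True if mode == "loose" else in_iface in ifaces

def demo():
    fib = Fib()
    fib.add("192.0.2.0/24", "cust-1")         # existing customer block
    fib.add("198.51.100.0/24", "upstream-a")  # internet prefix, best path via upstream A
    r = {}
    r["cust_legit"] = urpf_accept(fib, "192.0.2.10", "cust-1")
    r["cust_spoof"] = urpf_accept(fib, "198.51.100.7", "cust-1")
    # New customer with their own block: accepted once provisioning adds the route.
    r["new_before"] = urpf_accept(fib, "203.0.113.5", "cust-2")
    fib.add("203.0.113.0/24", "cust-2")
    r["new_after"] = urpf_accept(fib, "203.0.113.5", "cust-2")
    # Internet-facing side: a customer source arriving from an upstream.
    r["inbound_strict"] = urpf_accept(fib, "192.0.2.10", "upstream-a")
    r["inbound_loose"] = urpf_accept(fib, "192.0.2.10", "upstream-a", mode="loose")
    # Multihoming caveat: genuine traffic arriving on the non-best upstream.
    r["asym_strict"] = urpf_accept(fib, "198.51.100.7", "upstream-b")
    r["asym_loose"] = urpf_accept(fib, "198.51.100.7", "upstream-b", mode="loose")
    return r

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:15} {'accept' if accepted else 'drop'}")
```

In this model strict mode on an upstream-facing interface drops asymmetric but genuine traffic, while loose mode accepts customer-sourced packets arriving from the internet, so the mode has to be chosen per interface role.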
