>> Incidentally, I highly recommend placing a spoof-protect filter on your
>> fxp0 interface (something like: from source-address fxp0-network;
>> dest-addr fxp0-network; then accept; rest then reject), because all
>> packets entering fxp0 (e.g., broadcasts) with a non-fxp0-network
>> destination will be sent to the PFE and be forwarded there.
>
> So probably it is better to set up a virtual router instance and move
> the fxp0 interface into it and use that for management and get the
> rib/fib separated from the global instance?
>

might be - I've never used virtual routers. a firewall input filter on
fxp0 is just in the kernel (obviously not in the PFE ASICs), but it
works well. :)
-felix

--
Felix Schüren
Head of NOC
------------------------------------------------------------------
Host Europe GmbH - http://www.hosteurope.de
Welserstraße 14 - D-51149 Köln - Germany
Phone: (0800) 4 67 83 87 - Fax: (01805) 66 32 33
HRB 28495 Amtsgericht Köln - VAT ID DE187370678
Managing Directors: Uwe Braun - Alex Collins - Mark Joseph - Patrick Pulvermüller

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
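The fxp0 spoof-protect filter sketched in the quoted text, written out as a Junos configuration. This is an added example, not configuration from the thread's participants; the management subnet 192.0.2.0/24, the host address 192.0.2.10/24 and the filter and term names are placeholders and must be replaced with the real fxp0 network. The filter implements exactly the quoted design (source and destination both in the fxp0 network are accepted, everything else is rejected) and additionally counts the rejected packets so that stray or spoofed traffic arriving on fxp0 is visible in `show firewall`.

```junos
firewall {
    family inet {
        filter fxp0-spoof-protect {
            /* Only traffic that both comes from and is destined to the
               fxp0 management network may enter the management interface.
               192.0.2.0/24 is a placeholder for the real fxp0 subnet. */
            term allow-mgmt-net {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then accept;
            }
            /* Anything else (broadcasts for other networks, spoofed
               sources, packets that would otherwise be handed to the PFE
               and forwarded) is counted and rejected. */
            term reject-rest {
                then {
                    count fxp0-spoof-rejects;
                    reject;
                }
            }
        }
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                filter {
                    input fxp0-spoof-protect;
                }
                address 192.0.2.10/24;
            }
        }
    }
}
```

Because the filter is applied as an input filter on the interface used for management, commit it with `commit confirmed` and verify the session survives before confirming; if management hosts sit on a subnet other than the fxp0 network, add that subnet to the `source-address` list of the accept term rather than loosening the destination match. The counter can be inspected with `show firewall filter fxp0-spoof-protect`.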