On Saturday, September 03, 2011 09:18:51 PM Richard A Steenbergen wrote:

> 2) EX lo0 filters don't actually work correctly for DoS
> prevention, they get applied *AFTER* the packets have
> already destroyed the RE, and thus are completely
> ineffective at defending the boxes from attack. The only
> way to correctly block control plane traffic on EX is
> with ingress filters on "real" interfaces (or RVIs).

Just to add, in case you're planning to perform any egress
filtering on an RVI for IPv6, it won't work if one of your
match conditions is a destination address:

[edit interfaces vlan unit 998 family inet6]
  'filter'
    Referenced filter 'filter-outgoing6' can not be used as destination-address not supported on egress IRB
error: configuration check-out failed

This is Junos 10.4R4.5. Don't know if anything later fixes this.

Ingress filtering with that match condition is fine, however.

Cheers,

Mark.
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
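
Added example, not part of the message above and not Juniper code: a small pre-commit check that scans a configuration in "display set" form for the case the message describes, an inet6 output filter on an RVI/IRB unit whose terms match on destination-address. The sample configuration is constructed; only the unit number 998 and the filter name filter-outgoing6 come from the message, and the check assumes the restriction behaves as reported there for Junos 10.4R4.5.

```python
import re

# Constructed sample in "display set" form. Apart from unit 998 and
# filter-outgoing6, every name and address here is made up for illustration.
SAMPLE_CONFIG = """\
set firewall family inet6 filter filter-outgoing6 term t1 from destination-address 2001:db8:1::/48
set firewall family inet6 filter filter-outgoing6 term t1 then discard
set firewall family inet6 filter filter-outgoing6 term t2 then accept
set firewall family inet6 filter filter-incoming6 term t1 from destination-address 2001:db8:2::/48
set firewall family inet6 filter filter-incoming6 term t1 then accept
set firewall family inet6 filter src-only6 term t1 from source-address 2001:db8:3::/48
set firewall family inet6 filter src-only6 term t1 then accept
set interfaces vlan unit 998 family inet6 filter output filter-outgoing6
set interfaces vlan unit 998 family inet6 filter input filter-incoming6
set interfaces vlan unit 999 family inet6 filter output src-only6
set interfaces ge-0/0/1 unit 0 family inet6 filter output filter-outgoing6
"""

# An inet6 filter term that matches on destination-address.
DST_MATCH = re.compile(
    r"^set firewall family inet6 filter (\S+) term \S+ from destination-address \S+")
# An inet6 filter bound to an RVI ("vlan") or IRB unit, in either direction.
BINDING = re.compile(
    r"^set interfaces (vlan|irb) unit (\d+) family inet6 filter (input|output) (\S+)")


def find_unsupported_egress(config_text):
    """Return sorted (interface, filter) pairs for inet6 output filters on
    RVI/IRB units whose filter matches on destination-address."""
    dst_filters = set()
    bindings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = DST_MATCH.match(line)
        if m:
            dst_filters.add(m.group(1))
            continue
        m = BINDING.match(line)
        if m:
            bindings.append(m.groups())
    # Resolve after the full pass so statement order in the file does not matter.
    return sorted(
        (f"{ifd}.{unit}", name)
        for ifd, unit, direction, name in bindings
        if direction == "output" and name in dst_filters
    )


if __name__ == "__main__":
    for ifl, name in find_unsupported_egress(SAMPLE_CONFIG):
        print(f"{ifl}: output filter {name} matches destination-address")
```

The input binding on unit 998 and the source-address-only output filter on unit 999 are not flagged, and the physical-port binding is skipped because the message only reports the restriction for RVIs.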