On Sep 27, 2012, at 1:21 PM, Kevin Wormington wrote:
> I haven't tested this but I think:
> 
> term term1 {
>    from {
>        protocol [ direct static ];
>        interface fxp0.0;
>    }
>    then reject;
> }

Nice, thanks.

> In our policies we explicitly allow prefixes we want in BGP and deny 
> everything else by default so it's not really an issue.  In my experience 
> that is pretty much standard practice for BGP...otherwise you could 
> accidentally leak all sorts of nasty things.


Externally of course we do. I'm not in love with the way iBGP was set up here, 
but they apparently wanted "all routes everything" kind of internal sharing. 
Obviously however it's much better to share "everything I will route a packet 
to", of which fxp0 doesn't qualify.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.



_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
