Hello,
On 07/07/2016 23:07, Clinton Work wrote:
JunOS doesn't have an explicit control-plane interface
Not exactly true. It does but You cannot attach filters directly to it.
It is called fxp1/em1.
and you attach
your control-plane filter to lo0.0 instead.
Depending on platform and expected load, lo0 may not be the best place.
I.e. in branch SRX, lo0 filter evaluation comes AFTER incoming interface
filter & policy evaluations,
and as a result, the flows are established even for those packets that
are eventually denied by lo0 filter.
Therefore, on branch SRX the best place is a control-plane filter
attached as incoming interface filter.
HTH
Thx
Alex
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
