On Wed, 18 Mar 2020 at 18:30, John Kristoff <j...@depaul.edu> wrote:

> Yep, I get all that. I can tighten that up. Care to show us how you
> do loopback filters?

It is situational; it's hard to come up with a one-size-fits-all. One approach would be a basic skeleton, on top of which people then expand what they need, which would then likely also be broken. Another option would be to write an exhaustive one, but an exhaustive one necessarily has compromises, so then people who don't need everything still take those compromises.

Really, Juniper would be in the best position to automatically generate a lo0 filter when none is provided, which would be really really good, not optimal, but really good. A bit like generated-LPTS.

I'm not sure if there is utility in a public template. But it's something that I do occasionally think about, not just Junos or just firewall, but also BGP, to show how to normalise BGP behaviour (no one knows what their BGP policy is very accurately, as in almost every case BGP policy is 'whatever is vendor default', and when you have a multivendor network, you have different policy in different devices).

-- 
  ++ytti
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp