--- Begin Message ---
Charles-
This may be off mark but you have tried removing and re-adding the filter to
your lo0.0 or doing a commit full?
I have seen apply-groups inheritance issues in 16.1 that match the sort of
issues you are having. I have experienced them both in BGP and firewall
filters. For example, I used an apply-group for iBGP and I have seen changes
inside the config group result in a mismatch between config and operational
behavior after a commit. Same deal with firewall filters. I've seen it across
all of my MX gear and I didn't see this behavior in 14.1.
At some point JTAC pointed me to this the following PR.
https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1357802
I have seen the description of this PR change over time. When I was first
pointed to the PR it was all about vrf-import but now I see it has been
expanded to other types of inheritance. Personally I have NOT seen an RPD core
with respect to this issue.
I have been using 18.3R3 in my lab and haven't seen inheritance issues (yet?)
-Michael
> -Original Message-
> From: juniper-nsp On Behalf Of
> Anderson, Charles R
> Sent: Monday, December 9, 2019 3:13 PM
> To: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] [EXT] firewall filter misses connected interface
> addresses
>
> I use something like this so the same firewall filter is applied on all lo0.*
> interfaces of all VRFs and logical-systems:
>
> set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet
> filter input ROUTING-ENGINE
> set groups RE-FILTER logical-systems <*> interfaces lo0 unit <*> family inet6
> filter input ROUTING-ENGINE6
> set groups RE-FILTER interfaces lo0 unit <*> family inet filter input ROUTING-
> ENGINE
> set groups RE-FILTER interfaces lo0 unit <*> family inet6 filter input
> ROUTING-ENGINE6
> set apply-groups RE-FILTER
>
> On Mon, Dec 09, 2019 at 05:10:01PM +0100, Andreas wrote:
> > Hello Mike,
> >
> > if you're using that lo0.0 in a routing-instance or use more than one
> > loopback you could also run into these restrictions:
> >
> > - If you configure Filter A on the default loopback interface and
> > Filter B on the VRF loopback interface, the VRF routing instance uses
> > Filter B.
> >
> > - If you configure Filter A on the default loopback interface but do
> > not configure a filter on the VRF loopback interface, the VRF routing
> > instance does not use a filter.
> >
> > - If you configure Filter A on the default loopback interface but do
> > not even configure a VRF loopback interface, the VRF routing instance
> > uses Filter A.
> >
> > See
> > https://www.juniper.net/documentation/en_US/junos/topics/usage-
> guidelines/vpns-configuring-logical-units-on-the-loopback-interface-for-
> routing-instances-in-layer-3-vpns.html
> >
> >
> > BR
> > Andreas
> >
> > On Mon, 9 Dec 2019 15:46:38 +, Anderson, Charles R wrote:
> > > What hardware and software version? There were some
> bugs/limitations
> > > with certain combinations.
> > >
> > > On Mon, Dec 09, 2019 at 07:42:02AM -0800, Mike wrote:
> > >> Hello,
> > >>
> > >> I have a problem getting junos to filter out admin access to my
> > >> router
> > >> from unauthorized addresses.
> > >>
> > >> I have some addresses bound to lo0.0 which I am advertising
> > >> internally
> > >> in my igp, and which are the 'official' addresses used for SNMP, SSH
> > >> and
> > >> BGP to the router.
> > >>
> > >> I have firewall filters also that limit access to these protocols
> > >> using
> > >> prefix lists and such, and these filters are applied to lo0.0. The
> > >> filters work and I can observe log messages for invalid accesses to
> > >> the
> > >> protocols from unauthorized ip addresses. HOWEVER, snmp/ssh/bgp
> > >> access
> > >> to other ip addresses bound on the router, such as ethernet
> > >> interface
> > >> addresses, are still being allowed. I thought, according to various
> > >> junos docs, that applying a filter to lo0.0 filters out packets
> > >> destined
> > >> locally to the box regardless of actual interface. Could use some
> > >> help.
> ___
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--- End Message ---
___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
