Mailing List Archive

implementing filters on all interfaces
Hi!

Do you know any way to implement filters on all the interfaces
simultaneously? I mean sth like cisco's "ip receive acl".

And another thing - did any one of you use vrrp with 5.5R3.1
software? It occurs to me that the GE interfaces, on which the
vrrp is configured, hang after applying a heavy load to them.

Regards,
Adam.

implementing filters on all interfaces [ In reply to ]
On Wed, 23 Apr 2003, Adam Szymajda wrote:
> Do you know any way to implement filters on all the interfaces
> simultaneously? I mean sth like cisco's "ip receive acl".

That's not what "ip receive acl" is, AFAIR.

The equivalent behaviour can be achieved using input filter on lo0.0
interface, though.

--
Pekka Savola "You each name yourselves king, yet the
Netcore Oy kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings
implementing filters on all interfaces [ In reply to ]
Please note that a lo0 filter will take effect only for traffic
terminating (input) or originating (output) on the local RE, i.e.,
transit traffic is unaffected.

You can use groups to apply filters to "groups" of interfaces:

[edit]
lab@r2# show groups
test {
    interfaces {
        <*> {    <<< catches all, I suggest something more like <fe-*>, <so-*>, etc.
            unit <*> {
                family inet {
                    filter {
                        input test;
                    }
                }
            }
        }
    }
}

[edit]
lab@r2# show interfaces fe-0/0/0 | display inheritance
unit 0 {
    family inet {
        ##
        ## 'filter' was inherited from group 'test'
        ##
        filter {
            ##
            ## 'test' was inherited from group 'test'
            ##
            input test;
        }
        address 3.2.1.2/24;
    }





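The two approaches discussed above, side by side, as an added example that is not from the original posts: an lo0.0 input filter for traffic terminating on the RE, and a group that puts filter test on every fe- unit for transit traffic. The filter name protect-re, its terms and the 192.0.2.0/24 management prefix are assumptions; filter test is assumed to be defined elsewhere under [edit firewall].

```junos
/* Added example. protect-re, its terms and 192.0.2.0/24 are assumptions. */
firewall {
    filter protect-re {
        term mgmt-ssh {
            from {
                source-address {
                    192.0.2.0/24;
                }
                protocol tcp;
                destination-port ssh;
            }
            then accept;
        }
        /* Routing protocols, VRRP, ICMP etc. need accept terms before this. */
        term default-deny {
            then {
                count re-denied;
                discard;
            }
        }
    }
}
groups {
    test {
        interfaces {
            /* <fe-*> rather than <*> keeps the group off lo0 and fxp0. */
            <fe-*> {
                unit <*> {
                    family inet {
                        filter {
                            input test;
                        }
                    }
                }
            }
        }
    }
}
/* Without apply-groups the group is never inherited. */
apply-groups test;
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

After commit, `show interfaces | display inheritance` shows which units picked up the group's filter, as in the output above.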
implementing filters on all interfaces [ In reply to ]
Greetings,


--On Wednesday, April 23, 2003 08:07 -0700 Harry Reynolds
<harry@juniper.net> wrote:

...

> You can use groups to apply filters to "groups" of interfaces:
>
> [edit]
> lab@r2# show groups
> test {
>     interfaces {
>         <*> {    <<< catches all, I suggest something more like <fe-*>, <so-*>, etc.


Nice trick -- will that also work for vlans? That is <ge-*.56> to match
any GigE interface that has vlan 56 defined within?


Scott
implementing filters on all interfaces [ In reply to ]
Not sure that I follow; the approach I demonstrated catches all
logical units, which should in turn catch all VLAN IDs as there is a
one to one mapping between the two.

Something like:

test {
    interfaces {
        <fe-*> {
            unit <512-526> {
                family inet {
                    filter {
                        input test;
                    }
                }
            }
        }
    }
}

Should catch all FEs with units in the range of 512-526. If these
units are associated with VLANs, then all the better, I say.


HTHs



implementing filters on all interfaces [ In reply to ]
On Wed, Apr 23, 2003 at 05:15:06PM +0200, Scott A. McIntyre wrote:
> Nice trick -- will that also work for vlans? That is <ge-*.56> to match
> any GigE interface that has vlan 56 defined within?

Yes, but different syntax:

groups {
    interface-defaults {
        interfaces {
            <ge-*> {
                unit <56> {
                    ....
                }
            }
        }
    }
}


Best regards,
Daniel
implementing filters on all interfaces [ In reply to ]
Of course, "unit 56" doesn't necessarily mean VLAN-ID 56 unless
you ensure it by convention... :)


implementing filters on all interfaces [ In reply to ]

Hi Scott,

The answer is yes. However, you'd have to do it something like this.

groups {
    test {
        interfaces {
            <fe-*> {
                unit 56 {
                    vlan-id 56;
                    family inet {
                        filter {
                            input test;
                        }
                    }
                }
            }
        }
    }
}

This would set the vlan-id of unit 56 on every FE port to be 56 and apply
the filter test to that vlan inbound. You must actually create the specific
interface and unit under the main interfaces section (i.e. this doesn't
create the unit if it's not there - but that doesn't matter because each
interface/unit requires a unique IP address :-)

Regards,

Guy

implementing filters on all interfaces [ In reply to ]
On Wed, Apr 23, 2003 at 08:59:43AM -0700, Paul Goyette wrote:
> Of course, "unit 56" doesn't necessarily mean VLAN-ID 56 unless
> you ensure it by convention... :)

Erm yes, I took that as "best practice". I was overgeneralizing. :-)


Best regards,
Daniel