Mailing List Archive: Firewall filter: Allow ISIS

Firewall filter: Allow ISIS

Aug 27, 2003, 7:07 AM

Post #1 of 5 (2530 views)

All,

I'm being a little lazy, but need to know what parameter 'from' is set for
matching all ISIS packets in a firewall filter.
This is obviously applied to the lo0 interface.

An OSPF example;

term allow-ospf {
from {
source-address {
192.168.2.0/24;
192.168.3.0/24;
}
protocol ospf;
}
then accept;
}

There is NO 'protocol isis' or 'iso' in release 6.0R1.3.

Thanks, Neil.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/juniper-nsp/attachments/20030827/547095b8/attachment.htm

Firewall filter: Allow ISIS [ In reply to ]

michael at lyngbol

Aug 27, 2003, 7:31 AM

Post #2 of 5 (2485 views)

Permalink

On 27.08.2003 12:06:42 +0000, Neil Stirling wrote:
> All,
>
> I'm being a little lazy, but need to know what parameter 'from' is set for
> matching all ISIS packets in a firewall filter.
> This is obviously applied to the lo0 interface.
>
> An OSPF example;
>
> term allow-ospf {
> from {
> source-address {
> 192.168.2.0/24;
> 192.168.3.0/24;
> }
> protocol ospf;
> }
> then accept;
> }
>
> There is NO 'protocol isis' or 'iso' in release 6.0R1.3.

As IS-IS isn't an IP protocol I'm not sure if you're able to filter
these kind of packets at all.

What are you trying to achieve?

/Michael

--
Michael Lyngb?l -- michael at lyngbol dot dk
Network Architect, AS3292 TDC, IP?backbone

Firewall filter: Allow ISIS [ In reply to ]

mourad.berkane at lambdanet

Aug 27, 2003, 7:33 AM

Post #3 of 5 (2492 views)

Permalink

OSPF run over IP, ISIS not.

Do you need to do an ISO filtering?

-----Message d'origine-----
De : Neil Stirling [mailto:neil.stirling@nortelnetworks.com]
Envoy? : mercredi 27 ao?t 2003 13:07
? : juniper-nsp@puck.nether.net
Objet : [j-nsp] Firewall filter: Allow ISIS

All,

I'm being a little lazy, but need to know what parameter 'from' is set for
matching all ISIS packets in a firewall filter.

This is obviously applied to the lo0 interface.

An OSPF example;

term allow-ospf {
from {
source-address {
192.168.2.0/24;
192.168.3.0/24;
}
protocol ospf;
}
then accept;
}

There is NO 'protocol isis' or 'iso' in release 6.0R1.3.

Thanks, Neil.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://puck.nether.net/pipermail/juniper-nsp/attachments/20030827/4caa120f/attachment.htm

Firewall filter: Allow ISIS [ In reply to ]

Guy.Davies at telindus

Aug 27, 2003, 8:05 AM

Post #4 of 5 (2526 views)

Permalink

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iso filtering is simple. Just don't enable family iso on an interface and
no iso packets will cross the interface :-)

Regards,

Guy

- -----Original Message-----
From: Mourad BERKANE [ mailto:mourad.berkane@lambdanet.fr
<mailto:mourad.berkane@lambdanet.fr> ]
Sent: Wednesday, August 27, 2003 12:35 PM
To: 'Neil Stirling'
Cc: juniper-nsp@puck.nether.net
Subject: RE: [j-nsp] Firewall filter: Allow ISIS

OSPF run over IP, ISIS not.

Do you need to do an ISO filtering?

-----Message d'origine-----
De : Neil Stirling [ mailto:neil.stirling@nortelnetworks.com
<mailto:neil.stirling@nortelnetworks.com> ]
Envoy? : mercredi 27 ao?t 2003 13:07
? : juniper-nsp@puck.nether.net
Objet : [j-nsp] Firewall filter: Allow ISIS

All,

I'm being a little lazy, but need to know what parameter 'from' is set for
matching all ISIS packets in a firewall filter.

This is obviously applied to the lo0 interface.

An OSPF example;

term allow-ospf {
from {
source-address {
192.168.2.0/24;
192.168.3.0/24;
}
protocol ospf;
}
then accept;
}

There is NO 'protocol isis' or 'iso' in release 6.0R1.3.

Thanks, Neil.

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBP0yekI3dwu/Ss2PCEQKEhwCg25P7k0NaWduGYfZrSY/pYxeH340AoO96
RG9lgSggRP945yjpcrBEafnG
=+xfo
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGPexch.rtf.pgp
Type: application/octet-stream
Size: 1884 bytes
Desc: not available
Url : https://puck.nether.net/pipermail/juniper-nsp/attachments/20030827/0b87bead/PGPexch.rtf.obj

Firewall filter: Allow ISIS [ In reply to ]

harry at juniper

Aug 27, 2003, 1:31 PM

Post #5 of 5 (2532 views)

Permalink

AFAIK, we do not support filtering of ISO PDUs.

> -----Original Message-----
> From: juniper-nsp-bounces@puck.nether.net
> [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Guy Davies
> Sent: Wednesday, August 27, 2003 5:06 AM
> To: 'Mourad BERKANE'; 'Neil Stirling'
> Cc: juniper-nsp@puck.nether.net
> Subject: RE: [j-nsp] Firewall filter: Allow ISIS
>
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iso filtering is simple. Just don't enable family iso on an
> interface and no iso packets will cross the interface :-)
>
> Regards,
>
> Guy
>
> - -----Original Message-----
> From: Mourad BERKANE [ mailto:mourad.berkane@lambdanet.fr
> <mailto:mourad.berkane@lambdanet.fr> ]
> Sent: Wednesday, August 27, 2003 12:35 PM
> To: 'Neil Stirling'
> Cc: juniper-nsp@puck.nether.net
> Subject: RE: [j-nsp] Firewall filter: Allow ISIS
>
>
> OSPF run over IP, ISIS not.
>
> Do you need to do an ISO filtering?
>
>
> -----Message d'origine-----
> De : Neil Stirling [ mailto:neil.stirling@nortelnetworks.com
> <mailto:neil.stirling@nortelnetworks.com> ]
> Envoy? : mercredi 27 ao?t 2003 13:07
> ? : juniper-nsp@puck.nether.net
> Objet : [j-nsp] Firewall filter: Allow ISIS
>
>
>
> All,
>
> I'm being a little lazy, but need to know what parameter
> 'from' is set for matching all ISIS packets in a firewall filter.
>
> This is obviously applied to the lo0 interface.
>
> An OSPF example;
>
> term allow-ospf {
> from {
> source-address {
> 192.168.2.0/24;
> 192.168.3.0/24;
> }
> protocol ospf;
> }
> then accept;
> }
>
> There is NO 'protocol isis' or 'iso' in release 6.0R1.3.
>
> Thanks, Neil.
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0
>
> iQA/AwUBP0yekI3dwu/Ss2PCEQKEhwCg25P7k0NaWduGYfZrSY/pYxeH340AoO96
> RG9lgSggRP945yjpcrBEafnG
> =+xfo
> -----END PGP SIGNATURE-----
>
>
>
>
>