Mailing List Archive

RE: bgp config changes (was: autonomous-system N loop s L)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#-----Original Message-----
#From: Daniel Roesen [mailto:dr@cluenet.de]
#Sent: Friday, December 12, 2003 9:33 PM
#To: juniper-nsp@puck.nether.net
#Subject: Re: [j-nsp] RE: bgp config changes (was:
#autonomous-system N loops L)
<snip>
#Ideally, it should allow all the "exact", "orlonger", "longer" etc.
#qualifiers.
#
#> This would allow a single prefix-list to be used in a firewall
#> and a policy and have them both represent the "complete" subnets.
#
#Especially, it allows using the same IRR-generated prefix list
#to filter accepted prefixes from BGP customers (match exact), and use
#the same prefix-list to accept more-specifics (match longer) for
#remote-triggered blackholing or traffic engineering purposes and
#treat them differently to the normal IRR-accepted prefixes.
#
#Would be another step ahead IOS. :-)

Exactly! The way I must accomplish this today is to force my
prefix-list generator to build the list of route-filters twice
(once upto /32, for customer blackholing, and once upto /24).
Quite a waste. And with a large customer, or non-customer peers,
these policy-statements can grow quite large.

Ben

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBP9qQLtFQh6ARB7TZEQIbQACg4IYjuACca8P1X0mJ5fT8vuXXkZUAn04c
yJnHgrftq+rPmJfBe21Sa9dV
=2QDT
-----END PGP SIGNATURE-----
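As an added example (not code from this thread or from Juniper), the following Python script does what Ben describes: because a prefix-list of that era only matches exactly, the IRR-registered prefixes are emitted twice as route-filter statements, once upto /24 for ordinary customer routes and once upto /32 for routes tagged with a blackhole community. It also includes a small evaluator that models the route-filter upto semantics so the resulting policy can be checked offline. The registered prefixes (RFC 5737 documentation ranges), the community value 65000:666 and the policy and community names are assumptions.

```python
"""Added example (not code from this thread): generate the kind of Junos
import policy Ben describes, with the IRR-registered prefixes emitted twice
as route-filter statements: 'upto /24' for ordinary customer routes and
'upto /32' for routes tagged with a blackhole community.  Prefixes, the
community value 65000:666 and the policy/community names are assumptions.
"""
import ipaddress

BLACKHOLE_COMMUNITY = "65000:666"   # assumed customer blackhole community
NORMAL_MAX = 24                     # longest ordinary route accepted
BLACKHOLE_MAX = 32                  # longest blackhole route accepted


def _filter_stmt(prefix, limit):
    """One route-filter line; 'upto /N' is invalid once the prefix is already /N or longer."""
    net = ipaddress.ip_network(prefix)
    if net.prefixlen >= limit:
        return f"route-filter {net} exact;"
    return f"route-filter {net} upto /{limit};"


def render_import_policy(name, registered):
    """Return a Junos policy-statement (IPv4) with the blackhole term first.

    Term order is the security-relevant part: a /32 is accepted only when it
    carries the blackhole community AND lies inside the customer's registered
    space; without the community it falls through to the 'registered' term,
    whose 'upto /24' does not match it, and is rejected by the final term.
    """
    i = "    "
    out = [
        f"community {name}-BLACKHOLE members {BLACKHOLE_COMMUNITY};",
        "community NO-EXPORT members no-export;",
        f"policy-statement {name} {{",
        f"{i}term blackhole {{",
        f"{i*2}from {{",
        f"{i*3}community {name}-BLACKHOLE;",
    ]
    out += [f"{i*3}{_filter_stmt(p, BLACKHOLE_MAX)}" for p in registered]
    out += [
        f"{i*2}}}",
        f"{i*2}then {{",
        f"{i*3}community add NO-EXPORT;",
        f"{i*3}next-hop discard;",
        f"{i*3}accept;",
        f"{i*2}}}",
        f"{i}}}",
        f"{i}term registered {{",
        f"{i*2}from {{",
    ]
    out += [f"{i*3}{_filter_stmt(p, NORMAL_MAX)}" for p in registered]
    out += [
        f"{i*2}}}",
        f"{i*2}then accept;",
        f"{i}}}",
        f"{i}term default {{",
        f"{i*2}then reject;",
        f"{i}}}",
        "}",
    ]
    return "\n".join(out) + "\n"


def _covered(route, registered, limit):
    """Model 'route-filter REG upto /LIMIT': route inside REG and no longer than the limit."""
    for reg in registered:
        if (reg.version == route.version and route.subnet_of(reg)
                and route.prefixlen <= max(limit, reg.prefixlen)):
            return True
    return False


def evaluate(route, communities, registered):
    """Return 'blackhole', 'accept' or 'reject' for one announced route."""
    r = ipaddress.ip_network(route)
    regs = [ipaddress.ip_network(p) for p in registered]
    if BLACKHOLE_COMMUNITY in communities and _covered(r, regs, BLACKHOLE_MAX):
        return "blackhole"
    if _covered(r, regs, NORMAL_MAX):
        return "accept"
    return "reject"


if __name__ == "__main__":
    # Constructed sample: two registered blocks from the RFC 5737 documentation ranges.
    registered = ["192.0.2.0/24", "198.51.100.0/23"]
    print(render_import_policy("CUST-A-IMPORT", registered))
    for route, comms in [("198.51.100.0/24", set()),
                         ("192.0.2.7/32", set()),
                         ("192.0.2.7/32", {BLACKHOLE_COMMUNITY}),
                         ("203.0.113.9/32", {BLACKHOLE_COMMUNITY})]:
        print(f"{route:18} {sorted(comms)!s:16} -> {evaluate(route, comms, registered)}")
```

The evaluator is worth running against the generated policy before it is pushed: the case to watch is a /32 carrying the blackhole community for space the customer has not registered, which must still come back as reject, since otherwise one customer could blackhole another's addresses.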
RE: bgp config changes (was: autonomous-system N loop s L)
On Fri, Dec 12, 2003 at 11:03:41PM -0500, bbird@epik.net wrote:
>
> Exactly! The way I must accomplish this today, is force my
> prefix-list generator to build the list of route-filter's twice,
> (once upto /32 (for customer blackholing), and once upto /24).
> Quite a waste. And with a large-customer, or non-customer peers,
> these policy-statement's can grow quite large.

Speaking of growing large, has there been any thought given to an
"include" statement in the config, to include data from another file
besides juniper.conf as a way of separating totally distinct and
potentially 100% automated data like prefix-lists or completely
standardized configs (such as you would use with groups) which you
generally don't want to or need to see when showing around in your config
normally?

Personally I would rather just drop to shell and write automated data to a
file, rather than use junoscript or script cli interactions which seem to
be loaded with weird points where you must pause, having to load merge
terminal, etc. I would almost be tempted to give each router its own CVS
repository for such data, and have it pull data until it succeeds,
rather than having a central site push data to all routers... Is anyone
doing anything like this now?

Oh and while I'm asking, has anyone else noticed dropped characters on
large pastes or scripts without artificially induced delays ever since
6.1-ish, or is it just me?

--
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
RE: bgp config changes (was: autonomous-system N loop s L)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#-----Original Message-----
#From: Richard A Steenbergen [mailto:ras@e-gerbil.net]
#Sent: Friday, December 12, 2003 9:51 PM
#To: juniper-nsp@puck.nether.net
#Subject: Re: [j-nsp] RE: bgp config changes (was:
#autonomous-system N loops L)
<snip>
#You wouldn't want the ability to mix "exact" and "orlonger" or even a
#specific range in the same prefix-list?

You bet I would.

#
#I do agree that putting it outside the prefix-list has some advantages
#though. For example, one application which pops to mind that I've had
#users hounding me about is the null route community, and the ability to
#announce it on any IP in their set of registered routes all the way up to
#a /32 without compromising the security of my network or others by
#allowing /32s to be announced as "non-null route".
#
#Thus you might have regular import for BGP routes which is done:
#
#from prefix-list blah upto /24;
#
#And then for null route community imports (which you would probably want
#to set no-export, or say change next-hop to something aimed at a dsc
#interface with a filter that automatically forwards a policied amount
#of packets over a pre-configured LSP to an analysis box for DoS tracking,
#or any number of other things):
#
#from prefix-list blah upto /32;
#
#Personally I'd like to have the modifiers available both inside and
#outside the prefix-list, with a value outside the list overriding.

I agree. There is no reason that the software can't provide this.
Heck, it already does, with respect to route-filters. I would hope
that Juniper would also agree on your idea regarding precedence. It
seems against current Juniper convention to have the common modifier
applied within the policy, overriding the modifier applied to the
specific prefix. But, in this application, the prefix-list's
functionality is only obtained by its use in the policy. So
obviously the policy's modifiers should override. You made me think
about it though. :)

Does anyone else ever wonder if the prefix-list and firewall policy
guy, ever talked to the route policy guy? :-)

#
#> - ability to use prefix-lists for snmp access control
#>
#> :-$
#
#On a completely unrelated subject, if you don't already have it (though
#somehow I suspect you do :P), make sure to add automatically tuning prefix
#limits which track the normal number of prefixes + some configurable
#amount or percentage of burst, and block anything past that as "abnormal"
#without the need to constantly scan peer prefix-limits adjusting for
#growth.

Hey now! I spent a lot of time on these scripts. :) Now what is
that server supposed to do?

I swear, both you and Daniel are reading my notes. :)
Juniper...Please add me to the waiting list, as well (I know...I'll
talk to my rep).

Ben

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBP9qW2NFQh6ARB7TZEQKKoQCgzYAaoKOE4acigXgH3oLRPGlx5ZUAoOkJ
prKS3kAsr6CS8/2QLOd7Ym0V
=yYug
-----END PGP SIGNATURE-----
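The self-tuning prefix limit Richard asks about in the quoted text above, as an added example (not code from this thread, nor Ben's scripts): the limit follows the peer's normal received-prefix count plus a configurable burst allowance, so routine growth needs no hand-editing, while a count past the allowance is reported as abnormal and is deliberately not learned from, so a route leak cannot ratchet the limit up to cover itself. The window size, burst parameters, polled sample counts and neighbor address are assumptions; the rendered stanza uses the Junos prefix-limit / teardown syntax.

```python
"""Added example (not code from this thread): a self-tuning BGP prefix-limit.
The limit tracks the highest recent count judged normal plus a burst
allowance (percentage or absolute, whichever is larger).  Abnormal samples
are reported but not learned from.  Window, burst values, sample counts and
the neighbor address are assumptions.
"""
import math
from collections import deque


class PrefixLimitTracker:
    def __init__(self, window=12, burst_pct=25, burst_min=50, floor=100, seed=()):
        self.burst_pct = burst_pct          # headroom as a percentage of the baseline
        self.burst_min = burst_min          # absolute headroom so small peers get some slack
        self.floor = floor                  # never set a limit below this
        self.samples = deque(maxlen=window) # recent counts judged normal; old peaks age out
        for count in seed:                  # seed from history so the first poll is not "abnormal"
            self.samples.append(count)
        self.limit = self._compute()

    def _compute(self):
        """limit = highest normal count in the window + the larger burst allowance."""
        if not self.samples:
            return self.floor
        base = max(self.samples)
        headroom = max(self.burst_min, math.ceil(base * self.burst_pct / 100))
        return max(self.floor, base + headroom)

    def observe(self, count):
        """Feed one polled prefix count; returns (limit, abnormal).

        An abnormal sample is not added to the window, so the limit is not
        pulled up by the very event it is meant to catch.  Because the window
        is bounded, the limit also shrinks again after a de-aggregation ends.
        """
        if self.samples and count > self.limit:
            return self.limit, True
        self.samples.append(count)
        self.limit = self._compute()
        return self.limit, False


def render_junos(neighbor, limit, teardown_pct=90, idle_timeout=30):
    """Junos BGP neighbor stanza carrying the computed limit (neighbor address assumed)."""
    return (
        f"neighbor {neighbor} {{\n"
        f"    family inet {{\n"
        f"        unicast {{\n"
        f"            prefix-limit {{\n"
        f"                maximum {limit};\n"
        f"                teardown {teardown_pct} idle-timeout {idle_timeout};\n"
        f"            }}\n"
        f"        }}\n"
        f"    }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    # Constructed polling history for one customer peer: a steady ~1000
    # prefixes, then a leak of 5000, then back to normal.
    tracker = PrefixLimitTracker(seed=[1000, 1010, 1020, 1005])
    for count in [1030, 5000, 1030]:
        limit, abnormal = tracker.observe(count)
        print(f"count={count:5} limit={limit:5} {'ABNORMAL' if abnormal else 'ok'}")
    print(render_junos("192.0.2.1", tracker.limit))
```

Run from a poller that reads the peer's received-prefix count each cycle; only when the returned limit differs from what is configured does the stanza need to be loaded onto the router, which keeps the automated config churn to the cases where the peer has actually grown.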
RE: bgp config changes (was: autonomous-system N loop s L)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

#-----Original Message-----
#From: Richard A Steenbergen [mailto:ras@e-gerbil.net]
#Sent: Friday, December 12, 2003 11:24 PM
#To: bbird@epik.net
#Cc: dr@cluenet.de; juniper-nsp@puck.nether.net
#Subject: Re: [j-nsp] RE: bgp config changes (was:
#autonomous-system N loop s L)
<snip>
#Personally I would rather just drop to shell and write automated data to a
#file, rather than use junoscript or script cli interactions which seem to
#be loaded with weird points where you must pause, having to load merge
#terminal, etc. I would almost be tempted to give each router its own CVS
#repository for such data, and have it pull data until it succeeds,
#rather than having a central site push data to all routers... Is anyone
#doing anything like this now?
#
#Oh and while I'm asking, has anyone else noticed dropped characters on
#large pastes or scripts without artificially induced delays ever since
#6.1-ish, or is it just me?

I'm doing a limited field trial of 6.1-ish stuff, right now. I can't
say I've noticed this behavior, when doing things manually. But the
manual pastes have been less than 50 lines, per load replace/merge,
and have been very limited in number. Of course, I've been paying
more attention/fighting with the *cough* new-features.

My scripts are loading about 150+ lines of config per 6.1-ish router.
But that is being done by ftp, so things like buffering, or
pagination probably don't apply.

Ben

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBP9qa+9FQh6ARB7TZEQIgOACg/iNSFCxr3l+X4Lvjv3mI/1Rc9qIAn2Nu
6f/xxOOcNhWehvrmg3RKBdmC
=B6bz
-----END PGP SIGNATURE-----
RE: bgp config changes (was: autonomous-system N loop s L)
On Fri, Dec 12, 2003 at 11:24:07PM -0500, Richard A Steenbergen wrote:
> Speaking of growing large, has there been any thought given to an
> "include" statement in the config, to include data from another file
> besides juniper.conf as a way of separating totally distinct and
> potentially 100% automated data like prefix-lists or completely
> standardized configs (such as you would use with groups) which you
> generally don't want to or need to see when showing around in your config
> normally?

Well, at least in form of a wishlist item:

$ fgrep include vendor/juniper/JunOS-featurerequests
- ability to include portions of config, e.g. prefix-lists, policies etc.

:-)=

> Oh and while I'm asking, has anyone else noticed dropped characters on
> large pastes or scripts without artificially induced delays ever since
> 6.1-ish, or is it just me?

I've seen this in 5.x series as well.


Regards,
Daniel