Routing




  • 1.  Firewall filter question

    Posted 13 days ago
    I have a pair of routers to be peered with BGP.

    RA  -----BGP(BFD)----- RB

    I have the following filters:
    set firewall family inet filter re-protection term icmp from protocol icmp
    set firewall family inet filter re-protection term icmp then accept
    set firewall family inet filter re-protection term bfd from protocol udp
    set firewall family inet filter re-protection term bfd then accept
    set firewall family inet filter re-protection term tcp from protocol tcp
    set firewall family inet filter re-protection term tcp from port bgp
    set firewall family inet filter re-protection term tcp then accept
    set firewall family inet filter re-protection term dropAll then reject

    It worked fine.

    But at first I had the following:

    set firewall family inet filter re-protection term bfd from protocol udp
    set firewall family inet filter re-protection term bfd then accept
    set firewall family inet filter re-protection term tcp from protocol tcp
    set firewall family inet filter re-protection term tcp from port bgp
    set firewall family inet filter re-protection term icmp from protocol icmp
    set firewall family inet filter re-protection term icmp then accept
    set firewall family inet filter re-protection term tcp then accept
    set firewall family inet filter re-protection term dropAll then reject
    

    Then ICMP is not allowed.
    Can anyone shed some light on it?

    Thanks!!



  • 2.  RE: Firewall filter question

     
    Posted 12 days ago
    I also do not see why icmp would not be accepted on your second policy.

    I would try adding the count to all the terms and see which one icmp is hitting as a start.

    And perhaps rearranging the order of the terms to see if there might be some kind of interaction that is not obvious.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Firewall filter question

    Posted 11 days ago
    I tried a couple of times and noticed it might be related to the old image (vMX 14.). After I rebooted, it seemed to work fine with BFD with ICMP term.

    Thanks so much!!


  • 4.  RE: Firewall filter question

    Posted 12 days ago

    Junos cant have issues with terms as general as yours, try adding port numbers to your terms BFD and BGP, something like this:

    set firewall family inet filter re-protection term bfd from protocol udp
    set firewall family inet filter re-protection term bfd from port [4784 3784 3785]
    set firewall family inet filter re-protection term bfd then accept
    set firewall family inet filter re-protection term tcp from protocol tcp
    set firewall family inet filter re-protection term tcp from port bgp
    set firewall family inet filter re-protection term tcp then accept
    set firewall family inet filter re-protection term icmp from protocol icmp
    set firewall family inet filter re-protection term icmp then accept
    set firewall family inet filter re-protection term dropAll then reject
    



    ------------------------------
    GABRIEL FLORES
    ------------------------------



  • 5.  RE: Firewall filter question

    Posted 11 days ago
    Thanks so much!!!
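
Added example (not part of the thread and not Juniper code): a small Python model of how the filters above are evaluated. It assumes standard Junos behaviour: terms are evaluated in the order they were first created, the first matching term decides, `port` matches source or destination port, and an unmatched packet is discarded; `parse`, `evaluate` and the sample packets are constructed for illustration.

```python
import re
NAMED_PORTS = {"bgp": 179}
# Second filter from the question, in the order the lines were entered.
AS_ENTERED = """
set firewall family inet filter re-protection term bfd from protocol udp
set firewall family inet filter re-protection term bfd then accept
set firewall family inet filter re-protection term tcp from protocol tcp
set firewall family inet filter re-protection term tcp from port bgp
set firewall family inet filter re-protection term icmp from protocol icmp
set firewall family inet filter re-protection term icmp then accept
set firewall family inet filter re-protection term tcp then accept
set firewall family inet filter re-protection term dropAll then reject
"""
# Same lines plus the BFD port match from reply 4, appended last on purpose.
WITH_BFD_PORTS = AS_ENTERED + "set firewall family inet filter re-protection term bfd from port [4784 3784 3785]\n"
LINE = re.compile(r"set firewall family inet filter \S+ term (\S+) (from|then) (.+)")

def parse(config):
    """Return {term: conditions} in evaluation order (simplified model).
    A dict keeps insertion order, so a term sits where its first line created it."""
    terms = {}
    for line in config.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, kind, rest = m.groups()
        term = terms.setdefault(name, {"protocol": set(), "port": set(), "then": None})
        if kind == "then":
            term["then"] = rest.strip()
            continue
        key, value = rest.split(None, 1)
        for tok in value.strip("[] ").split():
            term[key].add(tok if key == "protocol" else NAMED_PORTS.get(tok) or int(tok))
    return terms

def evaluate(terms, proto, sport=None, dport=None):
    """First matching term wins; 'port' matches source or destination port."""
    for name, t in terms.items():
        if t["protocol"] and proto not in t["protocol"]:
            continue
        if t["port"] and not ({sport, dport} & t["port"]):
            continue
        return name, t["then"]
    return None, "discard"  # implicit default when no term matches

if __name__ == "__main__":  # constructed packets: ICMP, BFD, BGP, unrelated UDP
    for cfg in (AS_ENTERED, WITH_BFD_PORTS):
        for pkt in (("icmp",), ("udp", 49152, 3784), ("tcp", 179, 40000), ("udp", 40000, 53)):
            print(pkt, evaluate(parse(cfg), *pkt))
```

In this model ICMP lands in term icmp and is accepted under the question's second filter, while the unrelated UDP packet is accepted by the broad bfd term and only falls through to dropAll once the BFD ports are added.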