Routing

 View Only
last person joined: 13 days ago 

Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Firewall filter question

    Posted 11-17-2021 16:52
    I have a pair of routers to be peered with BGP

    RA  -----BGP(BFD)----- RB

    I have the following filters
    set firewall family inet filter re-protection term icmp from protocol icmp
    set firewall family inet filter re-protection term icmp then accept
    set firewall family inet filter re-protection term bfd from protocol udp
    set firewall family inet filter re-protection term bfd then accept
    set firewall family inet filter re-protection term tcp from protocol tcp
    set firewall family inet filter re-protection term tcp from port bgp
    set firewall family inet filter re-protection term tcp then accept
    set firewall family inet filter re-protection term dropAll then reject
    ​

    It worked fine.

    But at first I had the following:

    set firewall family inet filter re-protection term bfd from protocol udp
    set firewall family inet filter re-protection term bfd then accept
    set firewall family inet filter re-protection term tcp from protocol tcp
    set firewall family inet filter re-protection term tcp from port bgp
    set firewall family inet filter re-protection term icmp from protocol icmp
    set firewall family inet filter re-protection term icmp then accept
    set firewall family inet filter re-protection term tcp then accept
    set firewall family inet filter re-protection term dropAll then reject
    

    Then ICMP is not allowed.
    Can anyone  shed some light on it ?

    thanks !!



  • 2.  RE: Firewall filter question

    Posted 11-18-2021 05:34
    I also do not see why icmp would not be accepted on your second policy.

    I would try adding the count to all the terms and see which one icmp is hitting as a start.

    And perhaps rearranging the order of the terms to see if there might be some kind of interaction that is not obvious.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Firewall filter question

    Posted 11-19-2021 05:43
    I tried a couple of time and noticed it might be related to the old image (vMX 14.). After I rebooted, it seemed to work fine with BFD with ICMP term.  

    thanks so much !!


  • 4.  RE: Firewall filter question

    Posted 11-18-2021 09:48

    junos cant have issues with terms as general as yours, try adding port numbers to your terms BFD and BGP,  something like this:

    set firewall family inet filter re-protection term bfd from protocol udp
    set firewall family inet filter re-protection term bfd from port [4784 3784 3785]
    set firewall family inet filter re-protection term bfd then accept
    set firewall family inet filter re-protection term tcp from protocol tcp
    set firewall family inet filter re-protection term tcp from port bgp
    set firewall family inet filter re-protection term tcp then accept
    set firewall family inet filter re-protection term icmp from protocol icmp
    set firewall family inet filter re-protection term icmp then accept
    set firewall family inet filter re-protection term dropAll then reject
    



    ------------------------------
    GABRIEL FLORES
    ------------------------------



  • 5.  RE: Firewall filter question

    Posted 11-19-2021 05:43
    thanks so much !!!