Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  Firewall Filter for Logical-Systems

    Posted 02-13-2024 08:54

    Hi,

    We have an MX204 running on 21.2R3-S5.4.

    This device has a firewall filter configuration which is applied to lo0.0. This filter is used to limit BGP connections.

    This works as we want; however, we have created a logical system on the device. It has a loopback interface as well, lo0.1500.
    This loopback doesn't have any firewall filter applied to it, but the firewall filter applied to lo0.0 still affects our BGP connections in the logical system.


    The original filter config:

    set firewall filter BGPFILTER term allow-bgp-neighbors from source-prefix-list configured-bgp-neighbors
    set firewall filter BGPFILTER term allow-bgp-neighbors from source-prefix-list configured-bgp-instance-neighbors
    set firewall filter BGPFILTER term allow-bgp-neighbors from protocol tcp
    set firewall filter BGPFILTER term allow-bgp-neighbors from port bgp
    set firewall filter BGPFILTER term allow-bgp-neighbors then count allow-bgp-neighbors
    set firewall filter BGPFILTER term allow-bgp-neighbors then accept


    set policy-options prefix-list configured-bgp-neighbors apply-path "protocols bgp group <*> neighbor <*>"
    set policy-options prefix-list configured-bgp-instance-neighbors apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"

    -----------
    We had to add the following lines to the configuration to make it work:

    set firewall filter BGPFILTER term allow-bgp-neighbors from source-prefix-list configured-LYS-bgp-routing-instance-neighbors
    set policy-options prefix-list configured-LYS-bgp-routing-instance-neighbors apply-path "logical-systems TEST routing-instances <*> protocols bgp group <*> neighbor <*>"


    My question is whether this is expected behavior. I thought logical systems essentially create another router, and if a logical system doesn't have any firewall filter applied to its loopback interface, it should work as if everything is allowed to the routing engine.


    Additional note: As you may realize, the additional config has routing-instances because this affects BGP only if they are in routing-instances. If they are not, there is no issue.

    set logical-systems TEST protocols bgp group CENTER neighbor XXX    (unaffected)
    set logical-systems TEST routing-instances CUSTOMER protocols bgp group CUST neighbor XXXX    (affected)

    Thanks



    ------------------------------
    ULAS AYDIN
    ------------------------------


  • 2.  RE: Firewall Filter for Logical-Systems

    Posted 02-19-2024 14:49

    Understanding Logical Systems for Routers and Switches | Junos OS | Juniper Networks

    The following guidelines describe how firewall filters affect the main routing device, logical systems, and virtual routers. The "default loopback interface" refers to lo0.0 (associated with the default routing table), the "loopback interface in a logical system" refers to lo0.n configured in the logical system, and the "loopback interface in the virtual router" refers to lo0.n configured in the virtual router.

    If you configure Filter A on the default loopback interface in the main routing device but do not configure a filter on the loopback interface in a logical system, the logical system does not use a filter.

    If you configure Filter A on the default loopback interface in the main routing device but do not configure a loopback interface in a logical system, the logical system uses Filter A.

    If you configure Filter A on the default loopback interface on the main routing device and Filter B on the loopback interface in a logical system, the logical system uses Filter B. In a special case of this rule, when you also configure a routing instance of type virtual-router on the logical system, the following rules apply:

    - If you configure Filter C on the loopback interface in the virtual router, traffic belonging to the virtual router uses Filter C.

    - If you do not configure a filter on the loopback interface in the virtual router, traffic belonging to the virtual router does not use a filter.

    - If you do not configure a loopback interface in the virtual router, traffic belonging to the virtual router uses Filter A.



    ------------------------------
    ULAS AYDIN
    ------------------------------
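
The guidelines quoted above can be checked mechanically against a configuration. The following is an added example, not part of the thread or of Juniper's documentation: a small Python audit that reads "display set" style lines and reports which loopback filter each context in a logical system ends up using. The sample configuration, the MGMT instance, the MGMT-RE filter name and the addresses are constructed, and applying the virtual-router rules to every routing instance in the logical system is an assumption that matches the behaviour reported in the first post.

```python
import re

# Constructed sample ("display set" style); names and addresses are illustrative.
SAMPLE = """\
set interfaces lo0 unit 0 family inet filter input BGPFILTER
set logical-systems TEST interfaces lo0 unit 1500 family inet address 192.0.2.1/32
set logical-systems TEST protocols bgp group CENTER neighbor 192.0.2.10
set logical-systems TEST routing-instances CUSTOMER protocols bgp group CUST neighbor 198.51.100.2
set logical-systems TEST routing-instances MGMT interface lo0.1502
set logical-systems TEST interfaces lo0 unit 1502 family inet address 192.0.2.2/32
set logical-systems TEST interfaces lo0 unit 1502 family inet filter input MGMT-RE
"""

def effective_filters(config, ls):
    """Return {context: filter name or None} for logical system `ls` (family inet only)."""
    main = None    # input filter on the default loopback lo0.0 ("Filter A")
    units = {}     # lo0 unit inside the logical system -> input filter or None
    inst_lo = {}   # routing instance -> its lo0 unit, or None if it has no loopback
    prefix = f"set logical-systems {ls} "
    for line in config.splitlines():
        if m := re.match(r"set interfaces lo0 unit 0 family inet filter input (\S+)", line):
            main = m.group(1)
        if not line.startswith(prefix):
            continue
        rest = line[len(prefix):]
        if m := re.match(r"interfaces lo0 unit (\d+)(?: family inet filter input (\S+))?", rest):
            units.setdefault(m.group(1), None)
            if m.group(2):
                units[m.group(1)] = m.group(2)
        elif m := re.match(r"routing-instances (\S+)(?: interface lo0\.(\d+))?", rest):
            inst_lo.setdefault(m.group(1), None)
            if m.group(2):
                inst_lo[m.group(1)] = m.group(2)
    # The logical system's own loopback is any lo0 unit not placed in a routing instance.
    assigned = {u for u in inst_lo.values() if u}
    own = [u for u in units if u not in assigned]
    # No loopback at all -> the main device's filter applies; loopback without filter -> none.
    result = {ls: units[own[0]] if own else main}
    for inst, unit in inst_lo.items():
        # Assumption: virtual-router rules are applied to every routing instance here.
        result[f"{ls}/{inst}"] = units.get(unit) if unit else main
    return result

if __name__ == "__main__":
    for context, flt in effective_filters(SAMPLE, "TEST").items():
        print(f"{context}: {flt or 'no filter'}")
```

On the constructed sample this reproduces the thread: the logical system itself (group CENTER) is unfiltered, while the CUSTOMER instance, which has no loopback of its own, falls back to BGPFILTER on lo0.0.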