Understanding Logical Systems for Routers and Switches | Junos OS | Juniper Networks
The following guidelines describe how firewall filters affect the main routing device, logical systems, and virtual routers. The "default loopback interface" refers to lo0.0 (associated with the default routing table), the "loopback interface in a logical system" refers to lo0.n configured in the logical system, and the "loopback interface in the virtual router" refers to lo0.n configured in the virtual router.
If you configure Filter A on the default loopback interface in the main routing device but do not configure a filter on the loopback interface in a logical system, the logical system does not use a filter.
If you configure Filter A on the default loopback interface in the main routing device but do not configure a loopback interface in a logical system, the logical system uses Filter A.
If you configure Filter A on the default loopback interface on the main routing device and Filter B on the loopback interface in a logical system, the logical system uses Filter B. In a special case of this rule, when you also configure a routing instance of type virtual-router on the logical system, the following rules apply:
- If you configure Filter C on the loopback interface in the virtual router, traffic belonging to the virtual router uses Filter C.
- If you do not configure a filter on the loopback interface in the virtual router, traffic belonging to the virtual router does not use a filter.
- If you do not configure a loopback interface in the virtual router, traffic belonging to the virtual router uses Filter A.
------------------------------
ULAS AYDIN
------------------------------
Original Message:
Sent: 02-13-2024 08:51
From: ULAS AYDIN
Subject: Firewall Filter for Logical-Systems
Hi,
We have a mx204 running on 21.2R3-S5.4.
This device has a firewall filter configuration which is applied to lo0.0. This filter is used to limit BGP connections.
This works as we want; however, we have created a logical-system on the device. It has a loopback interface as well, lo0.1500.
This loopback doesn't have any firewall filter applied to it but still, the firewall filter applied to lo0.0 affects our BGP connections in the logical-system.
The original filter config:
set firewall filter BGPFILTER term allow-bgp-neighbors from source-prefix-list configured-bgp-neighbors
set firewall filter BGPFILTER term allow-bgp-neighbors from source-prefix-list configured-bgp-instance-neighbors
set firewall filter BGPFILTER term allow-bgp-neighbors from protocol tcp
set firewall filter BGPFILTER term allow-bgp-neighbors from port bgp
set firewall filter BGPFILTER term allow-bgp-neighbors then count allow-bgp-neighbors
set firewall filter BGPFILTER term allow-bgp-neighbors then accept
set policy-options prefix-list configured-bgp-neighbors apply-path "protocols bgp group <*> neighbor <*>"
set policy-options prefix-list configured-bgp-instance-neighbors apply-path "routing-instances <*> protocols bgp group <*> neighbor <*>"
-----------
We had to add the following lines to the configuration to make it work:
set firewall filter BGPFILTER term allow-bgp-neighbors from source-prefix-list configured-LYS-bgp-routing-instance-neighbors
set policy-options prefix-list configured-LYS-bgp-routing-instance-neighbors apply-path "logical-systems TEST routing-instances <*> protocols bgp group <*> neighbor <*>"
My question is if this is expected behavior. I thought logical-systems essentially create another router and if a logical-system doesn't have any firewall filter applied to its loopback interface it should work as if everything is allowed to the routing engine.
Additional note: As you may realize, the additional config has routing-instances because this affects BGP only if the neighbors are in routing-instances. If they are not, there is no issue.
set logical-systems TEST protocols bgp group CENTER neighbor XXX (unaffected)
set logical-systems TEST routing-instances CUSTOMER protocols bgp group CUST neighbor XXXX (affected)
Thanks
------------------------------
ULAS AYDIN
------------------------------
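As an added illustration (not part of this thread or of Juniper's documentation), the following Python model encodes the loopback-filter guidelines quoted above as one decision function and applies it to the poster's setup. It assumes the CUSTOMER routing instance inside logical system TEST has no loopback unit of its own, and that the virtual-router sub-rules also apply when the logical-system loopback carries no filter, which is what the poster observed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Loopback:
    """A configured lo0.n unit and the firewall filter applied to it (None = unit exists, no filter)."""
    filter: Optional[str] = None


def effective_filter(default_filter: Optional[str],
                     ls_lo0: Optional[Loopback],
                     vr_lo0: Optional[Loopback] = None,
                     traffic_in_vr: bool = False) -> Optional[str]:
    """Return the filter that applies to routing-engine-bound traffic, per the quoted guidelines.

    default_filter: filter on lo0.0 of the main routing device ("Filter A").
    ls_lo0:         the logical system's loopback unit, or None if none is configured.
    vr_lo0:         the virtual-router's loopback unit inside the logical system, or None.
    traffic_in_vr:  True when the traffic belongs to that virtual-router instance.
    """
    if traffic_in_vr:
        if vr_lo0 is None:
            # No loopback in the virtual router: falls back to Filter A on lo0.0,
            # NOT to the logical system's own loopback filter.
            return default_filter
        return vr_lo0.filter          # Filter C, or no filter if the unit carries none
    if ls_lo0 is None:
        return default_filter         # no loopback in the logical system: Filter A applies
    return ls_lo0.filter              # Filter B, or no filter if lo0.n carries none


def thread_scenario() -> Dict[str, Optional[str]]:
    """Poster's MX204 (constructed from the post): BGPFILTER on lo0.0, lo0.1500 in logical
    system TEST with no filter, routing instance CUSTOMER in TEST with no loopback (assumed)."""
    ls_test = Loopback(filter=None)
    return {
        "TEST group CENTER": effective_filter("BGPFILTER", ls_test),
        "TEST/CUSTOMER group CUST": effective_filter("BGPFILTER", ls_test,
                                                     vr_lo0=None, traffic_in_vr=True),
    }


if __name__ == "__main__":
    for where, flt in thread_scenario().items():
        print(f"{where}: {'no filter' if flt is None else flt}")
```

The CUSTOMER neighbors land on BGPFILTER because the routing instance has no loopback of its own, which is why the poster had to extend the prefix-list; giving that instance its own lo0 unit with an explicit filter is the other placement the guidelines describe.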