Junos ipv6 import filter

I'm going to start off with some example import filters for BGP with IPv6, drawn mainly from several best-practice documents I have found across the internet.

show configuration policy-options policy-statement default_ipv6_import
term reject_our_prefix {
    from {
        route-filter 2a02:xxxx::/32 orlonger; ## you shouldn't see your own prefix announced back to you!
    }
    then reject;
}
term reject_default_route {
    from {
        route-filter ::/0 exact; ## Unless your upstream is only providing a default route then you shouldn't accept this.
    }
    then reject;
}
term reject_link_local {
    from {
        route-filter fe80::/10 orlonger; ## Link local addresses should only be seen on the LAN side of your network
    }
    then reject;
}
term reject_site_local {
    from {
        route-filter fec0::/10 orlonger; ## Again, you should only see this on the LAN side.
    }
    then reject;
}
term reject_unique_local { ## Meant to be used for devices not connected to the internet per RFC4193
    from {
        route-filter fc00::/7 orlonger;
    }
    then reject; ## Without this action the term matches but falls through to default_accept
}
term reject_documentation_address {
    from {
        route-filter 2001:db8::/32 orlonger; ## This whole /32 is not globally routable as it's used for documentation only
    }
    then reject;
}
term reject_multicast {
    from {
        route-filter ff00::/8 orlonger; ## We currently do not have multicast on our network so will reject by default
    }
    then reject;
}
term default_accept { ## Accept everything else
    then accept;
}

Roughly speaking, we do not want to see anything on the WAN side that we expect on the LAN: each term above rejects one such range, and the policy is evaluated top to bottom with the first matching term deciding the route.
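To sanity-check what the policy will do before committing it, here is a small offline evaluator that mirrors the term list above. It is an added example and not part of the original post or of Junos itself; it reproduces the two route-filter match types the policy uses (`exact` and `orlonger`) with first-match semantics, and uses a constructed placeholder in place of the redacted 2a02:xxxx::/32 prefix. All sample prefixes fed to it are constructed test values, not observed announcements.

```python
"""Offline evaluator for the default_ipv6_import policy (added example, not Junos code)."""
from ipaddress import IPv6Network

# Constructed placeholder standing in for the post's redacted 2a02:xxxx::/32.
OUR_PREFIX = "2a02:1234::/32"

# Terms in the same order as the policy-statement. Junos evaluates top to bottom
# and the first term whose route-filter matches decides the action.
# Each entry: (term name, route-filter prefix, match type, action)
POLICY = [
    ("reject_our_prefix", OUR_PREFIX, "orlonger", "reject"),
    ("reject_default_route", "::/0", "exact", "reject"),
    ("reject_link_local", "fe80::/10", "orlonger", "reject"),
    ("reject_site_local", "fec0::/10", "orlonger", "reject"),
    ("reject_unique_local", "fc00::/7", "orlonger", "reject"),
    ("reject_documentation_address", "2001:db8::/32", "orlonger", "reject"),
    ("reject_multicast", "ff00::/8", "orlonger", "reject"),
]
# Final term has no from clause, so it matches anything that reached it.
DEFAULT_TERM = ("default_accept", "accept")


def route_filter_matches(route: IPv6Network, filt: IPv6Network, match_type: str) -> bool:
    """Apply one Junos route-filter match type to a received route."""
    if match_type == "exact":
        # exact: identical prefix and length only (::/1 does not match ::/0 exact)
        return route == filt
    if match_type == "orlonger":
        # orlonger: route lies inside filt and is the same length or longer;
        # a covering (shorter) prefix does not match
        return route.subnet_of(filt)
    raise ValueError(f"unsupported match type: {match_type}")


def evaluate(prefix: str):
    """Return (term name, action) for a received prefix, first match wins."""
    route = IPv6Network(prefix)  # strict=True: a host bit set would be a malformed NLRI
    for name, filt, match_type, action in POLICY:
        if route_filter_matches(route, IPv6Network(filt), match_type):
            return name, action
    return DEFAULT_TERM


def evaluate_many(prefixes):
    """Evaluate a batch of prefixes, e.g. a dump of what a peer is announcing."""
    return {p: evaluate(p) for p in prefixes}


if __name__ == "__main__":
    # Constructed sample announcements exercising every term and both match types.
    samples = [
        "2a02:1234:5::/48",      # more specific of our own prefix -> rejected
        "2a02::/16",             # covering prefix, shorter than /32 -> not orlonger, accepted
        "::/0",                  # default route -> rejected by exact match
        "::/1",                  # not an exact ::/0 -> falls through to default_accept
        "fe80::/64",             # link local
        "fec0:0:0:1::/64",       # site local
        "fd12:3456::/32",        # unique local, inside fc00::/7
        "2001:db8:1::/48",       # documentation space
        "ff0e::/16",             # multicast
        "2001:1234:5678::/48",   # ordinary global unicast (constructed) -> accepted
    ]
    for prefix, (term, action) in evaluate_many(samples).items():
        print(f"{prefix:22} {action:7} ({term})")
```

Run it as a script to see the decision for each sample, or import `evaluate_many` and feed it a list of prefixes taken from `show route receive-protocol bgp <peer>` output to see which terms would fire. The `2a02::/16` and `::/1` cases are the ones worth noting: `orlonger` and `exact` deliberately do not catch a covering or near-default prefix, so those reach `default_accept`.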

If you think there is anything else that can be rejected please leave a comment and I will get it amended. This is a work in progress and any feedback, whether positive or negative, is greatly appreciated.
