[j-nsp] router protect policy
Bill Blackford
BBlackford at nwresd.k12.or.us
Wed Aug 5 11:11:58 EDT 2009
I'm trying to form a router protect policy on an EX3200 that is being used as a layer 3 border device receiving default routes only (temporarily, until it's replaced by an M series). I was able to create a policy that works fine for EX series running layer 2 only services. Are there any examples or templates to look at?
Another engineer offered this:
ROUTER-PROTECT
    term SEQ-100 {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                NMS-NETWORKS except;
            }
            destination-port [ telnet ssh ftp ftp-data snmp ntp ];
        }
        then {
            syslog;
            discard;
        }
    }
    term SEQ-200 {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                BGP-NEIGHBORS except;
            }
            destination-port bgp;
        }
        then {
            discard;
        }
    }
    term SEQ-300 {
        then accept;
    }
My problem is that the EX is barfing on the source-prefix-list command. As such:
firewall {
    family inet {
        filter ROUTER-PROTECT {
            term SEQ-100 {
                from {
                    source-address {
                        0.0.0.0/0;
                    }
                    ##
                    ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
                    ##
                    source-prefix-list {
                        NMS-NETWORKS;
                    }
                    destination-port [ ssh telnet snmp ftp ftp-data ntp ];
                }
                then accept;
            }
            term SEQ-200 {
                from {
                    ##
                    ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
                    ##
                    source-prefix-list {
                        BGP-OSPF-NEIGHBORS;
                    }
                    protocol ospf;
                    destination-port bgp;
                }
                then accept;
            }
            term SEQ-300 {
                then accept;
            }
        }
    }
}
So in essence, I'm looking for a policy that will achieve the same goal that can actually be placed on an EX series.
Thank you
-b
--
Bill Blackford
Senior Network Engineer
Technology Systems Group
Northwest Regional ESD
my /home away from home
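One way to express the same control-plane policy without `source-prefix-list`, added here as an example and not taken from the thread: Junos accepts `except` inside a plain `source-address` match, so the NMS and BGP-peer prefixes can be listed inline, and the filter is applied as an input filter on lo0 so it only inspects traffic addressed to the routing engine. The prefixes 192.0.2.0/24 and 198.51.100.0/24 are constructed placeholders, and it is assumed the EX accepts a lo0 input filter.

```junos
/* Added example: ROUTER-PROTECT without source-prefix-list.               */
/* 192.0.2.0/24 (NMS) and 198.51.100.0/24 (BGP peers) are placeholders.   */
firewall {
    family inet {
        filter ROUTER-PROTECT {
            /* Management protocols from anywhere except the NMS networks: log and drop. */
            term SEQ-100 {
                from {
                    source-address {
                        0.0.0.0/0;
                        192.0.2.0/24 except;
                    }
                    protocol [ tcp udp ];
                    destination-port [ ssh telnet snmp ftp ftp-data ntp ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* BGP from anything other than the configured peers: drop. */
            term SEQ-200 {
                from {
                    source-address {
                        0.0.0.0/0;
                        198.51.100.0/24 except;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then discard;
            }
            /* Everything else (OSPF, permitted management, transit) is accepted. */
            term SEQ-300 {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input ROUTER-PROTECT;
                }
            }
        }
    }
}
```

The `except` entries carve the trusted prefixes out of 0.0.0.0/0, so each term matches only untrusted sources, which is the same effect the `source-prefix-list ... except` construct had on the M series.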