[j-nsp] router protect policy

masood at nexlinx.net.pk masood at nexlinx.net.pk
Wed Aug 5 12:32:43 EDT 2009


It seems "source-prefix-list" is being ignored by the EX-3200. If the
"source-prefix-list" statement is being ignored, would you use source-address
(for the time being)? :)

Regards,
Masood

> I'm trying to form a router protect policy on an EX3200 that is being used
> as a layer3 border device receiving default routes only (temporary until
> it's replaced by an M series). I was able to create a policy that works
> fine for EX series running layer2 only services. Are there any examples or
> templates to look at?
>
> Another engineer offered this:
> ROUTER-PROTECT
> term SEQ-100 {
>      from {
>          source-address {
>              0.0.0.0/0;
>          }
>          source-prefix-list {
>              NMS-NETWORKS except;
>          }
>          destination-port [ telnet ssh ftp ftp-data snmp ntp ];
>      }
>      then {
>          syslog;
>          discard;
>      }
> }
> term SEQ-200 {
>      from {
>          source-address {
>              0.0.0.0/0;
>          }
>          source-prefix-list {
>              BGP-NEIGHBORS except;
>          }
>          destination-port bgp;
>      }
>      then {
>          discard;
>      }
> }
> term SEQ-300 {
>      then accept;
> }
>
> My problem is that the EX is barfing on the source-prefix-list command. As
> such:
> firewall {
>     family inet {
>         filter ROUTER-PROTECT {
>             term SEQ-100 {
>                 from {
>                     source-address {
>                         0.0.0.0/0;
>                     }
>                     ##
>                     ## Warning: configuration block ignored: unsupported
> platform (ex3200-24t)
>                     ##
>                     source-prefix-list {
>                         NMS-NETWORKS;
>                     }
>                     destination-port [ ssh telnet snmp ftp ftp-data ntp ];
>                 }
>                 then accept;
>             }
>             term SEQ-200 {
>                 from {
>                     ##
>                     ## Warning: configuration block ignored: unsupported
> platform (ex3200-24t)
>                     ##
>                     source-prefix-list {
>                         BGP-OSPF-NEIGHBORS;
>                     }
>                     protocol ospf;
>                     destination-port bgp;
>                 }
>                 then accept;
>             }
>             term SEQ-300 {
>                 then accept;
>             }
>         }
>     }
>
>
> So in essence, I'm looking for a policy that will achieve the same goal
> that can actually be placed on a ex series.
>
> Thank you
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
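The workaround Masood suggests, written out as an added example (not configuration from either poster): the same ROUTER-PROTECT filter with the allowed sources listed inline under source-address using except, since the EX3200 ignores source-prefix-list, and applied as an input filter on lo0 so it actually screens traffic to the routing engine. The NMS prefix (192.0.2.0/24) and BGP neighbor address (203.0.113.1) are placeholders from the RFC 5737 documentation ranges; protocol matches are added because destination-port is only meaningful for TCP/UDP.

```junos
firewall {
    family inet {
        filter ROUTER-PROTECT {
            /* Management: discard unless sourced from the NMS network (placeholder prefix) */
            term SEQ-100 {
                from {
                    source-address {
                        0.0.0.0/0;
                        192.0.2.0/24 except;
                    }
                    protocol [ tcp udp ];
                    destination-port [ telnet ssh ftp ftp-data snmp ntp ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* BGP: discard unless sourced from a configured neighbor (placeholder address) */
            term SEQ-200 {
                from {
                    source-address {
                        0.0.0.0/0;
                        203.0.113.1/32 except;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term SEQ-300 {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input ROUTER-PROTECT;
                }
            }
        }
    }
}
```

OSPF (IP protocol 89) carries no port numbers, so it is untouched by SEQ-200 and falls through to the final accept; the quoted SEQ-200 that pairs `protocol ospf` with `destination-port bgp` asks for both at once and so would not match BGP sessions as intended.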