[j-nsp] router protect policy
masood at nexlinx.net.pk
masood at nexlinx.net.pk
Wed Aug 5 12:32:43 EDT 2009
It seems "source-prefix-list" is being ignored by EX-3200. If
"source-prefix-list: statement being ignored; would you use source-address
(for the time being) :)
Regards,
Masood
> I'm trying to form a router protect policy on an EX3200 that is being used
> as a layer3 border device receiving default routes only (temporary until
> it's replaced by an M series). I was able to create a policy that works
> fine for EX series running layer2 only services. Are there any examples or
> templates to look at?
>
> Another engineer offered this:
> ROUTER-PROTECT
> term SEQ-100 {
> from {
> source-address {
> 0.0.0.0/0;
> }
> source-prefix-list {
> NMS-NETWORKS except;
> }
> destination-port [ telnet ssh ftp ftp-data snmp ntp ];
> }
> then {
> syslog;
> discard;
> }
> }
> term SEQ-200 {
> from {
> source-address {
> 0.0.0.0/0;
> }
> source-prefix-list {
> BGP-NEIGHBORS except;
> }
> destination-port bgp;
> }
> then {
> discard;
> }
> }
> term SEQ-300 {
> then accept;
> }
>
> My problem is that the EX is barfing on the source-prefix-list command. As
> such:
> firewall {
> family inet {
> filter ROUTER-PROTECT {
> term SEQ-100 {
> from {
> source-address {
> 0.0.0.0/0;
> }
> ##
> ## Warning: configuration block ignored: unsupported
> platform (ex3200-24t)
> ##
> source-prefix-list {
> NMS-NETWORKS;
> }
> destination-port [ ssh telnet snmp ftp ftp-data ntp ];
> }
> then accept;
> }
> term SEQ-200 {
> from {
> ##
> ## Warning: configuration block ignored: unsupported
> platform (ex3200-24t)
> ##
> source-prefix-list {
> BGP-OSPF-NEIGHBORS;
> }
> protocol ospf;
> destination-port bgp;
> }
> then accept;
> }
> term SEQ-300 {
> then accept;
> }
> }
> }
>
>
> So in essence, I'm looking for a policy that will achieve the same goal
> that can actually be placed on a ex series.
>
> Thank you
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
More information about the juniper-nsp
mailing list