[j-nsp] router protect policy
Sean Clarke
sean at clarke-3.demon.nl
Wed Aug 5 12:24:36 EDT 2009
Hi Bill,

The keyword "except" is what is not allowed on the EX .. maybe you need
to write one to accept only the NMS-NETWORKS prefix list and deny the
rest ... it should do the same job.
i.e.
filter ROUTER-PROTECT {
    term SEQ-100-accept {
        from {
            source-prefix-list {
                NMS-NETWORKS;
            }
            destination-port [ telnet ssh ftp ftp-data snmp ntp ];
        }
        then accept;
    }
    term SEQ-100-deny {
        from {
            source-address {
                0.0.0.0/0;
            }
            destination-port [ telnet ssh ftp ftp-data snmp ntp ];
        }
        then {
            syslog;
            discard;
        }
    }
}
Cheers,
Sean
Bill Blackford wrote:
> I'm trying to form a router protect policy on an EX3200 that is being used as a layer 3 border device receiving default routes only (temporary until it's replaced by an M series). I was able to create a policy that works fine for EX series running layer 2 only services. Are there any examples or templates to look at?
>
> Another engineer offered this:
> ROUTER-PROTECT
>     term SEQ-100 {
>         from {
>             source-address {
>                 0.0.0.0/0;
>             }
>             source-prefix-list {
>                 NMS-NETWORKS except;
>             }
>             destination-port [ telnet ssh ftp ftp-data snmp ntp ];
>         }
>         then {
>             syslog;
>             discard;
>         }
>     }
>     term SEQ-200 {
>         from {
>             source-address {
>                 0.0.0.0/0;
>             }
>             source-prefix-list {
>                 BGP-NEIGHBORS except;
>             }
>             destination-port bgp;
>         }
>         then {
>             discard;
>         }
>     }
>     term SEQ-300 {
>         then accept;
>     }
>
> My problem is that the EX is barfing on the source-prefix-list command. As such:
> firewall {
>     family inet {
>         filter ROUTER-PROTECT {
>             term SEQ-100 {
>                 from {
>                     source-address {
>                         0.0.0.0/0;
>                     }
>                     ##
>                     ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
>                     ##
>                     source-prefix-list {
>                         NMS-NETWORKS;
>                     }
>                     destination-port [ ssh telnet snmp ftp ftp-data ntp ];
>                 }
>                 then accept;
>             }
>             term SEQ-200 {
>                 from {
>                     ##
>                     ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
>                     ##
>                     source-prefix-list {
>                         BGP-OSPF-NEIGHBORS;
>                     }
>                     protocol ospf;
>                     destination-port bgp;
>                 }
>                 then accept;
>             }
>             term SEQ-300 {
>                 then accept;
>             }
>         }
>     }
>
>
> So in essence, I'm looking for a policy that will achieve the same goal that can actually be placed on an EX series.
>
> Thank you
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
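To check that the two-term rewrite in the reply covers the same cases as the "except" version Bill was given, here is an added Python model of first-match Junos filter evaluation; it is not Junos code and comes from neither poster, and the contents of the NMS-NETWORKS prefix list are a constructed assumption. It also shows the implicit discard at the end of every Junos filter: without a final accept term like Bill's SEQ-300, traffic to other ports (BGP, for instance) is dropped as well.

```python
# Added model of first-match Junos firewall-filter evaluation (hypothetical,
# not Junos code). Prefix-list contents below are constructed for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

# telnet ssh ftp ftp-data snmp ntp, as named in the filter's destination-port list
MGMT_PORTS = {23, 22, 21, 20, 161, 123}
# Assumed contents of the NMS-NETWORKS prefix list (constructed sample value).
PREFIX_LISTS = {"NMS-NETWORKS": [ip_network("10.10.0.0/24")]}


@dataclass
class Term:
    name: str
    source_prefix_list: Optional[str] = None                   # None: any source
    destination_ports: Set[int] = field(default_factory=set)  # empty: any port
    action: str = "accept"                                     # "accept"/"discard"
    syslog: bool = False


def term_matches(term: Term, src: str, dport: int) -> bool:
    """A term matches only when every configured from-condition holds."""
    if term.source_prefix_list is not None:
        nets = PREFIX_LISTS[term.source_prefix_list]
        if not any(ip_address(src) in net for net in nets):
            return False
    if term.destination_ports and dport not in term.destination_ports:
        return False
    return True


def evaluate(terms: List[Term], src: str, dport: int) -> Tuple[str, bool]:
    """Return (action, logged). The first matching term wins; when no term
    matches, Junos applies an implicit discard with no syslog."""
    for term in terms:
        if term_matches(term, src, dport):
            return term.action, term.syslog
    return "discard", False


# The two-term ROUTER-PROTECT filter from the reply above.
ROUTER_PROTECT = [
    Term("SEQ-100-accept", "NMS-NETWORKS", MGMT_PORTS, "accept"),
    Term("SEQ-100-deny", None, MGMT_PORTS, "discard", syslog=True),
]
# Same filter plus a final accept term, as in Bill's SEQ-300, so that traffic
# to other ports (e.g. BGP on 179) is not caught by the implicit discard.
ROUTER_PROTECT_WITH_FINAL_ACCEPT = ROUTER_PROTECT + [Term("SEQ-300")]
```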