[j-nsp] router protect policy
Chris Morrow
morrowc at ops-netman.net
Wed Aug 5 12:36:25 EDT 2009
On Wed, 5 Aug 2009, Sean Clarke wrote:
> Hi Bill
>
> the keyword "except" is what is not allowed on the EX .. maybe you need to
> write one to accept only the NMS-NETWORKS prefix list and deny the rest ...
> it should do the same job
> i.e.
as a base-level question... why are these 'standard firewall filter'
features NOT supported on what is a 'standard juniper' platform?
if you need/want these, open bugs. it's silly that these aren't supported.
-chris
>
> filter ROUTER-PROTECT {
>     term SEQ-100-accept {
>         from {
>             source-prefix-list {
>                 NMS-NETWORKS;
>             }
>             destination-port [ telnet ssh ftp ftp-data snmp ntp ];
>         }
>         then accept;
>     }
>     term SEQ-100-deny {
>         from {
>             source-address {
>                 0.0.0.0/0;
>             }
>             destination-port [ telnet ssh ftp ftp-data snmp ntp ];
>         }
>         then {
>             syslog;
>             discard;
>         }
>     }
> }
>
> cheers
> Sean
>
> Bill Blackford wrote:
>> I'm trying to form a router protect policy on an EX3200 that is being used
>> as a layer3 border device receiving default routes only (temporary until
>> it's replaced by an M series). I was able to create a policy that works
>> fine for EX series running layer2 only services. Are there any examples or
>> templates to look at?
>>
>> Another engineer offered this:
>> ROUTER-PROTECT
>> term SEQ-100 {
>>     from {
>>         source-address {
>>             0.0.0.0/0;
>>         }
>>         source-prefix-list {
>>             NMS-NETWORKS except;
>>         }
>>         destination-port [ telnet ssh ftp ftp-data snmp ntp ];
>>     }
>>     then {
>>         syslog;
>>         discard;
>>     }
>> }
>> term SEQ-200 {
>>     from {
>>         source-address {
>>             0.0.0.0/0;
>>         }
>>         source-prefix-list {
>>             BGP-NEIGHBORS except;
>>         }
>>         destination-port bgp;
>>     }
>>     then {
>>         discard;
>>     }
>> }
>> term SEQ-300 {
>>     then accept;
>> }
>>
>> My problem is that the EX is barfing on the source-prefix-list command. As
>> such:
>> firewall {
>>     family inet {
>>         filter ROUTER-PROTECT {
>>             term SEQ-100 {
>>                 from {
>>                     source-address {
>>                         0.0.0.0/0;
>>                     }
>>                     ##
>>                     ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
>>                     ##
>>                     source-prefix-list {
>>                         NMS-NETWORKS;
>>                     }
>>                     destination-port [ ssh telnet snmp ftp ftp-data ntp ];
>>                 }
>>                 then accept;
>>             }
>>             term SEQ-200 {
>>                 from {
>>                     ##
>>                     ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
>>                     ##
>>                     source-prefix-list {
>>                         BGP-OSPF-NEIGHBORS;
>>                     }
>>                     protocol ospf;
>>                     destination-port bgp;
>>                 }
>>                 then accept;
>>             }
>>             term SEQ-300 {
>>                 then accept;
>>             }
>>         }
>>     }
>> }
>>
>>
>> So in essence, I'm looking for a policy that will achieve the same goal
>> that can actually be placed on a ex series.
>>
>> Thank you
>>
>> -b
>>
>> --
>> Bill Blackford Senior Network Engineer
>> Technology Systems Group Northwest Regional ESD
>> my /home away from home
>>
>>
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>>
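An added example, written for this archive page and not posted by anyone in the thread, of the filter rewritten without the two constructs the EX3200 rejected above: the NMS and BGP neighbour sources are spelled out as `source-address` entries instead of `source-prefix-list`, and the accept-then-deny term ordering Sean describes replaces the `except` negation. The addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) are constructed RFC 5737 documentation placeholders, the term and counter names are mine, and applying the filter as `input` on `lo0` is the usual place for a Junos control-plane filter; the thread only establishes that `source-prefix-list` and `except` are rejected on ex3200-24t, so whether every other clause below is accepted on that release is an assumption. Two things the example handles that the posted configurations do not: match conditions inside one `from` block are ANDed, so `protocol ospf` together with `destination-port bgp` in a single term can never match a packet (OSPF is IP protocol 89 and has no ports), which is why OSPF gets its own term here; and each `destination-port` match is qualified with `protocol`, as Junos documentation recommends, so the port comparison is only applied to TCP and UDP. The deny terms count and syslog what they drop so that the filter doubles as a detection point for management and BGP probes against the router.

```junos
/* Added example: control-plane protection filter for an EX3200 that
   cannot use source-prefix-list or except. All addresses are constructed
   RFC 5737 placeholders; replace them with the real NMS and neighbour
   networks before use. */
firewall {
    family inet {
        filter ROUTER-PROTECT {
            /* Management protocols from the NMS network only
               (the NMS-NETWORKS prefix list, spelled out). */
            term MGMT-FROM-NMS-ACCEPT {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol [ tcp udp ];
                    destination-port [ telnet ssh ftp ftp-data snmp ntp ];
                }
                then accept;
            }
            /* The same ports from anyone else: count, log and drop.
               Because the accept term is evaluated first, this term
               does the job that "except" did in the original filter. */
            term MGMT-OTHERS-DISCARD {
                from {
                    protocol [ tcp udp ];
                    destination-port [ telnet ssh ftp ftp-data snmp ntp ];
                }
                then {
                    count mgmt-discards;
                    syslog;
                    discard;
                }
            }
            /* Inbound BGP session attempts only from the configured
               neighbours (the BGP-NEIGHBORS prefix list, spelled out). */
            term BGP-FROM-NEIGHBORS-ACCEPT {
                from {
                    source-address {
                        198.51.100.1/32;
                        198.51.100.2/32;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then accept;
            }
            term BGP-OTHERS-DISCARD {
                from {
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count bgp-discards;
                    syslog;
                    discard;
                }
            }
            /* OSPF has no TCP/UDP ports, so it cannot share a term with a
               destination-port match; it is accepted from the link range. */
            term OSPF-ACCEPT {
                from {
                    source-address {
                        203.0.113.0/24;
                    }
                    protocol ospf;
                }
                then accept;
            }
            /* Everything else (ICMP, return traffic for sessions the
               router opens, ...) keeps the permissive default that the
               filters in the thread use. */
            term DEFAULT-ACCEPT {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input ROUTER-PROTECT;
                }
            }
        }
    }
}
```

Because a mistake in a `lo0` filter can lock the operator out, activate it with `commit confirmed` and let the change stick only after an SSH session from the NMS network still works. Afterwards `show firewall filter ROUTER-PROTECT` shows the `mgmt-discards` and `bgp-discards` counters, which is the quickest way to see whether anything outside the allowed sources is knocking on the management or BGP ports.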