[j-nsp] Firewall filter using a prefix-list, not updating
David Gee
dave at infiltr8.com
Sun Mar 4 11:45:04 EST 2012
Hi all,
This is the first time I've used this group (although I've been subscribed
to it for a while!!!!). First off I'd like to say how useful it's been
watching the group share and deal with issues. I don't know if I'm
experiencing an issue, or if this is standard operation for Junos. Some help
would be greatly appreciated though.
If I create a relatively simple filter such as the one below, and attach it
as an output filter on a vlan interface, it works as per the prefix-list it
references. However, if I update the prefix-list, like add an additional
/32, the firewall filter does not permit it. If I remove and re-apply the
filter, it has no effect on the new addition to the prefix-list (even though
the prefix shows up in the prefix-list). To force the new prefix to become
active, I have had to re-apply the firewall filter statement that references
the prefix-list (i.e. delete it, and re-apply it). Is this normal?
Model: j4350
JUNOS Software Release [10.4R7.5]
(Inet running in packet-mode and not flow-mode)
filter management_protect {
    term discard_world {
        from {
            source-prefix-list {
                /* If I add additional prefixes to the manager_ips list, they do not take effect until I delete and set this configuration line */
                manager_ips except;
                world;
            }
        }
        then {
            discard;
        }
    }
    term permit_mng {
        then {
            count management_count;
            accept;
        }
    }
}
Thanks and look forward to the response,
David Gee
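To make the setup reproducible, here is the same filter in set-command form together with the prefix-lists and interface binding it depends on, followed by the operational commands that show whether a newly added prefix is actually being matched rather than merely present in the list. This is an added example, not configuration from the original post; the 192.0.2.x addresses, the vlan.0 interface and the contents of the world list are assumptions.

```junos
## Prefix-lists the filter refers to (addresses are constructed examples)
set policy-options prefix-list manager_ips 192.0.2.10/32
set policy-options prefix-list manager_ips 192.0.2.11/32
set policy-options prefix-list world 0.0.0.0/0

## The filter from the post, written as set commands
set firewall filter management_protect term discard_world from source-prefix-list manager_ips except
set firewall filter management_protect term discard_world from source-prefix-list world
set firewall filter management_protect term discard_world then discard
set firewall filter management_protect term permit_mng then count management_count
set firewall filter management_protect term permit_mng then accept

## Attach it as an output filter on the VLAN interface (vlan.0 is assumed)
set interfaces vlan unit 0 family inet filter output management_protect
commit

## Later: add a third management host to the list and commit
set policy-options prefix-list manager_ips 192.0.2.12/32
commit

## Verification. The list shows the new /32 either way; what matters is whether
## management_count rises for traffic to or from 192.0.2.12. Clear the counter,
## generate traffic from the new host, then read the counter again. If it stays
## flat while the prefix is visible in the list, the filter is still evaluating
## the old list contents, which is the symptom described in the post.
run show configuration policy-options prefix-list manager_ips
run clear firewall filter management_protect
run show firewall filter management_protect
```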