[j-nsp] Firewall filter using a prefix-list, not updating
Justin M. Streiner
streiner at cluebyfour.org
Sun Mar 4 12:00:38 EST 2012
On Sun, 4 Mar 2012, David Gee wrote:
> If I create a relatively simple filter such as the one below, and attach it
> as an output filter on a vlan interface, it works as per the prefix-list it
> references. However, if I update the prefix-list, like add an additional
> /32, the firewall filter does not permit it. If I remove and re-apply the
> filter, it has no effect on the new addition to the prefix-list (even though
> the prefix shows up in the prefix-list). To force the new prefix to become
> active, I have had to re-apply the firewall filter statement that references
> the prefix-list (i.e. delete it, and re-apply it). Is this normal?
I have several firewall filters that reference prefix-lists which are
updated frequently, and I have not run into this issue. I'm also running
slightly older code (10.3).
Have you checked with JTAC on this? While a quick scan of bug reports
didn't show anything that looked like a match for what you're seeing, it
might still be worth contacting JTAC and having them look at the issue.
Our workflow is:
update prefix-list
annotate new prefix-list entry/entries
review uncommitted changes
commit check
if no errors, commit
jms
> Model: j4350
>
> JUNOS Software Release [10.4R7.5]
>
> (Inet running in packet-mode and not flow-mode)
>
> filter management_protect {
>     term discard_world {
>         from {
>             source-prefix-list {
>                 manager_ips except;   #<If I add additional prefixes to the manager_ips list, they do not take effect until I delete and set this configuration line>
>                 world;
>             }
>         }
>         then {
>             discard;
>         }
>     }
>     term permit_mng {
>         then {
>             count management_count;
>             accept;
>         }
>     }
> }
>
> Thanks and look forward to the response,
> David Gee
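For the "review uncommitted changes" step in the workflow above, here is an added Python model of the posted filter that previews which sources change outcome when a prefix is added to manager_ips; it is not code from the thread or from Junos, the prefixes are constructed documentation ranges, and it assumes Junos resolves overlapping prefix-list entries by longest match, with a longest match that carries `except` excluding the address from the clause.

```python
import copy
import ipaddress

# Constructed sample prefix-lists (documentation ranges, not the poster's real data).
PREFIX_LISTS = {
    "manager_ips": ["192.0.2.10/32", "198.51.100.0/24"],
    "world": ["0.0.0.0/0"],
}

# The management_protect filter from the thread:
# (term name, source-prefix-list entries as (list, except?) or None, action)
MANAGEMENT_PROTECT = [
    ("discard_world", [("manager_ips", True), ("world", False)], "discard"),
    ("permit_mng", None, "accept"),
]

def prefix_list_clause_matches(src, entries, prefix_lists):
    """Assumed Junos semantics: the longest matching prefix across all referenced
    lists decides; if that prefix came from an 'except' list, the clause does not match."""
    addr = ipaddress.ip_address(src)
    best = None  # (prefix length, came from an except list?)
    for list_name, is_except in entries:
        for prefix in prefix_lists[list_name]:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, is_except)
    return best is not None and not best[1]

def evaluate(src, terms, prefix_lists):
    """Walk the terms in order; a term with no from-clause matches everything."""
    for name, entries, action in terms:
        if entries is None or prefix_list_clause_matches(src, entries, prefix_lists):
            return name, action
    return "implicit", "discard"  # Junos filters end with an implicit discard

def preview_update(list_name, new_prefix, probes,
                   terms=MANAGEMENT_PROTECT, prefix_lists=PREFIX_LISTS):
    """Return {probe: (action before, action after)} for adding new_prefix to list_name.
    The working copy is deep-copied so the candidate config is never mutated."""
    updated = copy.deepcopy(prefix_lists)
    updated[list_name].append(new_prefix)
    return {p: (evaluate(p, terms, prefix_lists)[1], evaluate(p, terms, updated)[1])
            for p in probes}

if __name__ == "__main__":
    probes = ["192.0.2.10", "203.0.113.5", "203.0.113.6"]
    for src, (before, after) in preview_update("manager_ips", "203.0.113.5/32", probes).items():
        print(f"{src:15} before={before:8} after={after}")
```

Run it with the /32 you intend to add; a source that should be accepted after the change but still shows "discard" after the real commit points at the filter not picking up the prefix-list update, which is what the poster describes.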