[j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
Dan Farrell
danno at appliedi.net
Mon Oct 26 13:29:53 EDT 2015
Howdy List,
I can't seem to get a dynamic-db prefix-list to work correctly on either an ex3200 or ex2200 on JUNOS 12.3 and 12.10.
I'm starting to suspect it simply won't work on these models (or maybe on EX-series at all, or maybe only on routing policies).
Using a dynamic-db prefix-list in a filter leads to NO packets passing on the interface it is instantiated on. (tested on l2 and l3 interface filtering).
It seems to be a simple implementation (create the same prefix-list name in the normal configuration as the dynamic-db prefix list and tag it 'dynamic-db', then use it in a filter), so I'm currently not suspecting myself as the culprit.
Combining manual prefixes with the dynamic-db in one prefix-list results in only the manual prefixes being honored, while the dynamic-db ones are still ignored (same as above).
Thanks list!
Also, here are the relevant parts of my configuration:
DYNAMIC CONFIGURATION:
========================
policy-options {
    prefix-list badips {
        192.168.75.35/32;
        192.168.75.100/32;
        192.168.100.251/32;
    }
}
STATIC CONFIGURATION:
======================
policy-options {
    prefix-list badips {
        dynamic-db;
        1.1.1.1/32;
    }
}
firewall {
    family inet {
        filter blocktest {
            term block-dy {
                from {
                    destination-prefix-list {
                        badips;
                    }
                }
                then {
                    discard;
                }
            }
            term allow-all-else {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 33 {
            family inet {
                filter {
                    input blocktest;
                }
                address 192.168.78.1/24;
            }
        }
    }
}
vlans {
    noc24-test {
        vlan-id 33;
        interface {
            ge-0/0/3.0;
        }
        l3-interface vlan.33;
    }
}
Dan Farrell
Applied Innovations Corp.
danf at appliedi.net
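As an added example, not part of Dan's post and not Junos code, the following Python script models the behaviour the post expects from a dynamic-db prefix-list: the static `badips` entries plus, because the static list carries the `dynamic-db` tag, the same-named list from the dynamic database, evaluated by the `blocktest` filter (discard if the destination matches, accept otherwise). The two configuration snippets are embedded as constructed text copied from the post; the parser, the merge rule and the `find_mismatches` helper are assumptions of this example and a way to check observed forwarding against the intended policy, not a description of how the EX platform implements it.

```python
import ipaddress
import re

# Constructed sample input: the two snippets from the post, as text.
DYNAMIC_DB_CONFIG = """
policy-options {
    prefix-list badips {
        192.168.75.35/32;
        192.168.75.100/32;
        192.168.100.251/32;
    }
}
"""

STATIC_CONFIG = """
policy-options {
    prefix-list badips {
        dynamic-db;
        1.1.1.1/32;
    }
}
"""

# One IPv4 prefix per line inside a prefix-list block, terminated by ';'.
PREFIX_RE = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2});\s*$")
NAME_RE = re.compile(r"^\s*prefix-list\s+(\S+)\s*\{\s*$")


def parse_prefix_lists(config_text):
    """Return {name: {"prefixes": [ip_network, ...], "dynamic_db": bool}}.

    Only the subset of Junos syntax used in the post is understood
    (assumption of this example): prefix-list blocks containing
    prefixes and the optional 'dynamic-db;' tag.
    """
    lists = {}
    current = None
    for line in config_text.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = lists.setdefault(
                m.group(1), {"prefixes": [], "dynamic_db": False})
            continue
        if current is None:
            continue
        if line.strip() == "dynamic-db;":
            current["dynamic_db"] = True
        elif PREFIX_RE.match(line):
            current["prefixes"].append(
                ipaddress.ip_network(PREFIX_RE.match(line).group(1)))
        elif line.strip() == "}":
            current = None  # prefix-list blocks have no nested blocks here
    return lists


def effective_prefix_list(name, static_cfg, dynamic_cfg):
    """Expected merge: static entries, plus the same-named dynamic-db list
    when the static list is tagged 'dynamic-db' (assumed semantics)."""
    empty = {"prefixes": [], "dynamic_db": False}
    static = parse_prefix_lists(static_cfg).get(name, empty)
    merged = list(static["prefixes"])
    if static["dynamic_db"]:
        merged += parse_prefix_lists(dynamic_cfg).get(name, empty)["prefixes"]
    return merged


def filter_action(dst_ip, prefixes):
    """Model of filter blocktest: term block-dy discards destinations in the
    list, term allow-all-else accepts everything else."""
    addr = ipaddress.ip_address(dst_ip)
    return "discard" if any(addr in net for net in prefixes) else "accept"


def evaluate(dst_ips, static_cfg=STATIC_CONFIG, dynamic_cfg=DYNAMIC_DB_CONFIG):
    """Expected action of blocktest for each destination address."""
    prefixes = effective_prefix_list("badips", static_cfg, dynamic_cfg)
    return {ip: filter_action(ip, prefixes) for ip in dst_ips}


def find_mismatches(expected, observed):
    """Destinations where the device's observed action differs from the
    modelled policy; the post reports 'discard' for every destination."""
    return {ip: (expected[ip], observed[ip])
            for ip in expected if expected[ip] != observed.get(ip)}


if __name__ == "__main__":
    targets = ["192.168.75.35", "1.1.1.1", "192.168.78.10"]
    expected = evaluate(targets)
    # Constructed observation matching the symptom in the post: nothing passes.
    observed = {ip: "discard" for ip in targets}
    print("expected:", expected)
    print("mismatches vs. observed:", find_mismatches(expected, observed))
```

Running the script prints the three expected actions (the two listed hosts discarded, the unlisted one accepted) and flags the unlisted host as the mismatch against the all-discard symptom. The same model with the `dynamic-db;` line removed from the static list shows why the tag matters: the dynamic entries then no longer count, and only 1.1.1.1/32 is discarded.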