[j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

Nitzan Tzelniker nitzan.tzelniker at gmail.com
Mon Oct 26 14:18:43 EDT 2015 

Dan,

AFAIK dynamic-db is for routing policy only
it dose not work for firewall filters

Nitzan


On Mon, Oct 26, 2015 at 7:29 PM, Dan Farrell <danno at appliedi.net> wrote:

> Howdy List,
>
> I can't seem to get a dynamic-db prefix-list to work correctly on either
> an ex3200 or ex2200 on JUNOS 12.3 and 12.10.
> I'm starting to suspect it simply won't work on these models (or maybe on
> EX-series at all, or maybe only on routing policies).
>
> Using a dynamic-db prefix-list in a filter leads to NO packets passing on
> the interface it is instantiated on. (tested on l2 and l3 interface
> filtering).
>
> It seems to be a simple implementation (create the same prefix-list name
> in the normal configuration as the dynamic-db prefix list and tag it
> 'dynamic-db', then use in a filter), so I'm currently not suspecting myself
> as the culprit.
>
>
> Combining manual prefixes with the dynamic-db in one prefix-list results
> in only the manual prefixes being honored, while the dynamic-db ones are
> still ignored (same as above).
>
>
> Thanks list!
>
>
> Also, here's my configuration's relevant parts:
>
> DYNAMIC CONFIGURATION:
> ========================
>   policy-options {
>       prefix-list badips {
>           192.168.75.35/32;
>           192.168.75.100/32;
>           192.168.100.251/32;
>       }
>   }
>
>
>
>
> STATIC CONFIGURATION:
> ======================
>   policy-options {
>       prefix-list badips {
>           dynamic-db;
>           1.1.1.1/32;
>       }
>    }
>
>   firewall {
>       family inet {
>           filter blocktest {
>               term block-dy {
>                   from {
>                       destination-prefix-list {
>                           badips;
>                       }
>                   }
>                   then {
>                       discard;
>                   }
>               }
>               term allow-all-else {
>                   then accept;
>               }
>           }
>       }
>   }
>
>   interfaces {
>     vlan {
>         unit 33 {
>             family inet {
>                 filter {
>                     input blocktest;
>                 }
>                 address 192.168.78.1/24;
>             }
>         }
>     }
>   }
>
>   vlans {
>     noc24-test {
>         vlan-id 33;
>         interface {
>             ge-0/0/3.0;
>         }
>         l3-interface vlan.33;
>     }
>   }
>
>
>
> Dan Farrell
> Applied Innovations Corp.
> danf at appliedi.net
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

More information about the juniper-nsp mailing list