[j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

Dan Farrell danno at appliedi.net
Mon Oct 26 14:33:48 EDT 2015


Hi Nitzan,

Thanks for your reply. I think you're right. To add further info and split the documentation and feature-set hairs:



- At least from 9.5 this is stated to be usable by EX series.
- BUT! All docs that reference dynamic-db do so with routing policies, and show support for only M, MX, and T.
- JUNOS-on-EX does not error out on the configuration (as it would, for example, when configuring BGP on an EX2200-C).

The use-case is loading large numbers of prefixes for filtering purposes without having to churn the unit with a typical commit operation and its associated churn. I'd hate to have to migrate to MX because EX can't/won't do it.

Cheers!

Dan

From: Nitzan Tzelniker [mailto:nitzan.tzelniker at gmail.com]
Sent: Monday, October 26, 2015 2:19 PM
To: Dan Farrell <danno at appliedi.net>
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

Dan,

AFAIK dynamic-db is for routing policy only;
it does not work for firewall filters.

Nitzan


On Mon, Oct 26, 2015 at 7:29 PM, Dan Farrell <danno at appliedi.net> wrote:
Howdy List,

I can't seem to get a dynamic-db prefix-list to work correctly on either an ex3200 or ex2200 on JUNOS 12.3 and 12.10.
I'm starting to suspect it simply won't work on these models (or maybe on EX-series at all, or maybe only on routing policies).

Using a dynamic-db prefix-list in a filter leads to NO packets passing on the interface it is instantiated on. (tested on l2 and l3 interface filtering).

It seems to be a simple implementation (create the same prefix-list name in the normal configuration as the dynamic-db prefix list and tag it 'dynamic-db', then use in a filter), so I'm currently not suspecting myself as the culprit.


Combining manual prefixes with the dynamic-db in one prefix-list results in only the manual prefixes being honored, while the dynamic-db ones are still ignored (same as above).


Thanks list!


Also, here's my configuration's relevant parts:

DYNAMIC CONFIGURATION:
========================
  policy-options {
      prefix-list badips {
          192.168.75.35/32;
          192.168.75.100/32;
          192.168.100.251/32;
      }
  }




STATIC CONFIGURATION:
======================
  policy-options {
      prefix-list badips {
          dynamic-db;
          1.1.1.1/32;
      }
  }

  firewall {
      family inet {
          filter blocktest {
              term block-dy {
                  from {
                      destination-prefix-list {
                          badips;
                      }
                  }
                  then {
                      discard;
                  }
              }
              term allow-all-else {
                  then accept;
              }
          }
      }
  }

  interfaces {
    vlan {
        unit 33 {
            family inet {
                filter {
                    input blocktest;
                }
                address 192.168.78.1/24;
            }
        }
    }
  }

  vlans {
    noc24-test {
        vlan-id 33;
        interface {
            ge-0/0/3.0;
        }
        l3-interface vlan.33;
    }
  }



Dan Farrell
Applied Innovations Corp.
danf at appliedi.net
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
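Since the thread's conclusion is that dynamic-db prefix lists are honoured only by routing policy, not by firewall filters, on these EX boxes, the practical defensive question becomes how to feed a large blocklist into a `configure dynamic` session safely. The script below is an added example, not code from either poster or from Juniper: it takes a constructed sample feed, discards lines that would be dangerous or invalid (the default route, non-IPv4 entries, unparsable text), normalises host bits, collapses duplicates and covered subnets, and renders the set-commands for the dynamic database plus the static scaffold that must already be committed. The prefix-list name `badips` and the use of `dynamic-db` on the prefix-list come from the thread; the `policy-statement` scaffold, the `MAX_PREFIXES` ceiling and the feed format are assumptions made for the example.

```python
"""Generate Junos 'configure dynamic' commands for a prefix-list from a blocklist feed.

Added example for the j-nsp thread above; not part of the original mail or of
Juniper's documentation. The thread reports that dynamic-db prefix lists are
ignored by firewall filters on EX3200/EX2200 (JUNOS 12.x), so the rendered
scaffold references the list from a routing policy instead.
"""
import ipaddress

# Constructed sample feed: mixed valid/invalid lines, duplicates, host bits set.
SAMPLE_FEED = """\
# constructed sample blocklist feed (not real indicators)
192.168.75.35
192.168.75.100/32
192.168.100.251/32
192.168.75.35          # duplicate of the first entry
10.20.0.0/16
10.20.5.0/24           # already covered by 10.20.0.0/16
10.20.0.7/16           # host bits set; normalised to 10.20.0.0/16
not-an-address
0.0.0.0/0              # refused: would match everything
"""

# Hypothetical safety ceiling on list size; tune to the platform's policy table.
MAX_PREFIXES = 4000


def parse_feed(text):
    """Return (networks, rejects).

    Strips '#' comments, normalises host bits (strict=False), and rejects
    anything unparsable, non-IPv4 (family inet) or the default route.
    Each reject is a (line, reason) tuple for the operator's review.
    """
    nets, rejects = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError as exc:
            rejects.append((line, str(exc)))
            continue
        if net.version != 4:
            rejects.append((line, "not IPv4 (family inet prefix-list)"))
            continue
        if net.prefixlen == 0:
            rejects.append((line, "default route would match all traffic"))
            continue
        nets.append(net)
    return nets, rejects


def build_prefix_list(nets):
    """Collapse duplicates and covered subnets into a minimal, sorted list."""
    return sorted(ipaddress.collapse_addresses(nets))


def render_static_scaffold(name, policy):
    """Static config that must be committed once before the dynamic session.

    The 'dynamic-db' flag on the prefix-list is from the thread; tagging the
    policy-statement with 'dynamic-db' is an assumption for this example.
    """
    return "\n".join([
        f"set policy-options prefix-list {name} dynamic-db",
        f"set policy-options policy-statement {policy} dynamic-db",
        f"set policy-options policy-statement {policy} term drop from prefix-list {name}",
        f"set policy-options policy-statement {policy} term drop then reject",
        f"set policy-options policy-statement {policy} term rest then accept",
    ])


def render_dynamic_config(name, nets):
    """Commands for a 'configure dynamic' session loading the collapsed list."""
    if len(nets) > MAX_PREFIXES:
        raise ValueError(f"{len(nets)} prefixes exceed ceiling of {MAX_PREFIXES}")
    lines = ["configure dynamic"]
    lines += [f"set policy-options prefix-list {name} {n.with_prefixlen}" for n in nets]
    lines.append("commit")
    return "\n".join(lines)


if __name__ == "__main__":
    networks, rejected = parse_feed(SAMPLE_FEED)
    for line, reason in rejected:
        print(f"REJECTED {line!r}: {reason}")
    collapsed = build_prefix_list(networks)
    print(render_static_scaffold("badips", "badips-policy"))
    print(render_dynamic_config("badips", collapsed))
```

The collapse step matters on real feeds: a feed of tens of thousands of /32s often shrinks considerably once covered entries are dropped, and refusing `0.0.0.0/0` up front prevents a malformed feed from turning a blocklist into a blackhole for everything.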