[j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200

Nitzan Tzelniker nitzan.tzelniker at gmail.com
Mon Oct 26 15:22:03 EDT 2015


If you are doing destination-based filtering (as I see in the example) and
it's OK to block it from all interfaces, you can just use routing to discard.
If you don't want to commit, just do it from an external server with exabgp.


Nitzan


On Mon, Oct 26, 2015 at 8:33 PM, Dan Farrell <danno at appliedi.net> wrote:

> Hi Nitzan,
>
>
>
> Thanks for your reply; I think you're right. To further add info and split
> the documentation and feature-set hairs:
>
>
>
> - At least from 9.5 this is stated to be usable by EX series.
>
> - BUT! All docs that reference dynamic-db do so with routing
> policies, and show support for only M, MX, and T.
>
> - JUNOS-on-EX does not error out on the configuration (as it
> would, for example, when configuring BGP on an EX2200-C).
>
>
>
> The use-case is loading large numbers of prefixes for filtering purposes
> without having to churn the unit with a typical commit operation and its
> associated churn. I'd hate to have to migrate to MX because EX can't/won't
> do it.
>
>
>
> Cheers!
>
>
>
> Dan
>
>
>
> *From:* Nitzan Tzelniker [mailto:nitzan.tzelniker at gmail.com]
> *Sent:* Monday, October 26, 2015 2:19 PM
> *To:* Dan Farrell <danno at appliedi.net>
> *Cc:* juniper-nsp at puck.nether.net
> *Subject:* Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
>
>
>
> Dan,
>
>
>
> AFAIK dynamic-db is for routing policy only;
>
> it does not work for firewall filters.
>
>
>
> Nitzan
>
>
>
>
>
> On Mon, Oct 26, 2015 at 7:29 PM, Dan Farrell <danno at appliedi.net> wrote:
>
> Howdy List,
>
> I can't seem to get a dynamic-db prefix-list to work correctly on either
> an ex3200 or ex2200 on JUNOS 12.3 and 12.10.
> I'm starting to suspect it simply won't work on these models (or maybe on
> EX-series at all, or maybe only on routing policies).
>
> Using a dynamic-db prefix-list in a filter leads to NO packets passing on
> the interface it is instantiated on. (tested on l2 and l3 interface
> filtering).
>
> It seems to be a simple implementation (create the same prefix-list name
> in the normal configuration as the dynamic-db prefix list and tag it
> 'dynamic-db', then use in a filter), so I'm currently not suspecting myself
> as the culprit.
>
>
> Combining manual prefixes with the dynamic-db in one prefix-list results
> in only the manual prefixes being honored, while the dynamic-db ones are
> still ignored (same as above).
>
>
> Thanks list!
>
>
> Also, here's my configuration's relevant parts:
>
> DYNAMIC CONFIGURATION:
> ========================
>   policy-options {
>       prefix-list badips {
>           192.168.75.35/32;
>           192.168.75.100/32;
>           192.168.100.251/32;
>       }
>   }
>
>
> STATIC CONFIGURATION:
> ======================
>   policy-options {
>       prefix-list badips {
>           dynamic-db;
>           1.1.1.1/32;
>       }
>   }
>
>   firewall {
>       family inet {
>           filter blocktest {
>               term block-dy {
>                   from {
>                       destination-prefix-list {
>                           badips;
>                       }
>                   }
>                   then {
>                       discard;
>                   }
>               }
>               term allow-all-else {
>                   then accept;
>               }
>           }
>       }
>   }
>
>   interfaces {
>       vlan {
>           unit 33 {
>               family inet {
>                   filter {
>                       input blocktest;
>                   }
>                   address 192.168.78.1/24;
>               }
>           }
>       }
>   }
>
>   vlans {
>       noc24-test {
>           vlan-id 33;
>           interface {
>               ge-0/0/3.0;
>           }
>           l3-interface vlan.33;
>       }
>   }
>
>
>
> Dan Farrell
> Applied Innovations Corp.
> danf at appliedi.net
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
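The two alternatives Nitzan proposes (a discard route instead of a filter, and feeding those routes from an external exabgp speaker so no commit is needed) as an added Junos configuration example. This is not configuration from either poster; the prefixes are the ones from Dan's prefix-list, while the AS number 65000, the community 65000:666, the peer address 192.0.2.2 and the group and policy names are assumed placeholders.

```junos
/* Added example, not the posters' configuration. 65000, 65000:666,
   192.0.2.2 and the policy/group names are assumed placeholders. */

/* Approach 1: static discard routes. Any packet destined to one of these
   prefixes is dropped regardless of ingress interface, which is the
   "use routing to discard" suggestion. Changing the list still needs
   a commit. */
routing-options {
    autonomous-system 65000;
    static {
        route 192.168.75.35/32 discard;
        route 192.168.75.100/32 discard;
        route 192.168.100.251/32 discard;
    }
}

/* Approach 2: learn the same prefixes over iBGP from an ExaBGP speaker
   (192.0.2.2, assumed) so the list changes without touching the
   switch configuration. The import policy installs only /32 routes that
   carry the agreed community and rewrites their next hop to discard;
   anything else from that peer is rejected, so the external speaker
   cannot inject reachability, only drops. */
policy-options {
    community blackhole members 65000:666;
    policy-statement from-exabgp {
        term discard-tagged {
            from {
                protocol bgp;
                community blackhole;
                route-filter 0.0.0.0/0 prefix-length-range /32-/32;
            }
            then {
                next-hop discard;
                accept;
            }
        }
        then reject;
    }
}
protocols {
    bgp {
        group exabgp {
            type internal;
            import from-exabgp;
            neighbor 192.0.2.2;
        }
    }
}
```

On the ExaBGP side the speaker would announce each prefix as a static route tagged with community 65000:666 (the exact exabgp statement is not shown here). After either approach, `show route 192.168.75.35/32` should list the route with a Discard next hop. Two caveats from the thread itself: a discard route only affects traffic whose destination is the prefix, the same scope as Dan's destination-prefix-list term, and Dan reports that BGP configuration errors out on an EX2200-C, so approach 2 is only available on models that accept a BGP stanza.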

