[j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
Dan Farrell
danno at appliedi.net
Tue Oct 27 07:39:25 EDT 2015
Thank-you very much.
Dan
________________________________________
From: Adam Vitkovsky <Adam.Vitkovsky at gamma.co.uk>
Sent: Monday, October 26, 2015 6:06 PM
To: Dan Farrell; Nitzan Tzelniker
Cc: juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
Hi Dan,
I found this:
"BGP is the only protocol to which you can apply routing policies that reference policies and policy objects configured in the dynamic database"
http://www.juniper.net/documentation/en_US/junos12.3/topics/usage-guidelines/policy-configuring-dynamic-routing-policies.html
adam
Adam Vitkovsky
IP Engineer
T: 0333 006 5936
E: Adam.Vitkovsky at gamma.co.uk
W: www.gamma.co.uk
-----Original Message-----
> From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf
> Of Dan Farrell
> Sent: Monday, October 26, 2015 6:34 PM
> To: Nitzan Tzelniker
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
>
> Hi Nitzan,
>
> Thanks for your reply- I think you're right. To further add info and split the
> documentation and feature-set hairs-
>
>
>
> - At least from 9.5 this is stated to be usable by EX series.
>
> - BUT! All docs that reference dynamic-db do so with routing policies,
> and show support for only M, MX, and T.
>
> - JUNOS-on-EX does not error out on the configuration (as it would, for
> example, when configuring BGP on an EX2200-C).
>
> The use-case is loading large numbers of prefixes for filtering purposes
> without having to churn the unit with a typical commit operation and its
> associated churn. I'd hate to have to migrate to MX because EX can't/won't
> do it.
>
> Cheers!
>
> Dan
>
> From: Nitzan Tzelniker [mailto:nitzan.tzelniker at gmail.com]
> Sent: Monday, October 26, 2015 2:19 PM
> To: Dan Farrell <danno at appliedi.net>
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] dynamic-db for prefix-list filter on ex3200, ex2200
>
> Dan,
>
> AFAIK dynamic-db is for routing policy only; it does not work for firewall filters.
>
> Nitzan
>
>
> On Mon, Oct 26, 2015 at 7:29 PM, Dan Farrell <danno at appliedi.net> wrote:
> Howdy List,
>
> I can't seem to get a dynamic-db prefix-list to work correctly on either an
> ex3200 or ex2200 on JUNOS 12.3 and 12.10.
> I'm starting to suspect it simply won't work on these models (or maybe on
> EX-series at all, or maybe only on routing policies).
>
> Using a dynamic-db prefix-list in a filter leads to NO packets passing on the
> interface it is instantiated on. (tested on l2 and l3 interface filtering).
>
> It seems to be a simple implementation (create the same prefix-list name in
> the normal configuration as the dynamic-db prefix list and tag it 'dynamic-db',
> then use in a filter), so I'm currently not suspecting myself as the culprit.
>
>
> Combining manual prefixes with the dynamic-db in one prefix-list results in
> only the manual prefixes being honored, while the dynamic-db ones are still
> ignored (same as above).
>
>
> Thanks list!
>
>
> Also, here's my configuration's relevant parts:
>
> DYNAMIC CONFIGURATION:
> ========================
> policy-options {
>     prefix-list badips {
>         192.168.75.35/32;
>         192.168.75.100/32;
>         192.168.100.251/32;
>     }
> }
>
> STATIC CONFIGURATION:
> ======================
> policy-options {
>     prefix-list badips {
>         dynamic-db;
>         1.1.1.1/32;
>     }
> }
>
> firewall {
>     family inet {
>         filter blocktest {
>             term block-dy {
>                 from {
>                     destination-prefix-list {
>                         badips;
>                     }
>                 }
>                 then {
>                     discard;
>                 }
>             }
>             term allow-all-else {
>                 then accept;
>             }
>         }
>     }
> }
>
> interfaces {
>     vlan {
>         unit 33 {
>             family inet {
>                 filter {
>                     input blocktest;
>                 }
>                 address 192.168.78.1/24;
>             }
>         }
>     }
> }
>
> vlans {
>     noc24-test {
>         vlan-id 33;
>         interface {
>             ge-0/0/3.0;
>         }
>         l3-interface vlan.33;
>     }
> }
>
> Dan Farrell
> Applied Innovations Corp.
> danf at appliedi.net
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
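The failure mode in this thread (a filter that references a `dynamic-db` prefix-list silently drops every packet on the interface) is the kind of thing worth catching before commit rather than on the wire. Below is an added example, not code from the juniper-nsp thread and not Juniper's: a small pre-commit lint that parses a Junos brace-style text configuration, collects the prefix-lists under `policy-options`, and flags any firewall term whose `from` clause references a prefix-list tagged `dynamic-db` (or one that is not defined at all). The parser is a deliberate simplification (one statement per key, no `apply-groups` expansion) and the sample configuration is constructed, modelled on Dan's STATIC CONFIGURATION block with one ordinary prefix-list added for contrast.

```python
"""Pre-commit lint: firewall terms that reference dynamic-db prefix-lists.

Added example for the juniper-nsp thread above; not Juniper's code. The parser
is a simplified reader for Junos brace-style text configuration (assumption:
one statement per key, no apply-groups expansion), which is enough for this
check.
"""
import re

# Constructed sample, modelled on the thread's STATIC CONFIGURATION block,
# with one ordinary prefix-list added for contrast.
CONSTRUCTED_CONFIG = """
policy-options {
    prefix-list badips {
        dynamic-db;
        1.1.1.1/32;
    }
    prefix-list static-bad {
        10.0.0.0/8;
    }
}
firewall {
    family inet {
        filter blocktest {
            term block-dy {
                from {
                    destination-prefix-list {
                        badips;
                    }
                }
                then discard;
            }
            term block-static {
                from {
                    source-prefix-list static-bad;
                }
                then discard;
            }
            term allow-all-else {
                then accept;
            }
        }
    }
}
"""

# 'from' match keys that take a prefix-list name.
MATCH_KEYS = {"prefix-list", "source-prefix-list", "destination-prefix-list"}


def parse(text):
    """Parse brace-delimited Junos text config into nested dicts.

    'a b { ... }' becomes key 'a b' -> dict; 'a b;' becomes key 'a b' -> None.
    '# ...' and '/* ... */' comments are stripped first.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"#.*", "", text)
    root, stack, words = {}, [], []
    stack.append(root)
    for tok in re.findall(r"[{};]|[^\s{};]+", text):
        if tok == "{":
            child = {}
            stack[-1][" ".join(words)] = child
            stack.append(child)
            words = []
        elif tok == ";":
            stack[-1][" ".join(words)] = None
            words = []
        elif tok == "}":
            stack.pop()
        else:
            words.append(tok)
    return root


def _children(node, prefix):
    """Yield (name, body) for block statements like '<prefix> <name> { ... }'."""
    for key, body in (node or {}).items():
        if key.startswith(prefix + " ") and isinstance(body, dict):
            yield key.split(" ", 1)[1], body


def prefix_lists(cfg):
    """Return {name: is_dynamic} for every prefix-list under policy-options."""
    return {name: "dynamic-db" in body
            for name, body in _children(cfg.get("policy-options"), "prefix-list")}


def filter_references(cfg):
    """List (family, filter, term, match-key, prefix-list) for every prefix-list
    referenced in a firewall term's 'from' clause. Handles the braced form
    ('source-prefix-list { x; }') and the inline form ('source-prefix-list x;');
    a trailing 'except' is dropped so 'badips except' resolves to 'badips'."""
    refs = []
    for fam, fam_body in _children(cfg.get("firewall"), "family"):
        for flt, flt_body in _children(fam_body, "filter"):
            for term, term_body in _children(flt_body, "term"):
                for match_key, names in (term_body.get("from") or {}).items():
                    parts = match_key.split()
                    if parts[0] not in MATCH_KEYS:
                        continue
                    found = ([n.split()[0] for n in names]
                             if isinstance(names, dict) else parts[1:2])
                    for name in found:
                        refs.append((fam, flt, term, parts[0], name))
    return refs


def lint(text):
    """Return findings as ('dynamic-db' | 'undefined', family, filter, term,
    match-key, prefix-list) tuples; an empty list means the config is clean."""
    cfg = parse(text)
    lists = prefix_lists(cfg)
    findings = []
    for ref in filter_references(cfg):
        name = ref[4]
        if name not in lists:
            findings.append(("undefined",) + ref)
        elif lists[name]:
            findings.append(("dynamic-db",) + ref)
    return findings


if __name__ == "__main__":
    for finding in lint(CONSTRUCTED_CONFIG):
        print("%s: family %s filter %s term %s %s %s" % finding)
```

Run it against `show configuration | display set`-free text (the brace form, as in the thread) before `commit`; a non-empty result is the signal to either move the prefixes into an ordinary prefix-list or restrict the dynamic-db list to BGP policy, which is the only place the Juniper documentation quoted above says it applies.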