[j-nsp] | display inheritance vs. logical-systems
Chuck Anderson
cra at WPI.EDU
Thu Feb 11 15:58:58 EST 2016
An interesting CLI bug:
"show configuration | display inheritance" doesn't find prefix lists
that are referenced via configuration groups that are applied inside a
logical-system, but the configuration commits and works correctly:

MX_RE0# show groups DROP-RESERVED-SOURCES
logical-systems {
    <*> {
        firewall {
            family inet {
                filter <*> {
                    term DROP-RESERVED-SOURCES {
                        from {
                            source-prefix-list {
                                RESERVED-ADDRESSES;
                            }
                        }
                        then {
                            count DROP-RESERVED-SOURCES;
                            discard;
                        }
                    }
                }
            }
        }
    }
}

MX_RE0# show logical-systems LSYS1 policy-options prefix-list RESERVED-ADDRESSES
10.0.0.0/8;
172.16.0.0/12;
192.168.0.0/16;

MX_RE0# show logical-systems LSYS1 firewall family inet filter CUST-IN
apply-groups DROP-RESERVED-SOURCES;

MX_RE0# show logical-systems LSYS1 firewall family inet filter CUST-IN | display inheritance
##
## 'DROP-RESERVED-SOURCES' was inherited from group 'DROP-RESERVED-SOURCES'
##
term DROP-RESERVED-SOURCES {
    ##
    ## 'from' was inherited from group 'DROP-RESERVED-SOURCES'
    ##
    from {
        source-prefix-list {
            ##
            ## 'RESERVED-ADDRESSES' was inherited from group 'DROP-RESERVED-SOURCES'
            ##
            RESERVED-ADDRESSES; ## 'RESERVED-ADDRESSES' is not defined
        }
    }
    ##
    ## 'then' was inherited from group 'DROP-RESERVED-SOURCES'
    ##
    then {
        ##
        ## 'DROP-RESERVED-SOURCES' was inherited from group 'DROP-RESERVED-SOURCES'
        ##
        count DROP-RESERVED-SOURCES;
        ##
        ## 'discard' was inherited from group 'DROP-RESERVED-SOURCES'
        ##
        discard;
    }
}

Notice the comment "## 'RESERVED-ADDRESSES' is not defined". It is
defined...
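
An added example, not part of the original post: when auditing filters, a small Python check can separate the spurious "is not defined" annotations described above from references that really have no prefix-list in the logical system. The sample text is constructed (the MISSING-LIST entry is invented for contrast), and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the "| display inheritance" output above.
# MISSING-LIST is an invented second entry, added only for contrast.
INHERITANCE_OUTPUT = """\
term DROP-RESERVED-SOURCES {
    from {
        source-prefix-list {
            ##
            ## 'RESERVED-ADDRESSES' was inherited from group 'DROP-RESERVED-SOURCES'
            ##
            RESERVED-ADDRESSES; ## 'RESERVED-ADDRESSES' is not defined
            MISSING-LIST; ## 'MISSING-LIST' is not defined
        }
    }
}
"""

# Constructed sample: policy-options of the same logical system.
LSYS_POLICY_OPTIONS = """\
prefix-list RESERVED-ADDRESSES {
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
}
"""

UNDEFINED_RE = re.compile(r"^\s*(\S+);\s*##\s*'([^']+)' is not defined\s*$")
PREFIX_LIST_RE = re.compile(r"^\s*prefix-list\s+(\S+)\s*[{;]")

def defined_prefix_lists(policy_options_text):
    """Names of prefix-lists declared in the given policy-options text."""
    return {m.group(1) for line in policy_options_text.splitlines()
            if (m := PREFIX_LIST_RE.match(line))}

def triage_undefined(inheritance_text, policy_options_text):
    """Split 'is not defined' annotations into (spurious, genuine) name lists."""
    defined = defined_prefix_lists(policy_options_text)
    spurious, genuine = [], []
    for line in inheritance_text.splitlines():
        m = UNDEFINED_RE.match(line)
        if m:
            name = m.group(2)
            (spurious if name in defined else genuine).append(name)
    return spurious, genuine

if __name__ == "__main__":
    spurious, genuine = triage_undefined(INHERITANCE_OUTPUT, LSYS_POLICY_OPTIONS)
    print("defined in the logical system (annotation is spurious):", spurious)
    print("not found in the logical system (check the config):", genuine)
```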