03-07-2011 02:50 PM
In IOS I had some ACLs that made use of the wildcard mask with generic network/host addresses to perform a limited load balancing function. I'm trying to see if I can do the same thing on a Juniper switch as the egress port filters are very nice and would reduce my interface usage for this application.
I would like to match source addresses based on the last 2 bits of the IP address, no matter what the prefix is, and the wildcard masks made this very easy, i.e. in these ACEs:
access-list 1 permit 0.0.0.1 255.255.255.252
access-list 1 remark Allow IPs ending with 01 bits only
access-list 2 permit 0.0.0.2 255.255.255.252
access-list 2 remark Allow IPs ending with 10 bits only
My question is whether the following filter config will allow for the same functionality, or does the prefix I put in the term's from section have to actually match the incoming traffic?
filter INCOMING01 {
    term 01 {
        from {
            source-address {
                0.0.0.1/30;
            }
        }
    }
}
filter INCOMING10 {
    term 10 {
        from {
            source-address {
                0.0.0.2/30;
            }
        }
    }
}
03-08-2011 01:50 AM
Hello,
In JUNOS, one cannot use Cisco inverse ACL match in prefix-lists:
aarseniev@abernathy# set policy-options prefix-list tst1 0.0.0.2/30
^
host portion is not zero (0.0.0.0/30) at '0.0.0.2/30'
{master:0}[edit]
aarseniev@abernathy# set policy-options prefix-list tst1 0.0.0.2/255.255.255.252
^
invalid input at '/255.255.255.252' in address '0.0.0.2/255.255.255.252' at '0.0.0.2/255.255.255.252'
You can use non-contiguous netmask in firewall filters though. I believe Cisco-style 0.0.0.2/255.255.255.252 should be written as 0.0.0.2/0.0.0.3 in JUNOS:
aarseniev@abernathy# set firewall family inet filter flt1 term 1 from source-address 0.0.0.2/0.0.0.3
{master:0}[edit]
aarseniev@abernathy# commit check
configuration check succeeds
{master:0}[edit]
aarseniev@abernathy# show | compare
[edit]
+ firewall {
+ family inet {
+ filter flt1 {
+ term 1 {
+ from {
+ source-address {
+ 0.0.0.2/0.0.0.3;
+ }
+ }
+ }
+ }
+ }
+ }
What I haven't checked is whether this filter actually filters pkts from source IPs ending with 10 binary.
Would you please be able to test and report back?
HTH
Regards
Alex
03-08-2011 08:17 AM
aarseniev - That definitely looks promising, I will test that out today and let you know if that works. Thanks!
03-09-2011 08:27 AM
aarseniev, thanks for the suggestion, but unfortunately it doesn't work with the inverse mask. It doesn't use the same AND comparison logic as a wildcard mask and still tries to match the prefix, it seems.
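The following is an added illustration of the address-comparison logic this thread is about; it is not code from any of the posters and says nothing about what the Juniper switch actually does (the last post reports that the non-contiguous mask did not behave as hoped). It implements the Cisco wildcard-mask comparison from the original ACLs, the inverted "bits that must match" form that the 0.0.0.2/0.0.0.3 suggestion assumed, and an ordinary prefix match, and runs all three over a few constructed source addresses so the difference the poster observed is visible. The sample addresses and the function names are my own.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _u32(ip: str) -> int:
    """Dotted-quad IPv4 string -> unsigned 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def cisco_wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco ACE semantics: a 1 bit in the wildcard means 'don't care',
    a 0 bit means that address bit must equal the base bit.
    'permit 0.0.0.1 255.255.255.252' therefore matches any address whose
    last two bits are 01, regardless of prefix."""
    care = ~_u32(wildcard) & ALL_ONES
    return (_u32(addr) & care) == (_u32(base) & care)


def wildcard_to_bitmask(wildcard: str) -> str:
    """Invert a Cisco wildcard into a '1 = must compare' mask, which is the
    translation the thread proposed (255.255.255.252 -> 0.0.0.3).
    Assumption, not a statement about Junos: this only documents the intent."""
    return str(ipaddress.IPv4Address(~_u32(wildcard) & ALL_ONES))


def bitmask_match(addr: str, base: str, mask: str) -> bool:
    """AND-compare with a '1 = must match' mask, i.e. the semantics the
    0.0.0.2/0.0.0.3 form was hoped to have."""
    m = _u32(mask)
    return (_u32(addr) & m) == (_u32(base) & m)


def prefix_match(addr: str, prefix: str) -> bool:
    """Plain prefix match: only the leading bits are compared, so 0.0.0.1/30
    is simply the network 0.0.0.0/30 and never matches a real host."""
    return ipaddress.IPv4Address(addr) in ipaddress.ip_network(prefix, strict=False)


def bucket_by_low_bits(addrs):
    """The load-balancing split from the original post: group addresses by
    the value of their last two bits (00, 01, 10, 11)."""
    buckets = {"00": [], "01": [], "10": [], "11": []}
    for a in addrs:
        buckets[format(_u32(a) & 0b11, "02b")].append(a)
    return buckets


# Constructed sample source addresses (not taken from the thread).
SAMPLE = ["10.1.2.4", "10.1.2.5", "192.168.7.6", "172.16.0.7", "10.9.9.1"]

if __name__ == "__main__":
    for a in SAMPLE:
        print(
            a,
            "ACL1 (01):", cisco_wildcard_match(a, "0.0.0.1", "255.255.255.252"),
            "ACL2 (10):", cisco_wildcard_match(a, "0.0.0.2", "255.255.255.252"),
            "prefix 0.0.0.1/30:", prefix_match(a, "0.0.0.1/30"),
        )
    print("wildcard 255.255.255.252 as bitmask:", wildcard_to_bitmask("255.255.255.252"))
    print(bucket_by_low_bits(SAMPLE))
```

Running it shows that every address with low bits 01 matches the first ACE and none of them match the /30 prefix form, which is exactly the gap between the two matching models: the wildcard mask ignores the leading bits, the prefix form requires them to be zero.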