Ethernet Switching
Visitor
Mat_Wood
Posts: 5
Registered: 03-01-2011

How are source-address prefixes interpreted for Port ACLs?

In IOS I had some ACLs that made use of the wildcard mask with generic network/host addresses to perform a limited load balancing function. I'm trying to see if I can do the same thing on a Juniper switch, as the egress Port filters are very nice and would reduce my interface usage for this application.

I would like to match source-addresses based on the last 2 bits of the IP address, no matter what the prefix is, and the wildcard masks made this very easy, i.e. in this ACE:

access-list 1 permit 0.0.0.1 255.255.255.252
access-list 1 remark Allow IPs ending with 01 bits only

access-list 2 permit 0.0.0.2 255.255.255.252
access-list 2 remark Allow IPs ending with 10 bits only

My question is whether the following filter config will allow for the same functionality, or does the prefix I put in the term from section have to actually match the incoming traffic?

filter INCOMING01 {
    term 01 {
        from {
            source-address {
                0.0.0.1/30;
            }
        }
    }
}
filter INCOMING10 {
    term 10 {
        from {
            source-address {
                0.0.0.2/30;
            }
        }
    }
}

Distinguished Expert
aarseniev
Posts: 1,545
Registered: 08-21-2009

Re: How are source-address prefixes interpreted for Port ACLs?

Hello,

In JUNOS, one cannot use Cisco inverse ACL match in prefix-lists:

aarseniev@abernathy# set policy-options prefix-list tst1 0.0.0.2/30               
                                                         ^
host portion is not zero (0.0.0.0/30) at '0.0.0.2/30'

{master:0}[edit]
aarseniev@abernathy# set policy-options prefix-list tst1 0.0.0.2/255.255.255.252   
                                                         ^
invalid input at '/255.255.255.252' in address '0.0.0.2/255.255.255.252' at '0.0.0.2/255.255.255.252'

You can use non-contiguous netmask in firewall filters though. I believe Cisco-style 0.0.0.2/255.255.255.252 should be written as 0.0.0.2/0.0.0.3 in JUNOS:

aarseniev@abernathy# set firewall family inet filter flt1 term 1 from source-address 0.0.0.2/0.0.0.3    

{master:0}[edit]
aarseniev@abernathy# commit check 
configuration check succeeds

{master:0}[edit]
aarseniev@abernathy# show | compare 
[edit]
+  firewall {
+      family inet {
+          filter flt1 {
+              term 1 {
+                  from {
+                      source-address {
+                          0.0.0.2/0.0.0.3;
+                      }
+                  }
+              }
+          }
+      }
+  }

What I haven't checked is whether this filter actually filters pkts from source IPs ending with 10 binary.

Would you please be able to test and report back?

HTH

Regards

Alex

___________________________________
Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
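The two match semantics this thread compares, as an added Python example (not code from the thread or from Juniper): IOS wildcard matching as in Mat's ACEs, the inverted address/mask form Alex proposed, and plain prefix matching, which shows why a /30 prefix can never select "addresses ending in 10". The noncontiguous-mask function encodes the behaviour Alex assumed for `0.0.0.2/0.0.0.3`, not what the EX switch was later reported to do; the sample hosts are constructed.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def _i(dotted: str) -> int:
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def cisco_wildcard_match(addr: str, pattern: str, wildcard: str) -> bool:
    """IOS ACE semantics: a 1 bit in the wildcard means 'don't care',
    so only the 0 bits of the wildcard are compared."""
    care = ~_i(wildcard) & ALL_ONES
    return (_i(addr) & care) == (_i(pattern) & care)

def wildcard_to_junos_mask(wildcard: str) -> str:
    """Invert an IOS wildcard into the address/mask form Alex suggested
    (255.255.255.252 -> 0.0.0.3): the 1 bits are the ones that must match."""
    return str(ipaddress.IPv4Address(~_i(wildcard) & ALL_ONES))

def noncontiguous_mask_match(addr: str, pattern: str, mask: str) -> bool:
    """ASSUMED meaning of 'source-address 0.0.0.2/0.0.0.3': compare only
    the bits set in the mask. This is what Alex expected; the thread
    does not confirm the EX port filter behaves this way."""
    m = _i(mask)
    return (_i(addr) & m) == (_i(pattern) & m)

def prefix_match(addr: str, prefix: str) -> bool:
    """Ordinary prefix matching compares the leading bits only, so
    0.0.0.2/30 collapses to 0.0.0.0/30 and matches four addresses."""
    net = ipaddress.ip_network(prefix, strict=False)
    return ipaddress.IPv4Address(addr) in net

def last_two_bits(addr: str) -> int:
    """Load-balancing bucket 0..3 taken from the two low-order bits."""
    return _i(addr) & 0x3

# Constructed sample hosts, one per bucket, all outside 0.0.0.0/30.
SAMPLE_HOSTS = ["10.20.30.4", "10.20.30.5", "10.20.30.6", "10.20.30.7"]

def hosts_matching_ios_ace(pattern: str, wildcard: str) -> list:
    """Which sample hosts an IOS 'permit <pattern> <wildcard>' ACE selects."""
    return [h for h in SAMPLE_HOSTS if cisco_wildcard_match(h, pattern, wildcard)]

if __name__ == "__main__":
    print(hosts_matching_ios_ace("0.0.0.2", "255.255.255.252"))
    print(wildcard_to_junos_mask("255.255.255.252"))
    print(prefix_match("10.20.30.6", "0.0.0.2/30"))
```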
Visitor
Mat_Wood
Posts: 5
Registered: 03-01-2011

Re: How are source-address prefixes interpreted for Port ACLs?

aarseniev - That definitely looks promising, I will test that out today and let you know if that works. Thanks!

Visitor
Mat_Wood
Posts: 5
Registered: 03-01-2011

Re: How are source-address prefixes interpreted for Port ACLs?

aarseniev, Thanks for the suggestion, but unfortunately it doesn't work with the inverse mask. It doesn't use the same AND comparison logic as a wildcard mask and tries to still match the prefix, it seems.

Copyright © 1999-2013 Juniper Networks, Inc. All rights reserved.