Ethernet Switching

How to exclude an ip from the subnet defined as prefix-list in firewall filter

07-19-2019 08:14 AM

Hi, I have already configured a firewall filter on the subnet "115.189.245.64/28" by defining it as prefix list "xyz" in the filter "cc-out". I want to exclude the IP (115.189.245.78/28) from that prefix list and want this server to be accessible by only two IPs (210.250.190.190/32) and (210.250.190.211/32). The current filter allows access to the servers in that subnet from many IPs, but I want to restrict access to this one (115.189.245.78/28) to only the two IPs (210.250.190.190/32) and (210.250.190.211/32).

Please find below the config of the existing filter and kindly tell me how and where I can add the new term for this server (115.189.245.78/28) without impacting the existing filter:

set groups AA:BB interfaces <*> unit 98 description "aa"
set groups AA:BB interfaces <*> unit 98 family inet mtu 1500
set groups AA:BB interfaces <*> unit 98 family inet filter output cc-out
set groups AA:BB interfaces <*> unit 98 family inet address 115.189.245.65/28
set groups AA:BB policy-options prefix-list xyz 115.189.245.64/28
set groups AA:BB firewall family inet filter cc-out term accept-mgmt from source-prefix-list management
set groups AA:BB firewall family inet filter cc-out term accept-mgmt then accept
set groups AA:BB firewall family inet filter cc-out term accept-icmp from destination-prefix-list xyz
set groups AA:BB firewall family inet filter cc-out term accept-icmp from protocol icmp
set groups AA:BB firewall family inet filter cc-out term accept-icmp then policer management-5m
set groups AA:BB firewall family inet filter cc-out term accept-icmp then accept
set groups AA:BB firewall family inet filter cc-out term accept-http from destination-prefix-list xyz
set groups AA:BB firewall family inet filter cc-out term accept-http from protocol tcp
set groups AA:BB firewall family inet filter cc-out term accept-http from destination-port http
set groups AA:BB firewall family inet filter cc-out term accept-http from destination-port https
set groups AA:BB firewall family inet filter cc-out term accept-http then accept
set groups AA:BB firewall family inet filter cc-out term last then discard

Solution accepted by topic author jsnow_0445 (07-19-2019 10:27 AM)

Re: How to exclude an ip from the subnet defined as prefix-list in firewall filter

07-19-2019 10:16 AM

Please add two more terms in front of accept-icmp:

set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from source-address 210.250.190.190/32
set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from source-address 210.250.190.211/32
set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from destination-address 115.189.245.78/32
set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server from protocol icmp
set groups AA:BB firewall family inet filter cc-out term accept-icmp-78-server then accept
set groups AA:BB firewall family inet filter cc-out term reject-icmp-78-server from destination-address 115.189.245.78/32
set groups AA:BB firewall family inet filter cc-out term reject-icmp-78-server from protocol icmp
set groups AA:BB firewall family inet filter cc-out term reject-icmp-78-server then reject
set groups AA:BB firewall family inet filter cc-out term accept-icmp from destination-prefix-list xyz
set groups AA:BB firewall family inet filter cc-out term accept-icmp from protocol icmp
set groups AA:BB firewall family inet filter cc-out term accept-icmp then policer management-5m
set groups AA:BB firewall family inet filter cc-out term accept-icmp then accept


Mengzhe Hu
JNCIE x 3 (SP DC ENT)
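Why the new terms have to sit in front of accept-icmp is a question of first-match evaluation: a Junos filter walks its terms in order and the first term whose match conditions all hold decides the packet. The Python model below is an added illustration, not Junos code and not anything from the thread; it reproduces the accepted answer's term order next to the same terms merely appended after accept-icmp, and runs a few constructed packets through both. The "management" prefix list is not shown in the thread, so 192.0.2.0/24 stands in for it, and 198.51.100.7 is a constructed "any other host" source.

```python
# Constructed model of Junos firewall-filter evaluation: terms are tried in
# order, the first matching term's action wins, and an unmatched packet hits
# the implicit discard at the end of the filter.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def nets(*cidrs: str) -> List[ipaddress.IPv4Network]:
    return [ipaddress.ip_network(c) for c in cidrs]


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                 # "icmp" or "tcp"
    dst_port: Optional[int] = None


@dataclass
class Term:
    name: str
    action: str                   # "accept", "reject" or "discard"
    src: List[ipaddress.IPv4Network] = field(default_factory=list)
    dst: List[ipaddress.IPv4Network] = field(default_factory=list)
    protocol: Optional[str] = None
    dst_ports: List[int] = field(default_factory=list)

    def matches(self, pkt: Packet) -> bool:
        # Junos semantics: different match types are ANDed; several values of
        # one type (two source-address lines) are ORed; an omitted type is "any".
        s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        if self.src and not any(s in n for n in self.src):
            return False
        if self.dst and not any(d in n for n in self.dst):
            return False
        if self.protocol and pkt.protocol != self.protocol:
            return False
        if self.dst_ports and pkt.dst_port not in self.dst_ports:
            return False
        return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """Return (term name, action) of the first term that matches pkt."""
    for t in terms:
        if t.matches(pkt):
            return t.name, t.action
    return "implicit-discard", "discard"


# Prefix lists from the thread; "management" is not shown there, so the
# documentation range 192.0.2.0/24 is a constructed stand-in.
XYZ = nets("115.189.245.64/28")
MANAGEMENT = nets("192.0.2.0/24")
SERVER_78 = nets("115.189.245.78/32")
ALLOWED_SOURCES = nets("210.250.190.190/32", "210.250.190.211/32")

# Terms of the existing cc-out filter.
ACCEPT_MGMT = Term("accept-mgmt", "accept", src=MANAGEMENT)
ACCEPT_ICMP = Term("accept-icmp", "accept", dst=XYZ, protocol="icmp")
ACCEPT_HTTP = Term("accept-http", "accept", dst=XYZ, protocol="tcp", dst_ports=[80, 443])
LAST = Term("last", "discard")

# The two terms proposed in the accepted answer.
ACCEPT_78 = Term("accept-icmp-78-server", "accept",
                 src=ALLOWED_SOURCES, dst=SERVER_78, protocol="icmp")
REJECT_78 = Term("reject-icmp-78-server", "reject", dst=SERVER_78, protocol="icmp")


def original_filter() -> List[Term]:
    return [ACCEPT_MGMT, ACCEPT_ICMP, ACCEPT_HTTP, LAST]


def fixed_filter() -> List[Term]:
    # New terms placed in front of accept-icmp, as the answer says.
    return [ACCEPT_MGMT, ACCEPT_78, REJECT_78, ACCEPT_ICMP, ACCEPT_HTTP, LAST]


def wrong_order_filter() -> List[Term]:
    # Same terms merely appended after accept-icmp: the broader term wins first.
    return [ACCEPT_MGMT, ACCEPT_ICMP, ACCEPT_78, REJECT_78, ACCEPT_HTTP, LAST]


if __name__ == "__main__":
    outsider = "198.51.100.7"   # constructed "any other host"
    samples = [
        Packet("210.250.190.190", "115.189.245.78", "icmp"),
        Packet(outsider, "115.189.245.78", "icmp"),
        Packet(outsider, "115.189.245.70", "icmp"),
        Packet(outsider, "115.189.245.78", "tcp", 443),
    ]
    for label, flt in (("fixed", fixed_filter()), ("wrong order", wrong_order_filter())):
        for p in samples:
            print(f"{label:11} {p.src} -> {p.dst} {p.protocol}/{p.dst_port}: {evaluate(flt, p)}")
```

Two things the model makes visible. First, on a live box a plain `set` of a new term appends it after the existing ones, which is the wrong-order case above; the Junos `insert` command (for example `insert firewall family inet filter cc-out term accept-icmp-78-server before term accept-icmp`) moves it in front without deleting and re-adding accept-icmp. Second, the answer's terms match only ICMP, so TCP 80/443 from any source to .78 still lands on accept-http; if the "only two IPs" requirement covers those ports too, the same accept-then-reject pair has to be repeated for TCP and placed in front of accept-http.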

Re: How to exclude an ip from the subnet defined as prefix-list in firewall filter

07-19-2019 10:27 AM

Awesome, it works. Thank you for your kind help.

Really appreciate it 🙂