Ethernet Switching

Object Groups for ACLs like cisco

04-30-2019 05:26 AM

Hi, Guys,

Can we use object groups for ACLs in Juniper switches, as mentioned in the Cisco link below?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-sy/sec-data-acl-15-s...

Thanks,
Jsree

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Object Groups for ACLs like cisco

04-30-2019 07:36 AM

The link you refer to is service object-groups for protocols and ports. The same does not exist for Junos.

For source/destination addresses you can use prefix-lists and refer to these in your firewall filters.

Example:

user@switch# show policy-options
prefix-list sources {
    10.10.10.0/24;
    10.10.11.1/32;
}
prefix-list destinations {
    192.168.0.0/24;
    192.168.1.1/32;
}

[edit]
jh@fw# show firewall family inet filter flaf
term 1 {
    from {
        source-prefix-list {
            sources;
        }
        destination-prefix-list {
            destinations;
        }
    }
    then accept;
}

--
Best regards,

Jonas Hauge Klingenberg
Systems Engineer, SEC DATACOM A/S (Denmark)

Re: Object Groups for ACLs like cisco

05-02-2019 08:15 AM

Hi,

Thanks for the reply. It is a real deal breaker, so I need to go for Cisco switches. I am trying to achieve what is mentioned in the example, as we need to mention the range of ports.

Example Creating a Service Object Group

The following example shows how to create a service object group named my_service_object_group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child) named sjc_eng_svcs as objects:

Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 telnet
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs

Example Creating an Object Group-Based ACL

The following example shows how to create an object group-based ACL that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_service_object_group:

Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit object-group my_service_object_group object-group my_network_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit

Example Applying an Object Group-Based ACL to an Interface

The following example shows how to apply an object group-based ACL to an interface. In this example, an object group-based ACL named my_ogacl_policy is applied to VLAN interface 100:

Router> enable
Router# configure terminal
Router(config)# interface vlan 100
Router(config-if)# ip access-group my_ogacl_policy in
Router(config-if)# end

Thanks,
Jsree

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Object Groups for ACLs like cisco

05-02-2019 08:29 AM

Just a comment, I think you need to validate if this is actually possible on Cisco switches as well. What you are looking for is more a router/firewall feature than a switch feature.

The documentation you are referring to is for Cisco's router platforms (ISR and similar), and this post mentions that it isn't supported on some of the older Catalyst switches: https://community.cisco.com/t5/switching/acl-object-groups-on-catalyst-switches/td-p/3082302

At least you need to validate your specific Cisco switch with the Cisco Feature Navigator:

https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

When I briefly searched for support for object groups for ACLs, only Catalyst 4500, 6500, ASR, ISR and CSR router images showed up. Suggested software for a Catalyst 9300 is currently IOS XE 16.6.5... Object groups for ACLs are only on ISR4300 and CSR1000v with this release.

--
Best regards,

Jonas Hauge Klingenberg
Systems Engineer, SEC DATACOM A/S (Denmark)

Re: Object Groups for ACLs like cisco

05-08-2019 12:57 AM

Thanks, Jonas, for your valuable input. We are a Juniper house and need this for a new datacentre. We will check with Cisco before buying the switch.

Thanks,
Jsree

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Object Groups for ACLs like cisco

05-08-2019 08:17 AM

The closest to this that I can think of is creating and applying a configuration group. Something like this:

[edit groups FF-MATCH-GROUP]
lab@vMX-1# show | display set relative
set filter <*> term <*> from protocol tcp
set filter <*> term <*> from protocol udp
set filter <*> term <*> from destination-port smtp
set filter <*> term <*> from destination-port telnet
set filter <*> term <*> from destination-port domain

[edit firewall family inet filter test]
lab@vMX-1# show
term 1 {
    apply-groups FF-MATCH-GROUP;
}

[edit firewall family inet filter test]
lab@vMX-1# show | display inheritance
term 1 {
    ##
    ## 'from' was inherited from group 'FF-MATCH-GROUP'
    ##
    from {
        ##
        ## 'tcp' was inherited from group 'FF-MATCH-GROUP'
        ## 'udp' was inherited from group 'FF-MATCH-GROUP'
        ##
        protocol [ tcp udp ];
        ##
        ## 'smtp' was inherited from group 'FF-MATCH-GROUP'
        ## 'telnet' was inherited from group 'FF-MATCH-GROUP'
        ## 'domain' was inherited from group 'FF-MATCH-GROUP'
        ##
        destination-port [ smtp telnet domain ];
    }
}

HTH,

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps
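Added example (not code from any poster in this thread): a small Python generator that translates the Cisco service object group quoted above into Junos firewall-filter terms, one term per entry, expanding nested group-object references and port ranges. It keeps Cisco's OR-across-entries semantics, which the single inherited term above does not: `protocol [ tcp udp ]` combined with `destination-port [ smtp telnet domain ]` also matches udp/23 and udp/25. The entry format, the child group `sjc_eng_svcs` contents and the term-naming scheme are assumptions.

```python
from typing import Dict, List, Tuple

# Constructed sample modelled on the Cisco object group quoted in the thread:
# "src"/"dst" are (low, high) port ranges, icmp carries a Junos icmp-type name,
# and {"group": ...} nests another group (group-object).
SERVICE_GROUPS: Dict[str, List[dict]] = {
    "my_service_object_group": [
        {"proto": "icmp", "type": "echo-request"},              # icmp echo
        {"proto": "tcp", "dst": (25, 25)},                      # tcp smtp
        {"proto": "tcp", "dst": (23, 23)},                      # tcp telnet
        {"proto": "tcp", "src": (1, 65535), "dst": (23, 23)},  # tcp source range 1 65535 telnet
        {"proto": "udp", "dst": (53, 53)},                      # udp domain
        {"proto": "tcp-udp", "dst": (2000, 2005)},              # tcp-udp range 2000 2005
        {"group": "sjc_eng_svcs"},                              # group-object sjc_eng_svcs
    ],
    "sjc_eng_svcs": [{"proto": "tcp", "dst": (22, 22)}],        # hypothetical child group
}

def flatten(name: str, groups: Dict[str, List[dict]], seen: Tuple[str, ...] = ()) -> List[dict]:
    """Expand nested group references depth-first; refuse reference cycles."""
    if name in seen:
        raise ValueError(f"group reference cycle through {name}")
    out: List[dict] = []
    for e in groups[name]:
        out.extend(flatten(e["group"], groups, seen + (name,)) if "group" in e else [e])
    return out

def port_text(rng: Tuple[int, int]) -> str:
    """Junos port syntax: a single port, or low-high for a range."""
    return str(rng[0]) if rng[0] == rng[1] else f"{rng[0]}-{rng[1]}"

def junos_terms(name: str, groups: Dict[str, List[dict]], action: str = "accept") -> str:
    """Emit one Junos term per entry.  Cisco ORs the group's entries, but match
    conditions inside one Junos term are ANDed, so folding 'tcp smtp' and 'udp domain'
    into a single term (protocol [ tcp udp ]; destination-port [ 25 53 ]) would also
    accept udp/25 and tcp/53.  Only tcp-udp, which shares one port set, folds safely."""
    terms = []
    for i, e in enumerate(flatten(name, groups), 1):
        proto = e["proto"]
        match = ["protocol [ tcp udp ];" if proto == "tcp-udp" else f"protocol {proto};"]
        if proto == "icmp":
            match.append(f"icmp-type {e['type']};")
        if e.get("src"):
            match.append(f"source-port {port_text(e['src'])};")
        if e.get("dst"):
            match.append(f"destination-port {port_text(e['dst'])};")
        body = "\n".join(f"        {m}" for m in match)
        terms.append(f"term {name}-{i} {{\n    from {{\n{body}\n    }}\n    then {action};\n}}")
    return "\n".join(terms)
```

The output is meant to be pasted under `[edit firewall family inet filter <name>]`; a final `then discard` term still has to be added by hand, as in the Cisco example's trailing `deny`.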

Re: Object Groups for ACLs like cisco

2 weeks ago

Hi,

Thanks, Lara, for helping me. Is this available in Juniper switching gear or only in the MX series?

Thanks,
Jsree

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: Object Groups for ACLs like cisco

2 weeks ago

This is a general Junos feature available on all platforms.


--
Best regards,

Jonas Hauge Klingenberg
Systems Engineer, SEC DATACOM A/S (Denmark)