Junos

ACL doesn't work on 19.1R1.6 EX2300

‎05-06-2019 06:13 AM

Hello, I have another problem: the ACL is not working on an EX2300 after upgrading to 19.1R1.6.

Scenario: the network 192.168.216.0/24 should not be able to connect to the networks in the DENY prefix-list.

Is my config right?

set firewall family inet filter ACL-for-ITC term deny_internal_nets from source-address 192.168.216.0/24
set firewall family inet filter ACL-for-ITC term deny_internal_nets from destination-prefix-list DENY-INTERNAL-NETS
set firewall family inet filter ACL-for-ITC term deny_internal_nets then discard
set firewall family inet filter ACL-for-ITC term permit-dhcp from source-address 0.0.0.0/32
set firewall family inet filter ACL-for-ITC term permit-dhcp from destination-address 255.255.255.255/32
set firewall family inet filter ACL-for-ITC term permit-dhcp then accept
set firewall family inet filter ACL-for-ITC term permit-other from source-address 192.168.216.0/24
set firewall family inet filter ACL-for-ITC term permit-other then accept
set interfaces vlan unit 216 family inet filter input ACL-for-ITC

set policy-options prefix-list DENY-INTERNAL-NETS 10.10.130.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 10.10.132.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 10.10.170.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 10.10.228.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 172.29.100.0/27
set policy-options prefix-list DENY-INTERNAL-NETS 172.30.96.0/19
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.17.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.102.0/23
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.104.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.108.0/22
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.116.0/22
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.120.0/22
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.130.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.132.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.134.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.144.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.145.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.148.0/22
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.170.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.172.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.180.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.210.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.211.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.213.0/27
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.214.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.215.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.218.0/24
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.219.0/30
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.220.0/22
set policy-options prefix-list DENY-INTERNAL-NETS 192.168.227.0/24


Re: ACL doesn't work on 19.1R1.6 EX2300

‎05-06-2019 10:16 AM

Hi,

- Was this working before the upgrade?

- Are you sure traffic from 192.168.216.0/24 is arriving at interface vlan unit 216 to reach the destinations in your prefix-list? Maybe you can add a log action on the term to check.

Regards,

Yasmin Lara - Juniper Ambassador #QuadE - JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCIS-CLOUD, JNCDS-DC, JNCIA-DevOps

Re: ACL doesn't work on 19.1R1.6 EX2300

‎05-07-2019 03:05 AM

On which interface are you applying the filter and is it on input or output?

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
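Taking the two replies together (add a log action to see whether the traffic hits the term; confirm which interface and which direction the filter is on), here is an added example, not posted by the original poster or by either replier, of how to make the filter observable before concluding that the ACL itself is broken. Every term gets a counter, the deny term also gets the log action suggested above, and the operational-mode commands that follow confirm where the filter is attached and which terms are matching. The filter, term, prefix-list and unit names are the poster's; the counter names are assumed. One caveat worth checking first: the EX2300 runs the ELS flavour of Junos, on which the routed VLAN interface is irb rather than vlan, so the example attaches the filter to irb.216 and the first show command establishes which of the two actually exists and carries the 192.168.216.0/24 gateway on this switch.

```junos
# Added example, not the poster's config: the same filter with a counter on every
# term and logging on the deny term, so hits are visible in show output.
# Counter names deny-internal-hits, dhcp-hits and permit-other-hits are assumed.
set firewall family inet filter ACL-for-ITC term deny_internal_nets from source-address 192.168.216.0/24
set firewall family inet filter ACL-for-ITC term deny_internal_nets from destination-prefix-list DENY-INTERNAL-NETS
set firewall family inet filter ACL-for-ITC term deny_internal_nets then count deny-internal-hits
set firewall family inet filter ACL-for-ITC term deny_internal_nets then log
set firewall family inet filter ACL-for-ITC term deny_internal_nets then discard
set firewall family inet filter ACL-for-ITC term permit-dhcp from source-address 0.0.0.0/32
set firewall family inet filter ACL-for-ITC term permit-dhcp from destination-address 255.255.255.255/32
set firewall family inet filter ACL-for-ITC term permit-dhcp then count dhcp-hits
set firewall family inet filter ACL-for-ITC term permit-dhcp then accept
set firewall family inet filter ACL-for-ITC term permit-other from source-address 192.168.216.0/24
set firewall family inet filter ACL-for-ITC term permit-other then count permit-other-hits
set firewall family inet filter ACL-for-ITC term permit-other then accept

# Attach as an INPUT filter on the Layer 3 interface that owns the VLAN 216 gateway.
# Input on that interface sees packets leaving the VLAN toward other networks, which is
# the direction the deny term needs. On the ELS-based EX2300 the interface is irb.216;
# substitute vlan.216 only if the first check below shows that is what the box has.
set interfaces irb unit 216 family inet filter input ACL-for-ITC

# Operational-mode checks, run after commit and after sending test traffic from a
# 192.168.216.x host to an address inside one of the DENY-INTERNAL-NETS prefixes:
show interfaces terse | match "irb.216|vlan.216"    # which L3 interface exists, and is it up
show configuration interfaces irb unit 216           # filter really attached, and as input
show route 10.10.130.0/24                            # switch has a route toward a denied prefix
show firewall filter ACL-for-ITC                     # per-term packet and byte counters
show firewall log                                    # entries written by the log action
clear firewall filter ACL-for-ITC                    # zero the counters before a second run
```

Reading the counters tells you which of the two replies' questions applies. If all three counters stay at zero while the test host is sending, the traffic is not entering the switch through that interface in that direction, which is the interface/direction question from the second reply. If permit-other-hits climbs while deny-internal-hits stays at zero, the packets are reaching the filter but the destination is not matching the prefix-list, so check the prefix-list contents and that the test target really falls inside one of them. Only when deny-internal-hits increments and the traffic still gets through is there something to take up with JTAC about the 19.1R1.6 upgrade itself.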