Routing

Cisco ACL Config to Juniper ACL Config (Migration)

09-03-2019 02:32 AM

Hi all!

My customer wants to change a Cisco router to a Juniper MX480.

However, I don't know the difference between Cisco's standard and extended ACLs.

!
ip access-list standard CISCO
permit 17.17.17.0 0.0.0.255
permit 217.217.217.0 0.0.0.255
!
ip access-list extended CISCO-BLOCK
permit ip host 17.17.17.0 host 255.255.255.0
permit ip host 217.217.217.0 host 255.255.255.0
!

Question 1: How can I migrate the above Cisco ACL config to a Juniper config?

Please let me know the Juniper configuration, and I want to know exactly what the difference is.

Thanks in advance,


Re: Cisco ACL Config to Juniper ACL Config (Migration)

09-03-2019 02:50 AM

Hi Charlies,

A standard ACL filters only on the source address, whereas an extended ACL uses the five-tuple, i.e.:

  • Source IP address
  • Destination IP address
  • TCP/UDP Source port
  • TCP/UDP Destination port
  • Protocol ID

Equivalent configuration in Juniper:


firewall {
    family {
        inet {
            filter CISCO {
                term T1 {
                    from {
                        source-address {
                            17.17.17.0/24;
                            217.217.217.0/24;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
            filter CISCO-BLOCK {
                term T1 {
                    from {
                        source-address {
                            17.17.17.0/32;
                            217.217.217.0/32;
                        }
                        destination-address {
                            255.255.255.0/32;
                        }
                    }
                    then {
                        accept;
                    }
                }
            }
        }
    }
}

Use I2J. It's a translation tool that translates IOS configuration to JUNOS.

https://i2j.juniper.net/release/index.jsp

Thanks,
Pradeep
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


Re: Cisco ACL Config to Juniper ACL Config (Migration)

09-03-2019 04:32 PM

Hi Pradeep and all,

I know the I2J site and have already converted the configuration.

Question 1: Is the above config correct?
If it is, what is the purpose of the CISCO-BLOCK ACL? I don't understand CISCO-BLOCK's purpose.

Thanks in Advance,

Re: Cisco ACL Config to Juniper ACL Config (Migration)

09-03-2019 06:24 PM

Let us know where you applied the above ACL in Cisco.
Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!

Re: Cisco ACL Config to Juniper ACL Config (Migration)

09-03-2019 08:16 PM

Hi Nellikka and all,

Thanks for your answer!

Here is the Cisco configuration.

!
route-map CONN-BGP permit 20
match ip address CISCO
set origin igp
set community 5005:20

!
route-map STATIC-BGP permit 10
match ip address CISCO-BLOCK
set origin igp
set community 5005:0 5005:20000 5005:20050
!

Thanks in advance,


Re: Cisco ACL Config to Juniper ACL Config (Migration)

09-03-2019 09:01 PM

ip access-list extended CISCO-BLOCK
permit ip host 17.17.17.0 host 255.255.255.0
permit ip host 217.217.217.0 host 255.255.255.0

The extended ACL CISCO-BLOCK is used to filter the IP prefixes 17.17.17.0 and 217.217.217.0 with the specific prefix length /24.
When an extended ACL is used to filter IP prefixes, the source matches the prefix (17.17.17.0, 217.217.217.0) and the destination matches the prefix length (/24 in this case).
So in the above config, the source requires a match on all 32 bits (17.17.17.0) and the destination also requires a match on all 32 bits (255.255.255.0).


When you use a standard ACL to filter prefixes, it will check/match only the prefix and will not check the prefix length:

ip access-list standard CISCO
permit 17.17.17.0 0.0.0.255
permit 217.217.217.0 0.0.0.255

In this case, the above ACL checks only the prefixes 17.17.17.0 and 217.217.217.0. The prefix length can be anything, like /24, /25, /26, /27, /28, etc.
It can match any of the prefixes/routes given below:
17.17.17.0/24
17.17.17.0/25
17.17.17.0/26
17.17.17.0/27
17.17.17.0/30
.....
217.217.217.0/24
217.217.217.0/25
217.217.217.0/26
.....

So use an extended ACL if you want to filter a prefix with a specific prefix length.


Thanks,
Nellikka
JNCIE x3 (SEC #321; SP #2839; ENT #790)
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!
Solution accepted by topic author charlies, 09-08-2019 04:55 PM

Re: Cisco ACL Config to Juniper ACL Config (Migration)

09-05-2019 09:50 PM

Hi,

If I understand this correctly, you have this extended ACL called in a route-map which is used in a BGP import policy, for control-plane filtering.

In that case, direct conversion of ACLs between Cisco and Juniper is not feasible.

You need to write a policy in place of a firewall filter (the Junos term for an ACL).

set policy-options policy-statement BGP-import term CONN from route-filter x.x.x.x/y exact
set policy-options policy-statement BGP-import term CONN then origin igp
set policy-options policy-statement BGP-import term CONN then community set COM1
set policy-options policy-statement BGP-import term CONN then accept
set policy-options policy-statement BGP-import term STATIC from route-filter z.z.z.z/y exact
set policy-options policy-statement BGP-import term STATIC then community set COM2
set policy-options policy-statement BGP-import term STATIC then community add COM3
set policy-options policy-statement BGP-import term STATIC then community add COM4
set policy-options policy-statement BGP-import term STATIC then accept

set policy-options community COM1 members 5005:20
set policy-options community COM2 members 5005:0
set policy-options community COM3 members 5005:20000
set policy-options community COM4 members 5005:20050

Please let me know if you need any further help.
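Nellikka's explanation of why CISCO and CISCO-BLOCK select different prefix sets, and the route-filter translation in the accepted answer, as an added worked example that is not from the thread: a small Python model of how IOS evaluates a standard or extended ACL referenced by `match ip address`, plus a translator that emits the Junos route-filter lines covering the same prefixes. The two ACLs are the ones from the original post; the function names and the 192.168.0.0 and 10.0.0.0 entries used for checking are this example's own.

```python
"""Model IOS 'match ip address <acl>' prefix semantics and derive Junos route-filters.

Added example, not code from the thread. Rules modelled, as the thread states them:
a standard ACL compares only the route's network address (prefix length ignored);
an extended ACL compares the network address against the source field and the
subnet mask against the destination field. All function names are this example's own.
"""
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple

Field = Tuple[IPv4Address, IPv4Address]          # (base address, wildcard mask)
Entry = Tuple[str, str, Field, Optional[Field]]  # (action, kind, source, destination)

def _field(tokens: List[str]) -> Tuple[Field, List[str]]:
    """Parse one IOS address field: 'host A', 'A WILDCARD' or a bare 'A' (= host)."""
    if tokens[0] == "host":
        return (IPv4Address(tokens[1]), IPv4Address("0.0.0.0")), tokens[2:]
    if len(tokens) > 1 and "." in tokens[1]:
        return (IPv4Address(tokens[0]), IPv4Address(tokens[1])), tokens[2:]
    return (IPv4Address(tokens[0]), IPv4Address("0.0.0.0")), tokens[1:]

def parse_entry(line: str) -> Entry:
    """Parse 'permit|deny A W' (standard) or 'permit|deny ip SRC DST' (extended)."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"unsupported ACL line: {line!r}")
    if tokens[1] == "ip":
        src, rest = _field(tokens[2:])
        dst, _ = _field(rest)
        return action, "extended", src, dst
    src, _ = _field(tokens[1:])
    return action, "standard", src, None

def _wildcard_match(value: IPv4Address, base: IPv4Address, wildcard: IPv4Address) -> bool:
    """Cisco wildcard compare: a set bit in the wildcard is 'don't care'."""
    return (int(value) | int(wildcard)) == (int(base) | int(wildcard))

def entry_matches(entry: Entry, prefix: str) -> bool:
    route = IPv4Network(prefix)
    _, kind, (sbase, swild), dst = entry
    if not _wildcard_match(route.network_address, sbase, swild):
        return False
    if kind == "standard":
        return True                      # mask never examined: /24, /25, /30 all match
    dbase, dwild = dst
    return _wildcard_match(route.netmask, dbase, dwild)

def acl_permits(entries: List[Entry], prefix: str) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for entry in entries:
        if entry_matches(entry, prefix):
            return entry[0] == "permit"
    return False

def matching_lengths(entry: Entry) -> List[int]:
    """Prefix lengths whose subnet mask the entry accepts (every length for a standard ACL)."""
    _, kind, _, dst = entry
    if kind == "standard":
        return list(range(33))
    dbase, dwild = dst
    return [n for n in range(33)
            if _wildcard_match(IPv4Address((0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF), dbase, dwild)]

def _prefix_len(wildcard: IPv4Address) -> int:
    w = int(wildcard)
    if w & (w + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} has no single route-filter form")
    return 32 - ((w + 1).bit_length() - 1)

def to_junos_route_filters(entry: Entry) -> List[str]:
    """Junos route-filter lines that select exactly the prefixes the entry permits."""
    action, _, (sbase, swild), _ = entry
    if action != "permit":
        raise NotImplementedError("a deny entry needs its own earlier term with 'then reject'")
    plen = _prefix_len(swild)
    net = IPv4Network((int(sbase), plen), strict=False)
    lengths = matching_lengths(entry)
    lines = []
    # Shorter than the wildcard covers, only the base address itself can be a canonical
    # network, and only where it is aligned: on IOS 'permit 192.168.0.0 0.0.255.255'
    # therefore also matches 192.168.0.0/13, /14 and /15.
    for n in lengths:
        if n < plen and int(net.network_address) & ((1 << (32 - n)) - 1) == 0:
            lines.append(f"route-filter {net.network_address}/{n} exact")
    longer = [n for n in lengths if n >= plen]
    if longer == [plen]:
        lines.append(f"route-filter {net} exact")
    elif longer == list(range(plen, 33)):
        lines.append(f"route-filter {net} orlonger")
    elif longer and longer == list(range(longer[0], longer[-1] + 1)):
        lines.append(f"route-filter {net} prefix-length-range /{longer[0]}-/{longer[-1]}")
    elif longer:
        raise ValueError("non-contiguous length set; split the entry into several route-filters")
    return lines

# The two ACLs from the original post.
CISCO = [parse_entry("permit 17.17.17.0 0.0.0.255"), parse_entry("permit 217.217.217.0 0.0.0.255")]
CISCO_BLOCK = [parse_entry("permit ip host 17.17.17.0 host 255.255.255.0"),
               parse_entry("permit ip host 217.217.217.0 host 255.255.255.0")]
```

Run over the original post's ACLs, `to_junos_route_filters` gives `route-filter 17.17.17.0/24 orlonger` for the standard entry and `route-filter 17.17.17.0/24 exact` for the extended host/host entry, the form the accepted answer uses. The translator also makes two caveats visible: because a standard ACL ignores the length entirely, an entry whose base address is aligned more coarsely than its wildcard (192.168.0.0 0.0.255.255) matches the shorter aggregates 192.168.0.0/13 to /15 as well, which a plain `orlonger` would not select; and deny entries have no route-filter equivalent of their own, they need a separate term with `then reject` placed before the accepting term.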