It seems "source-prefix-list" is being ignored by the EX-3200. If the "source-prefix-list" statement is being ignored, would you use source-address (for the time being)? :)
Regards,
Masood

> I'm trying to form a router protect policy on an EX3200 that is being used
> as a layer3 border device receiving default routes only (temporary until
> it's replaced by an M series). I was able to create a policy that works
> fine for EX series running layer2 only services. Are there any examples or
> templates to look at?
>
> Another engineer offered this:
>
> ROUTER-PROTECT
> term SEQ-100 {
>     from {
>         source-address {
>             0.0.0.0/0;
>         }
>         source-prefix-list {
>             NMS-NETWORKS except;
>         }
>         destination-port [ telnet ssh ftp ftp-data snmp ntp ];
>     }
>     then {
>         syslog;
>         discard;
>     }
> }
> term SEQ-200 {
>     from {
>         source-address {
>             0.0.0.0/0;
>         }
>         source-prefix-list {
>             BGP-NEIGHBORS except;
>         }
>         destination-port bgp;
>     }
>     then {
>         discard;
>     }
> }
> term SEQ-300 {
>     then accept;
> }
>
> My problem is that the EX is barfing on the source-prefix-list command. As
> such:
>
> firewall {
>     family inet {
>         filter ROUTER-PROTECT {
>             term SEQ-100 {
>                 from {
>                     source-address {
>                         0.0.0.0/0;
>                     }
>                     ##
>                     ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
>                     ##
>                     source-prefix-list {
>                         NMS-NETWORKS;
>                     }
>                     destination-port [ ssh telnet snmp ftp ftp-data ntp ];
>                 }
>                 then accept;
>             }
>             term SEQ-200 {
>                 from {
>                     ##
>                     ## Warning: configuration block ignored: unsupported platform (ex3200-24t)
>                     ##
>                     source-prefix-list {
>                         BGP-OSPF-NEIGHBORS;
>                     }
>                     protocol ospf;
>                     destination-port bgp;
>                 }
>                 then accept;
>             }
>             term SEQ-300 {
>                 then accept;
>             }
>         }
>     }
> }
>
> So in essence, I'm looking for a policy that will achieve the same goal
> that can actually be placed on an EX series.
>
> Thank you
>
> -b
>
> --
> Bill Blackford
> Senior Network Engineer
> Technology Systems Group
> Northwest Regional ESD
>
> my /home away from home
>
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
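Added example, not from either poster: the same ROUTER-PROTECT filter written the way Masood suggests, with the prefixes listed inline under source-address and marked `except` instead of referencing a prefix-list. The RFC 5737 addresses are placeholders standing in for the NMS-NETWORKS and BGP/OSPF neighbor lists; the explicit `protocol` matches, the separate OSPF term, and the lo0 application are additions of mine, and it assumes the EX accepts `except` under source-address (which the original thread does not confirm).

```junos
firewall {
    family inet {
        filter ROUTER-PROTECT {
            /* Management protocols: permitted only from the NMS ranges.
               Placeholder prefix 192.0.2.0/24 stands in for NMS-NETWORKS. */
            term SEQ-100 {
                from {
                    source-address {
                        0.0.0.0/0;
                        192.0.2.0/24 except;
                    }
                    protocol [ tcp udp ];
                    destination-port [ telnet ssh ftp ftp-data snmp ntp ];
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* BGP: permitted only from the configured peers.
               Placeholder /32s stand in for BGP-NEIGHBORS. */
            term SEQ-200 {
                from {
                    source-address {
                        0.0.0.0/0;
                        198.51.100.1/32 except;
                        198.51.100.2/32 except;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    syslog;
                    discard;
                }
            }
            /* OSPF (IP protocol 89) has no port, so it gets its own term;
               all from-conditions in one term are ANDed together.
               Placeholder 203.0.113.0/24 stands in for the OSPF neighbor subnet. */
            term SEQ-250 {
                from {
                    source-address {
                        0.0.0.0/0;
                        203.0.113.0/24 except;
                    }
                    protocol ospf;
                }
                then {
                    syslog;
                    discard;
                }
            }
            term SEQ-300 {
                then accept;
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input ROUTER-PROTECT;
                }
            }
        }
    }
}
```

Keeping the explicit `0.0.0.0/0;` alongside the `except` entries leaves no doubt about what the term matches, and applying the filter as an input filter on lo0 is what makes it protect the routing engine rather than just transit traffic. The downside of inline addresses versus a prefix-list is that the same ranges now have to be edited in every term that references them, so verify with `show configuration firewall | display set` after each change.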