Switching

Hi, Guys,

Can we use object groups for ACL in juniper switches as mentioned in the below Cisco link?

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/15-sy/sec-data-acl-15-sy-book/sec-object-group-acl.html#GUID-B12163EE-71C5-4D1A-9DA1-6AA9558378A7

The link you refer to is service object-groups for protocols and ports. The same does not exist for Junos.

For source/destination addresses you can use prefix-lists and refer to these in firewall filters.

you can use prefix-lists which you then refer to in your firewall filters.

Example:

user@switch# show policy-options
prefix-list sources {
    10.10.10.0/24;
    10.10.11.1/32;
}
prefix-list destinations {
    192.168.0.0/24;
    192.168.1.1/32;
}

[edit]
jh@fw# show firewall family inet filter flaf
term 1 {
    from {
        source-prefix-list {
            sources;
        }
        destination-prefix-list {
            destinations;
        }
    }
    then accept;
}

Hi, 

Thanks for the reply, It is a real deal breaker, so I need to go for Cisco switches. I am trying to achieve as mention in the example as we need to mention the range of ports.

Router> enable
Router# configure terminal
Router(config)# object-group service my_service_object_group
Router(config-service-group)# icmp echo
Router(config-service-group)# tcp smtp
Router(config-service-group)# tcp telnet
Router(config-service-group)# tcp source range 1 65535 telnet
Router(config-service-group)# udp domain
Router(config-service-group)# tcp-udp range 2000 2005
Router(config-service-group)# group-object sjc_eng_svcs

Router> enable
Router# configure terminal
Router(config)# ip access-list extended my_ogacl_policy
Router(config-ext-nacl)# permit object-group my_service_object_group object-group my_network_object_group any
Router(config-ext-nacl)# deny tcp any any
Router(config-ext-nacl)# exit
Router(config)# exit

Router> enable
Router# configure terminal
Router(config)# interface vlan 100
Router(config-if)# ip access-group my_ogacl_policy in
Router(config-if)# end

Just a comment, I think you need to validate if this is actually possible on Cisco switches as well. What you are looking for is more a router/firewall feature than a switch feature.

The documentation you are refering to, is for Ciscos router platforms (ISR and similar) where this post mention that it isn't supported on some of the older Catalyst switches: https://community.cisco.com/t5/switching/acl-object-groups-on-catalyst-switches/td-p/3082302

At least you need to validate your specific Cisco switch with the Cisco Feature Navigator:

https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

When I briefly searches for support on Object groups for ACLs only Catalyst 4500, 6500, ASR, ISR and CSR routers images shows up. Suggested software for an Catalyst 9300 is currently IOS XE 16.6.5... Object groups for ACLs are only on ISR4300 and CSR1000v with this release.

Thanks, Jonas for your valuable input, We are a juniper house and need this for a new datacentre. we will check with Cisco before buying the switch. 

The closest to this that I can think of, is creating and applying a configuration group. Something like this:

[edit groups FF-MATCH-GROUP]

lab@vMX-1# show | display set relative

set filter <*> term <*> from protocol tcp

set filter <*> term <*> from protocol udp

set filter <*> term <*> from destination-port smtp

set filter <*> term <*> from destination-port telnet

set filter <*> term <*> from destination-port domain

[edit firewall family inet filter test]

lab@vMX-1# show             

term 1 {

    apply-groups FF-MATCH-GROUP;

}

[edit firewall family inet filter test]

lab@vMX-1# show | display inheritance 

term 1 {

    ##

    ## 'from' was inherited from group 'FF-MATCH-GROUP'

    ##

    from {

        ##

        ## 'tcp' was inherited from group 'FF-MATCH-GROUP'

        ## 'udp' was inherited from group 'FF-MATCH-GROUP'

        ##

        protocol [ tcp udp ];

        ##

        ## 'smtp' was inherited from group 'FF-MATCH-GROUP'

        ## 'telnet' was inherited from group 'FF-MATCH-GROUP'

        ## 'domain' was inherited from group 'FF-MATCH-GROUP'

        ##

        destination-port [ smtp telnet domain ];

    }

}

HTH,

Hi,

Thanks, Lara, for helping me, Is this available in switching gears in Juniper or only in MX series.

This is a general Junos feature available on all platforms.