
Object Groups for ACLs like cisco

  • 1.  Object Groups for ACLs like cisco

     
    Posted 04-30-2019 05:26


  • 2.  RE: Object Groups for ACLs like cisco

    Posted 04-30-2019 07:37

    The link you refer to is service object-groups for protocols and ports. The same does not exist for Junos.

     

    For source/destination addresses you can use prefix-lists and refer to these in firewall filters.

    you can use prefix-lists which you then refer to in your firewall filters.

     

    Example:

    user@switch# show policy-options
    prefix-list sources {
        10.10.10.0/24;
        10.10.11.1/32;
    }
    prefix-list destinations {
        192.168.0.0/24;
        192.168.1.1/32;
    }
    
    [edit]
    jh@fw# show firewall family inet filter flaf
    term 1 {
        from {
            source-prefix-list {
                sources;
            }
            destination-prefix-list {
                destinations;
            }
        }
        then accept;
    }
    

     

     



  • 3.  RE: Object Groups for ACLs like cisco

     
    Posted 05-02-2019 08:15

    Hi, 

     

    Thanks for the reply. It is a real deal breaker, so I need to go for Cisco switches. I am trying to achieve what is mentioned in the example, as we need to specify a range of ports.

    Example Creating a Service Object Group

    The following example shows how to create a service object group named my_service_object_group, which contains several ICMP, TCP, UDP, and TCP-UDP protocols and an existing object group (child) named sjc_eng_svcs as objects:

    Router> enable
    Router# configure terminal
    Router(config)# object-group service my_service_object_group
    Router(config-service-group)# icmp echo
    Router(config-service-group)# tcp smtp
    Router(config-service-group)# tcp telnet
    Router(config-service-group)# tcp source range 1 65535 telnet
    Router(config-service-group)# udp domain
    Router(config-service-group)# tcp-udp range 2000 2005
    Router(config-service-group)# group-object sjc_eng_svcs
    

    Example Creating an Object Group-Based ACL

    The following example shows how to create an object group-based ACL that permits packets from the users in my_network_object_group if the protocol ports match the ports specified in my_service_object_group:

    Router> enable
    Router# configure terminal
    Router(config)# ip access-list extended my_ogacl_policy
    Router(config-ext-nacl)# permit object-group my_service_object_group object-group my_network_object_group any
    Router(config-ext-nacl)# deny tcp any any
    Router(config-ext-nacl)# exit
    Router(config)# exit
    

    Example Applying an Object Group-Based ACL to an Interface

    The following example shows how to apply an object group-based ACL to an interface. In this example, an object group-based ACL named my_ogacl_policy is applied to VLAN interface 100:

    Router> enable
    Router# configure terminal
    Router(config)# interface vlan 100
    Router(config-if)# ip access-group my_ogacl_policy in
    Router(config-if)# end

     



  • 4.  RE: Object Groups for ACLs like cisco

    Posted 05-02-2019 08:29

    Just a comment, I think you need to validate if this is actually possible on Cisco switches as well. What you are looking for is more a router/firewall feature than a switch feature.

     

    The documentation you are referring to is for Cisco's router platforms (ISR and similar), and this post mentions that it isn't supported on some of the older Catalyst switches: https://community.cisco.com/t5/switching/acl-object-groups-on-catalyst-switches/td-p/3082302

     

    At least you need to validate your specific Cisco switch with the Cisco Feature Navigator:

    https://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/by-feature-technology.jsp

     

    When I briefly searched for support for object groups for ACLs, only Catalyst 4500, 6500, ASR, ISR and CSR router images showed up. Suggested software for a Catalyst 9300 is currently IOS XE 16.6.5... Object groups for ACLs are only on ISR4300 and CSR1000v with this release.

     



  • 5.  RE: Object Groups for ACLs like cisco

     
    Posted 05-08-2019 00:58

     

    Thanks, Jonas, for your valuable input. We are a Juniper house and need this for a new datacentre. We will check with Cisco before buying the switch.



  • 6.  RE: Object Groups for ACLs like cisco

     
    Posted 05-08-2019 08:17

    The closest to this that I can think of is creating and applying a configuration group. Something like this:

     

    [edit groups FF-MATCH-GROUP]
    lab@vMX-1# show | display set relative
    set filter <*> term <*> from protocol tcp
    set filter <*> term <*> from protocol udp
    set filter <*> term <*> from destination-port smtp
    set filter <*> term <*> from destination-port telnet
    set filter <*> term <*> from destination-port domain
    
    [edit firewall family inet filter test]
    lab@vMX-1# show
    term 1 {
        apply-groups FF-MATCH-GROUP;
    }
    
    [edit firewall family inet filter test]
    lab@vMX-1# show | display inheritance
    term 1 {
        ##
        ## 'from' was inherited from group 'FF-MATCH-GROUP'
        ##
        from {
            ##
            ## 'tcp' was inherited from group 'FF-MATCH-GROUP'
            ## 'udp' was inherited from group 'FF-MATCH-GROUP'
            ##
            protocol [ tcp udp ];
            ##
            ## 'smtp' was inherited from group 'FF-MATCH-GROUP'
            ## 'telnet' was inherited from group 'FF-MATCH-GROUP'
            ## 'domain' was inherited from group 'FF-MATCH-GROUP'
            ##
            destination-port [ smtp telnet domain ];
        }
    }

     

    HTH,
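Putting the two Junos answers in this thread together (prefix-lists from reply 2, a configuration group with `<*>` wildcards from reply 6), the following is an added example, written for this page rather than taken from any of the posts or from Juniper documentation. It approximates both halves of the Cisco object-group pattern the original poster quoted: the prefix-lists play the role of the network object-group, the configuration group plays the role of the service object-group, and it includes the port range (`2000-2005`) the poster said was the deal breaker. All names here (`NET-USERS`, `NET-SERVERS`, `SVC-ENG`, filter `DC-EDGE`, and `irb` unit 100 as the routed VLAN interface) are assumptions.

```junos
/* Added example: "network object-groups" as prefix-lists (constructed sample addresses) */
policy-options {
    prefix-list NET-USERS {
        10.10.10.0/24;
        10.10.11.1/32;
    }
    prefix-list NET-SERVERS {
        192.168.0.0/24;
    }
}

/* "Service object-group" as a configuration group. The <*> wildcards mean the
   match conditions attach to whichever filter/term applies the group, so the
   group is scoped by where apply-groups is placed, not by these wildcards. */
groups {
    SVC-ENG {
        firewall {
            family inet {
                filter <*> {
                    term <*> {
                        from {
                            protocol [ tcp udp ];
                            /* named ports plus a numeric range, matched for either protocol */
                            destination-port [ smtp telnet domain 2000-2005 ];
                        }
                    }
                }
            }
        }
    }
}

firewall {
    family inet {
        filter DC-EDGE {
            /* One term: addresses from the prefix-lists AND service from the group
               must all match, which mirrors "permit object-group SVC object-group NET any". */
            term allow-eng-services {
                apply-groups SVC-ENG;
                from {
                    source-prefix-list {
                        NET-USERS;
                    }
                    destination-prefix-list {
                        NET-SERVERS;
                    }
                }
                then {
                    count allow-eng-services;
                    accept;
                }
            }
            /* ICMP has no ports, so it needs its own term rather than a group entry. */
            term allow-echo {
                from {
                    source-prefix-list {
                        NET-USERS;
                    }
                    protocol icmp;
                    icmp-type echo-request;
                }
                then accept;
            }
            /* Explicit final term: counted and logged so drops are visible to operators. */
            term deny-rest {
                then {
                    count deny-rest;
                    log;
                    discard;
                }
            }
        }
    }
}

/* Apply inbound on the routed VLAN interface (assumed to be irb.100 here;
   older EX platforms use "vlan unit 100" instead). */
interfaces {
    irb {
        unit 100 {
            family inet {
                filter {
                    input DC-EDGE;
                }
            }
        }
    }
}
```

After committing, `show firewall family inet filter DC-EDGE | display inheritance` shows the group's `protocol` and `destination-port` merged into `allow-eng-services`, exactly as in the output above, which is the check to run before trusting the filter. Because the group and the term-local `from` conditions land in a single term, they are ANDed; if a second filter should permit the same services to a different server set, it applies the same `SVC-ENG` group in its own term with its own prefix-lists, which is the reuse the object-group feature provides. `show firewall filter DC-EDGE` then gives the per-term counters for both the accepted and the discarded traffic.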

     



  • 7.  RE: Object Groups for ACLs like cisco

     
    Posted 11-21-2019 07:21

    Hi,

     

    Thanks, Lara, for helping me. Is this available on Juniper switching gear or only on the MX series?



  • 8.  RE: Object Groups for ACLs like cisco

    Posted 11-21-2019 13:42

    This is a general Junos feature available on all platforms.