Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  configuring access list on juniper 4600ex

    Posted 08-15-2018 22:21

    We have a Cisco 3750 in production that needs to be replaced with a Juniper 4600ex;

    I'm confused with the access list part. Please help me:


    Extended IP access list VERIZON
        10 deny tcp 172.27.31.0 0.0.0.255 172.27.0.0 0.0.255.255 eq 3389 (15 matches)
        20 permit tcp 172.27.31.0 0.0.0.255 any eq 1985
        30 permit udp 172.27.31.0 0.0.0.255 any eq 1985
        40 permit udp any eq bootpc any eq bootps
        50 permit ip 172.27.31.0 0.0.0.255 host 172.27.10.11
        51 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.69
        52 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.97
        150 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.119
        160 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.85
        161 permit ip 172.27.31.0 0.0.0.63 host 172.27.67.104
        162 permit ip 172.27.31.0 0.0.0.63 host 172.27.67.53
        163 permit ip 172.27.31.0 0.0.0.63 host 172.27.67.110
        164 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.59
        180 permit ip 172.27.31.0 0.0.0.255 host 166.68.85.77
        200 permit ip 172.27.31.0 0.0.0.255 172.27.31.0 0.0.0.255
        210 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.21
        220 permit tcp 172.27.31.0 0.0.0.255 host 172.27.67.95
        230 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.32
        240 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.33
        250 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.45
        260 permit ip 172.27.31.0 0.0.0.255 host 172.27.67.58


    interface Vlan150

    ip access-group VERIZON in


    These are the Cisco access lists; I need to convert them all for Juniper.


    Will you please help me...

    I'm confused about how to use the term parameter in this case.


    Viru



  • 2.  RE: configuring access list on juniper 4600ex

    Posted 08-15-2018 22:46

    Hi,


    The term part of the firewall filter is an identifier, much like the sequence number of the cisco ACL.


    See the Juniper documentation about configuring your filter correctly.

    Example:

      10 deny tcp 172.27.31.0 0.0.0.255 172.27.0.0 0.0.255.255 eq 3389 (15 matches)
    
    set firewall family inet filter verizon term 10 from protocol tcp
    set firewall family inet filter verizon term 10 from source-address 172.27.31.0/24
    set firewall family inet filter verizon term 10 from destination-address 172.27.0.0/16
    set firewall family inet filter verizon term 10 from destination-port 3389
    set firewall family inet filter verizon term 10 then discard


    Tim
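The mapping Tim shows for entry 10 (sequence number becomes the term name, wildcard mask becomes a CIDR prefix, permit/deny becomes accept/discard) is mechanical enough to script. The following Python converter is an added example and is not code from either post or from Juniper; it generalizes the single entry Tim converted to the whole ACL, handling `host`, `any`, the `0.0.0.63` (/26) entries, `ip` versus `tcp`/`udp`, and the `bootpc`/`bootps` port keywords. It also appends an explicit final discard term (both Cisco ACLs and Junos filters drop unmatched traffic implicitly; the explicit term only makes that visible in the config) and emits the interface binding for `Vlan150` on the assumption that the EX4600's routed VLAN interface is `irb.150`. The function names, the `deny-rest` term name and the `irb` assumption are mine, not from the thread.

```python
import ipaddress
import re

# Cisco port keywords seen in the question; the numbers are the standard BOOTP/DHCP ports.
PORT_NAMES = {"bootpc": "68", "bootps": "67"}


def wildcard_to_cidr(addr, wildcard):
    """Turn a Cisco 'address wildcard' pair into the CIDR prefix Junos expects.

    A wildcard bit of 1 means "don't care": 0.0.0.255 is a /24, 0.0.0.63 a /26.
    A non-contiguous wildcard has no single-prefix equivalent, so reject it.
    """
    net = int(ipaddress.IPv4Address(addr))
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # low-order 1-bits are contiguous iff wc+1 is a power of two
        raise ValueError(f"wildcard {wildcard} is not a contiguous mask")
    prefix_len = 32 - wc.bit_length()
    return str(ipaddress.IPv4Network((net & ~wc & 0xFFFFFFFF, prefix_len)))


def _parse_addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (prefix or None, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]}/32", i + 2
    return wildcard_to_cidr(tok[i], tok[i + 1]), i + 2


def _parse_port(tok, i):
    """Consume an optional 'eq PORT' at tok[i]; return (port or None, next index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1], tok[i + 1]), i + 2
    return None, i


def ace_to_term(filter_name, ace):
    """Convert one extended-ACL entry into the 'set' commands for one filter term.

    Sequence number -> term name (Tim's mapping), permit -> accept, deny -> discard.
    Protocol 'ip' adds no protocol match and 'any' adds no address match.
    """
    ace = re.sub(r"\s*\(\d+ match(es)?\)\s*$", "", ace.strip())  # drop hit counters
    tok = ace.split()
    seq, action, proto = tok[0], tok[1], tok[2]
    src, i = _parse_addr(tok, 3)
    src_port, i = _parse_port(tok, i)
    dst, i = _parse_addr(tok, i)
    dst_port, i = _parse_port(tok, i)

    base = f"set firewall family inet filter {filter_name} term {seq}"
    cmds = []
    if proto != "ip":
        cmds.append(f"{base} from protocol {proto}")
    if src:
        cmds.append(f"{base} from source-address {src}")
    if src_port:
        cmds.append(f"{base} from source-port {src_port}")
    if dst:
        cmds.append(f"{base} from destination-address {dst}")
    if dst_port:
        cmds.append(f"{base} from destination-port {dst_port}")
    cmds.append(f"{base} then {'accept' if action == 'permit' else 'discard'}")
    return cmds


def convert_acl(filter_name, acl_text):
    """Convert a whole 'show access-list' body in order, then add an explicit final discard."""
    cmds = []
    for line in acl_text.strip().splitlines():
        line = line.strip()
        if line and line[0].isdigit():  # skip the 'Extended IP access list' header
            cmds.extend(ace_to_term(filter_name, line))
    # Assumed term name; unmatched traffic is dropped either way, this just makes it explicit.
    cmds.append(f"set firewall family inet filter {filter_name} term deny-rest then discard")
    return cmds


def apply_to_vlan(filter_name, vlan_id):
    """'ip access-group X in' on VlanN -> input filter on irb.N (assumed interface naming)."""
    return f"set interfaces irb unit {vlan_id} family inet filter input {filter_name}"


if __name__ == "__main__":
    # A few entries copied from the question above (not constructed).
    ACL = """
Extended IP access list VERIZON
    10 deny tcp 172.27.31.0 0.0.0.255 172.27.0.0 0.0.255.255 eq 3389 (15 matches)
    40 permit udp any eq bootpc any eq bootps
    161 permit ip 172.27.31.0 0.0.0.63 host 172.27.67.104
    200 permit ip 172.27.31.0 0.0.0.255 172.27.31.0 0.0.0.255
"""
    for cmd in convert_acl("verizon", ACL):
        print(cmd)
    print(apply_to_vlan("verizon", 150))
```

Paste the full ACL from the question into `ACL` and the output for term 10 is exactly the five lines in Tim's reply; review the generated config against `show firewall filter` after commit, since the script reproduces whatever the source ACL allows, including its ordering.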