Routing


Cisco ACL Config to Juniper ACL Config (Migration)

  • 1.  Cisco ACL Config to Juniper ACL Config (Migration)

    Posted 09-03-2019 02:33

    Hi all!

    My customer wants to change a Cisco router to a Juniper MX480.

    However, I don't know the difference between Cisco's ACL standard and extended.

    !
    ip access-list standard CISCO
    permit 17.17.17.0 0.0.0.255
    permit 217.217.217.0 0.0.0.255
    !
    ip access-list extended CISCO-BLOCK
    permit ip host 17.17.17.0 host 255.255.255.0
    permit ip host 217.217.217.0 host 255.255.255.0
    !

    Question 1: How can I migrate the above Cisco ACL config to Juniper config?

    Please let me know the Juniper configuration, and I want to know exactly what the difference is.

    Thanks in advance 😄


    #cisco
    #FirewallFilter
    #ACL
    #Juniper


  • 2.  RE: Cisco ACL Config to Juniper ACL Config (Migration)

    Posted 09-03-2019 02:51

    Hi Charlies,

    A standard ACL filters only on the source address, whereas an extended ACL uses the five-tuple, i.e.:

    • Source IP address
    • Destination IP address
    • TCP/UDP Source port
    • TCP/UDP Destination port
    • Protocol ID

    Equivalent configuration in Juniper:

    firewall {
        family {
            inet {
                filter CISCO {
                    term T1 {
                        from {
                            source-address {
                                17.17.17.0/24;
                                217.217.217.0/24;
                            }
                        }
                        then {
                            accept;
                        }
                    }
                }
                filter CISCO-BLOCK {
                    term T1 {
                        from {
                            source-address {
                                17.17.17.0/32;
                                217.217.217.0/32;
                            }
                            destination-address {
                                255.255.255.0/32;
                            }
                        }
                        then {
                            accept;
                        }
                    }
                }
            }
        }
    }

    Use I2J. It's a translation tool that translates IOS configuration to Junos.

    https://i2j.juniper.net/release/index.jsp

    Thanks,
    Pradeep
    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too!!!


  • 3.  RE: Cisco ACL Config to Juniper ACL Config (Migration)

    Posted 09-03-2019 16:33
    Hi Pradeep and all,

    I know the I2J site and have already converted the configuration.

    Question 1: Is the above config correct?
    If it is, what is the purpose of the CISCO-BLOCK ACL? I DON'T UNDERSTAND CISCO-BLOCK's purpose.

    Thanks in Advance,
    #Migration
    #Juniper
    #FirewallFilter
    #cisco
    #ACL


  • 4.  RE: Cisco ACL Config to Juniper ACL Config (Migration)

    Posted 09-03-2019 18:25
    Let us know where you applied the above ACL in Cisco.


  • 5.  RE: Cisco ACL Config to Juniper ACL Config (Migration)

    Posted 09-03-2019 20:16

    Hi Nellikka and All,

    Thanks for your answer!

    Here is the Cisco configuration.

    !
    route-map CONN-BGP permit 20
    match ip address CISCO
    set origin igp
    set community 5005:20

    !
    route-map STATIC-BGP permit 10
    match ip address CISCO-BLOCK
    set origin igp
    set community 5005:0 5005:20000 5005:20050
    !
    Thanks in Advance,


    #Juniper
    #FirewallFilter
    #ACL
    #cisco


  • 6.  RE: Cisco ACL Config to Juniper ACL Config (Migration)

    Posted 09-03-2019 21:01

    ip access-list extended CISCO-BLOCK
    permit ip host 17.17.17.0 host 255.255.255.0
    permit ip host 217.217.217.0 host 255.255.255.0

    The extended ACL CISCO-BLOCK is used to filter the IP prefixes 17.17.17.0 and 217.217.217.0 with the specific prefix length /24.
    When an extended ACL is used to filter IP prefixes, the source matches the prefix (17.17.17.0, 217.217.217.0) and the destination matches the prefix length (/24 in this case).
    So in the above config, the source requires a match on all 32 bits (17.17.17.0) and the destination also requires a match on all 32 bits (255.255.255.0).

    When you use a standard ACL to filter prefixes, it will check/match only the prefix and will not check the prefix length.

    ip access-list standard CISCO
    permit 17.17.17.0 0.0.0.255
    permit 217.217.217.0 0.0.0.255

    In this case, the above ACL checks only the prefixes 17.17.17.0 and 217.217.217.0. The prefix length can be anything like /24, /25, /26, /27, /28, etc.
    It can match any of the prefixes/routes given below:
    17.17.17.0/24
    17.17.17.0/25
    17.17.17.0/26
    17.17.17.0/27
    17.17.17.0/30
    .....
    217.217.217.0/24
    217.217.217.0/25
    217.217.217.0/26
    .....

    So use an extended ACL if you want to filter a prefix with a specific prefix length.

  • 7.  RE: Cisco ACL Config to Juniper ACL Config (Migration)
    Best Answer

    Posted 09-05-2019 21:50

    Hi,

    If I understand this correctly, you have this extended ACL called in a route-map which is used in the BGP import policy, for control-plane filtering.

    In that case, direct conversion of ACLs between Cisco and Juniper is not feasible.

    You need to write a policy in place of a firewall filter (the Junos term for an ACL).


    set policy-options policy-statement BGP-import term CONN from route-filter x.x.x.x/y exact
    set policy-options policy-statement BGP-import term CONN then origin igp
    set policy-options policy-statement BGP-import term CONN then community set COM1
    set policy-options policy-statement BGP-import term CONN then accept
    set policy-options policy-statement BGP-import term STATIC from route-filter z.z.z.z/y exact
    set policy-options policy-statement BGP-import term STATIC then community set COM2
    set policy-options policy-statement BGP-import term STATIC then community add COM3
    set policy-options policy-statement BGP-import term STATIC then community add COM4
    set policy-options policy-statement BGP-import term STATIC then accept

    set policy-options community COM1 members 5005:20
    set policy-options community COM2 members 5005:0
    set policy-options community COM3 members 5005:20000
    set policy-options community COM4 members 5005:20050


    Please let me know if you need any further help.
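To make the route-map matching semantics explained in reply 6 and the route-filter terms suggested in reply 7 concrete, here is an added Python model (not from the thread, not from I2J or any vendor tool) that applies both ACLs from the original post and the corresponding Junos route-filter match types to a set of constructed sample prefixes. It shows that CISCO-BLOCK behaves like `route-filter 17.17.17.0/24 exact`, while the standard CISCO ACL behaves like `orlonger` on the same prefix; the sample route list, `JUNOS_PREFIXES` and the function names are the example's own.

```python
import ipaddress

# Constructed sample routes (not from the thread) to exercise both matchers.
ROUTES = ["17.17.17.0/24", "17.17.17.0/25", "17.17.17.128/25",
          "17.17.16.0/23", "217.217.217.0/24", "217.217.0.0/16", "10.0.0.0/8"]

# The thread's ACLs: standard = (address, wildcard); extended = source and destination pairs.
CISCO = [("17.17.17.0", "0.0.0.255"), ("217.217.217.0", "0.0.0.255")]
CISCO_BLOCK = [("17.17.17.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
               ("217.217.217.0", "0.0.0.0", "255.255.255.0", "0.0.0.0")]
JUNOS_PREFIXES = ["17.17.17.0/24", "217.217.217.0/24"]  # assumed route-filter prefixes

def _wildcard_match(value, address, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (value ^ int(ipaddress.ip_address(address))) & care == 0

def standard_acl_matches(entries, route):
    """'match ip address <standard ACL>': only the route's network address is tested."""
    net = int(route.network_address)
    return any(_wildcard_match(net, addr, wild) for addr, wild in entries)

def extended_acl_matches(entries, route):
    """'match ip address <extended ACL>': source tests the network address, destination the mask."""
    net, mask = int(route.network_address), int(route.netmask)
    return any(_wildcard_match(net, sa, sw) and _wildcard_match(mask, da, dw)
               for sa, sw, da, dw in entries)

def route_filter_matches(prefix, match_type, route):
    """Junos 'route-filter <prefix> exact|orlonger' evaluated against one route."""
    base = ipaddress.ip_network(prefix)
    if match_type == "exact":
        return route == base
    if match_type == "orlonger":
        return route.subnet_of(base)
    raise ValueError(f"unsupported match type: {match_type}")

def compare(routes=ROUTES):
    """Per route: Cisco standard/extended verdicts beside the Junos route-filter verdicts."""
    result = {}
    for r in routes:
        route = ipaddress.ip_network(r)
        result[r] = {
            "standard": standard_acl_matches(CISCO, route),
            "extended": extended_acl_matches(CISCO_BLOCK, route),
            "rf_exact": any(route_filter_matches(p, "exact", route) for p in JUNOS_PREFIXES),
            "rf_orlonger": any(route_filter_matches(p, "orlonger", route) for p in JUNOS_PREFIXES),
        }
    return result
```

Calling `compare()` returns, for every sample prefix, the standard and extended ACL verdicts next to the `exact` and `orlonger` verdicts, so the two columns that agree show which Junos match type each Cisco ACL corresponds to.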