Dynamic Prefix Lists - Sys Admin Blog

Dynamic prefix lists are a handy way to add firewall rules to your Juniper equipment. Prefix lists can make use of ‘apply-path’ which allows you to glob parts of the configuration. As an example, you can create a firewall term that uses a prefix list that automatically includes all BGP peers. This will let you firewall off the routing engine and make future changes very easy (no need to manually add firewall rules for new BGP peers).

Here is a list of prefix lists I commonly use. You can change the naming to what ever you like, I prefer to use the naming format “Dynamic-Name-Protocol” so that at a glance you know these are generated with an apply-path.

If you would like to make use of these prefix lists you can load them into your existing configuration using the command “load merge terminal relative” when you are editing “policy-options”.

An example firewall term that makes use of dynamic prefix lists to allow RADIUS traffic to the configured RADIUS servers:

/* Allow RADIUS traffic from RADIUS servers for authentication */
term RADIUS {
    from {
        source-prefix-list {
            Dynamic-RADIUS-IPv4;
        }
        protocol udp;
        source-port [ radacct radius ];
    }
    then accept;
}

If you would like to see exactly what the prefix list is expanding out to, use the show command and pipe it to ‘display inheritance’:

[edit policy-options prefix-list Dynamic-BGP-IPv4]
me@router# show | display inheritance
## apply-path was expanded to:
##     192.168.1.1/32;
##     192.168.1.2/32;
##
apply-path "protocols bgp group <*> neighbor <*.*>";

BGP Neighbors

These prefix lists will match any BGP neighbors.

/* Dynamic Prefix List - BGP neighbors - IPv4 */
prefix-list Dynamic-BGP-IPv4 {
    apply-path "protocols bgp group <*> neighbor <*.*>";
}
/* Dynamic Prefix List - BGP neighbors - IPv6 */
prefix-list Dynamic-BGP-IPv6 {
    apply-path "protocols bgp group <*> neighbor <*:*>";
}

If you have a seperate routing instance, you can add “routing-instances NAME” to the front of the apply path to match BGP peers for that routing instance, eg. for the routing instance IPSEC:

/* Dynamic Prefix List - BGP Neighbors (IPSEC routing instance) - IPv4 */
prefix-list Dynamic-BGP-IPSEC-IPv4 {
    apply-path "routing-instances IPSEC protocols bgp group <*> neighbor <*.*>";
}
/* Dynamic Prefix List - BGP Neighbors (IPSEC routing instance) - IPv6 */
prefix-list Dynamic-BGP-IPSEC-IPv6 {
    apply-path "routing-instances IPSEC protocols bgp group <*> neighbor <*:*>";
}

DNS Servers

These prefix lists will match any resolvers configured for DNS lookups.

/* Dynamic Prefix List - DNS servers to use for lookups - IPv4 */
prefix-list Dynamic-DNS-IPv4 {
    apply-path "system name-server <*.*>";
}
/* Dynamic Prefix List - DNS servers to use for lookups - IPv6 */
prefix-list Dynamic-DNS-IPv6 {
    apply-path "system name-server <*:*>";
}

NTP Servers

These prefix lists will match any configured NTP servers.

/* Dynamic Prefix List - NTP servers - IPv4*/
prefix-list Dynamic-NTP-IPv4 {
    apply-path "system ntp server <*.*>";
}
/* Dynamic Prefix List - NTP servers - IPv6 */
prefix-list Dynamic-NTP-IPv6 {
    apply-path "system ntp server <*:*>";
}

SNMP Clients

To make use of this you MUST define the clients as part of the SNMP configuration. As an example, your SNMP configuration should look like this:

snmp {
    community My-RO-Community {
        authorization read-only;
        /* These clients are allowed to access this SNMP community. Firewall rules will be automatically added. */
        clients {
            /* A SNMP client */
            192.168.1.1/32;
        }
    }
}

These prefix lists will match any configured SNMP clients.

/* Dynamic Prefix List - SNMP clients - IPv4 */
prefix-list Dynamic-SNMP-IPv4 {
    apply-path "snmp community <*> clients <*.*>";
}
/* Dynamic Prefix List - SNMP clients - IPv6 */
prefix-list Dynamic-SNMP-IPv6 {
    apply-path "snmp community <*> clients <*:*>";
}

RADIUS Servers

These prefix lists will match any configured RADIUS servers (used for system authentication for example).

/* Dynamic Prefix List - RADIUS servers used for authentication - IPv4 */
prefix-list Dynamic-RADIUS-IPv4 {
    apply-path "system radius-server <*.*>";
}
/* Dynamic Prefix List - RADIUS servers used for authentication - IPv6 */
prefix-list Dynamic-RADIUS-IPv6 {
    apply-path "system radius-server <*:*>";
}