Dynamic Prefix Lists

Dynamic prefix lists are a handy way to add firewall rules to your Juniper equipment. Prefix lists can make use of ‘apply-path’ which allows you to glob parts of the configuration. As an example, you can create a firewall term that uses a prefix list that automatically includes all BGP peers. This will let you firewall off the routing engine and make future changes very easy (no need to manually add firewall rules for new BGP peers).

Here is a list of prefix lists I commonly use. You can change the naming to whatever you like; I prefer to use the naming format “Dynamic-Name-Protocol” so that at a glance you know these are generated with an apply-path.

If you would like to make use of these prefix lists you can load them into your existing configuration using the command “load merge terminal relative” when you are editing “policy-options”.

An example firewall term that makes use of dynamic prefix lists to allow RADIUS traffic to the configured RADIUS servers:
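The following is an added example (not the original post's own configuration) of such a term: a loopback filter that accepts UDP replies from whichever RADIUS servers are configured under `system radius-server`, using a prefix list built with apply-path. The filter and term names, and the sample server addresses, are assumptions made for the example.

```junos
/* Assumed RADIUS servers; the prefix list below is built from these */
system {
    radius-server {
        192.0.2.10 secret "$9$placeholder";
        192.0.2.11 secret "$9$placeholder";
    }
}
policy-options {
    prefix-list Dynamic-RADIUS-Servers {
        /* Expands to 192.0.2.10/32 and 192.0.2.11/32 with the config above */
        apply-path "system radius-server <*>";
    }
}
firewall {
    family inet {
        filter Protect-RE {
            term Allow-RADIUS {
                from {
                    source-prefix-list {
                        Dynamic-RADIUS-Servers;
                    }
                    protocol udp;
                    /* 1812 = authentication, 1813 = accounting; replies come from these ports */
                    source-port [ 1812 1813 ];
                }
                then accept;
            }
            /* Place terms for your other management and routing traffic before this one */
            term Default-Discard {
                then {
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input Protect-RE;
                }
            }
        }
    }
}
```

Adding or removing a `radius-server` entry changes the prefix list at the next commit, so the filter needs no further edits. The final discard term is there to show the usual shape of a routing-engine filter; it will drop anything not matched by an earlier term, so commit it only after the terms for BGP, SSH, DNS, NTP and the rest are in place.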

If you would like to see exactly what the prefix list is expanding out to, use the show command and pipe it to ‘display inheritance’:
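An added example (not output from the original post) of what that looks like for a BGP neighbor list. The prefix-list name, the two neighbor addresses and the resulting expansion are constructed for illustration; Junos prints the expanded entries as `##` comments above the apply-path statement.

```junos
user@router> show configuration policy-options prefix-list Dynamic-BGP-Neighbors | display inheritance
prefix-list Dynamic-BGP-Neighbors {
    ##
    ## apply-path was expanded to:
    ##     192.0.2.1/32;
    ##     2001:db8::1/128;
    ##
    apply-path "protocols bgp group <*> neighbor <*>";
}
```

Checking the expansion this way before referencing a list in an accept term is worthwhile: the wildcard matches every value at that position in the configuration, so a list can contain more than you expect (for instance both IPv4 and IPv6 neighbors, as above). When a mixed list is referenced from a `family inet` filter, only the IPv4 entries are used and Junos warns about the ignored IPv6 entries at commit time.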

BGP Neighbors

These prefix lists will match any BGP neighbors.

If you have a separate routing instance, you can add “routing-instances NAME” to the front of the apply path to match BGP peers for that routing instance, e.g. for the routing instance IPSEC:
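An added example (not the original post's configuration) showing both forms side by side with a small BGP configuration, so it is clear which neighbors land in which list. The group names, neighbor addresses and the second prefix-list name are assumptions; the routing instance is called IPSEC as in the text.

```junos
/* Assumed BGP configuration used to illustrate the expansion */
protocols {
    bgp {
        group Transit {
            neighbor 192.0.2.1;
            neighbor 2001:db8::1;
        }
        group Peering {
            neighbor 198.51.100.7;
        }
    }
}
routing-instances {
    IPSEC {
        instance-type virtual-router;
        protocols {
            bgp {
                group Tunnels {
                    neighbor 10.0.0.2;
                }
            }
        }
    }
}
policy-options {
    /* Default instance only: 192.0.2.1/32, 2001:db8::1/128, 198.51.100.7/32 */
    prefix-list Dynamic-BGP-Neighbors {
        apply-path "protocols bgp group <*> neighbor <*>";
    }
    /* Routing instance IPSEC only: 10.0.0.2/32 */
    prefix-list Dynamic-BGP-Neighbors-IPSEC {
        apply-path "routing-instances IPSEC protocols bgp group <*> neighbor <*>";
    }
}
```

Replacing `IPSEC` with `<*>` in the second apply-path would collect the neighbors of every routing instance into one list, which is convenient but loses the ability to write per-instance firewall terms.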

DNS Servers

These prefix lists will match any resolvers configured for DNS lookups.

NTP Servers

These prefix lists will match any configured NTP servers.
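An added example (not from the original post) that covers the DNS and NTP sections together and shows the `load merge terminal relative` method from the introduction. The session below is typed while positioned at `[edit policy-options]`; the prompt, the prefix-list names and the sample server addresses are assumptions.

```junos
[edit system]
user@router# show name-server
192.0.2.53;
2001:db8::53;

[edit system]
user@router# show ntp
server 192.0.2.123;
server 198.51.100.123 prefer;

[edit system]
user@router# top edit policy-options

[edit policy-options]
user@router# load merge terminal relative
[Type ^D at a new line to end input]
/* Resolvers from "system name-server": 192.0.2.53/32 and 2001:db8::53/128 */
prefix-list Dynamic-DNS-Servers {
    apply-path "system name-server <*>";
}
/* NTP servers from "system ntp server": 192.0.2.123/32 and 198.51.100.123/32 */
prefix-list Dynamic-NTP-Servers {
    apply-path "system ntp server <*>";
}
^D
load complete
```

The `relative` keyword is what lets the pasted text omit the enclosing `policy-options { ... }` block; without it the same text would be merged at the top of the hierarchy and fail to parse. The `prefer` flag on an NTP server is an attribute of the `server` statement, not part of the address, so it does not affect the expansion.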

SNMP Clients

To make use of this you MUST define the clients as part of the SNMP configuration. As an example, your SNMP configuration should look like this:

These prefix lists will match any configured SNMP clients.
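An added example (not the original post's configuration) of an SNMP configuration that satisfies that requirement, and the prefix list that collects the clients from it. The community name, client-list name and addresses are assumptions; both the inline `clients` form and the `client-list` form are shown because either keeps the client addresses inside the SNMP configuration where an apply-path can reach them.

```junos
snmp {
    /* Form 1: clients listed directly under the community */
    community monitoring-ro {
        authorization read-only;
        clients {
            192.0.2.0/24;
            198.51.100.10/32;
        }
    }
    /* Form 2: a named client list referenced by the community */
    client-list NMS-Hosts {
        203.0.113.20/32;
        203.0.113.21/32;
    }
    community monitoring-rw {
        authorization read-write;
        client-list-name NMS-Hosts;
    }
}
policy-options {
    /* Expands to 192.0.2.0/24 and 198.51.100.10/32 */
    prefix-list Dynamic-SNMP-Clients {
        apply-path "snmp community <*> clients <*>";
    }
    /* Expands to 203.0.113.20/32 and 203.0.113.21/32 */
    prefix-list Dynamic-SNMP-Client-Lists {
        apply-path "snmp client-list <*> <*>";
    }
}
```

One thing to check before using either list in an accept term: a community that carries a catch-all entry such as `0.0.0.0/0 restrict;` still matches the wildcard, so `0.0.0.0/0` ends up in the prefix list and the firewall term would accept SNMP from anywhere. Viewing the list with `display inheritance` after every SNMP change is the quick way to catch this.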

RADIUS Servers

These prefix lists will match any configured RADIUS servers (used for system authentication for example).