[Contents] [Prev] [Next] [Index] [Report an Error]

Address Books and Address Sets Overview

A security zone is a logical group of interfaces with identical security requirements. Each security zone contains an address book. Before you can set up policies between two zones, you must define the addresses for each of the zone's address books. A zone's address book must contain entries for the addressable networks and end hosts (and, thus, users) belonging to the zone.

Understanding Address Books

The following guidelines apply to address books:

An address book for a security zone contains the IP address or domain names of hosts and subnets whose traffic is either allowed, blocked, encrypted, or user-authenticated.
Address books can have address sets. Each address set has a name and a list of address names.
Addresses and address sets in the same zone must have distinct names.
Addresses must conform to the security requirements of the zone.
IP addresses can be configured as IPv4 addresses with the number of prefix bits, or as Domain Name System (DNS) names.
The predefined address any is automatically created for each security zone.
The address book of a security zone must contain all IP addresses that are reachable within that zone.

Policies contain both source and destination zones and addresses. An address is referred to in a policy by the name you give it in its zone's address book.

When traffic is sent to a zone, the zone and address to which the traffic is sent are used as the destination zone and address-matching criteria in policies.
When traffic is sent from a zone, the zone and address from which it is sent are used as the matching source zone and address in policies.

For more information on the address book configuration syntax and options, see the JUNOS Software CLI Reference

Note: Specify addresses as network prefixes in the prefix/length format. For example, 1.2.3.0/24 is an acceptable address book address because it translates to a network prefix. However, 1.2.3.4/24 is not acceptable for an address book because it exceeds the subnet length of 24 bits. Everything beyond the subnet length must be entered as 0 (zero). In special scenarios, you can enter a hostname because it can use the full 32-bit address length.

Understanding Address Sets

An address book can grow to contain large numbers of addresses and become difficult to manage. To manage an address book with large numbers of addresses, you can create groups of addresses called address sets. You can reference an address set in a policy as you would an individual address book entry.

The following example shows addresses and address sets in the green zone:



user@host# set security zones security-zone green address-book
address src_addr1 64.10.4.44/32

user@host# set security zones security-zone green address-book
address src_addr2 64.10.9.28/32

user@host# set security zones security-zone green address-book
address src_addr3 10.10.10.10/24

user@host# set security zones security-zone green address-book
address bbc dns-name www.bbc.com

user@host# set security zones security-zone green address-book
address-set my_source_addresses address src_addr1

user@host# set security zones security-zone green address-book
address-set my_source_addresses address src_addr2

user@host# set security zones security-zone green address-book
address-set my_source_addresses address src_addr3

For more information on the address set configuration syntax and options, see the JUNOS Software CLI Reference

Note: Consider that for each address set, the system creates individual rules for its members. It creates an internal rule for each member in the group as well as for each service configured for each user. If you configure address books without taking this into account, you can exceed the number of available policy resources, especially if both the source and destination addresses are address groups and the specified service is a service group.

When you add addresses to policies, sometimes the same subset of addresses can be present in multiple policies, making it difficult to manage how policies affect each address entry. JUNOS software allows you to create groups of addresses called address sets. Address sets simplify the process by allowing you to add multiple addresses within an address set and therefore manage a small number of address sets, rather than manage a large number of individual address entries. See Figure 15.

Figure 15: Address Sets

Image Add_group.gif

The address set option has the following features:

You can create address sets in any zone.
You can create address sets with existing users, or you can create empty address sets and later fill them with users.

You can reference an address set entry in a policy like an individual address book entry.

Note: JUNOS software applies policies automatically to each address set member, so you do not have to create them one by one for each address. Furthermore, JUNOS software writes these policies to ASIC, which makes lookups run very fast.

When you delete an individual address book entry from the address book, you must remove the address (wherever it is referred) from all the address sets.

The following constraints apply to address sets:

To configure an address set, you need more than an address in the address book.
Address sets can only contain address names that belong to the same security zone.
Address names cannot be the same as address set names. For example, if the name Paris is used for an address in an individual address entry, it cannot be used for an address set name.
If an address set is referenced in a policy, the address set cannot be removed without removing its reference in the policy. It can, however, be edited.
You cannot add the predefined address any to an address book.

[Contents] [Prev] [Next] [Index] [Report an Error]