[Contents] [Prev] [Next] [Index] [Report an Error]

Understanding Address Sets

An address book can grow to contain large numbers of addresses and become difficult to manage. To manage an address book with large numbers of addresses, you can create groups of addresses called address sets. You can reference an address set in a policy as you would an individual address book entry.

The following example shows addresses and address sets in the green zone:



user@host# set security zones security-zone green address-book
address src_addr1 64.10.4.44/32

user@host# set security zones security-zone green address-book
address src_addr2 64.10.9.28/32

user@host# set security zones security-zone green address-book
address src_addr3 10.10.10.10/24

user@host# set security zones security-zone green address-book
address bbc dns-name www.bbc.com

user@host# set security zones security-zone green address-book
address-set my_source_addresses address src_addr1

user@host# set security zones security-zone green address-book
address-set my_source_addresses address src_addr2

user@host# set security zones security-zone green address-book
address-set my_source_addresses address src_addr3

For more information on the address set configuration syntax and options, see the JUNOS Software CLI Reference

Note: Consider that for each address set, the system creates individual rules for its members. It creates an internal rule for each member in the group as well as for each service configured for each user. If you configure address books without taking this into account, you can exceed the number of available policy resources, especially if both the source and destination addresses are address groups and the specified service is a service group.

When you add addresses to policies, sometimes the same subset of addresses can be present in multiple policies, making it difficult to manage how policies affect each address entry. JUNOS software allows you to create groups of addresses called address sets. Address sets simplify the process by allowing you to add multiple addresses within an address set and therefore manage a small number of address sets, rather than manage a large number of individual address entries. See Figure 136.

Figure 136: Address Sets

Image Add_group.gif

The address set option has the following features:

You can create address sets in any zone.
You can create address sets with existing users, or you can create empty address sets and later fill them with users.

You can reference an address set entry in a policy like an individual address book entry.

Note: JUNOS software applies policies automatically to each address set member, so you do not have to create them one by one for each address. Furthermore, JUNOS software writes these policies to ASIC, which makes lookups run very fast.

When you delete an individual address book entry from the address book, you must remove the address (wherever it is referred) from all the address sets.

The following constraints apply to address sets:

To configure an address set, you need more than an address in the address book.
Address sets can only contain address names that belong to the same security zone.
Address names cannot be the same as address set names. For example, if the name Paris is used for an address in an individual address entry, it cannot be used for an address set name.
If an address set is referenced in a policy, the address set cannot be removed without removing its reference in the policy. It can, however, be edited.
You cannot add the predefined address any to an address book.

[Contents] [Prev] [Next] [Index] [Report an Error]