Understanding Address Sets

An address book can grow to contain large numbers of addresses and become difficult to manage. To manage an address book with large numbers of addresses, you can create groups of addresses called address sets. You can reference an address set in a policy as you would an individual address book entry.

The following example shows addresses and address sets in the green zone:

address-book {
    address src_addr1 64.10.4.44/32;
    address src_addr2 64.10.9.28/32;
    address src_addr3 10.10.10.0/24;
    address src_addr4 fa:43::/96;
    address src_addr5 fe80::210:dbff:feff:1000/64;
    address src_addr6 0001:db8:1::1/127;
    address bbc {
        dns-name www.bbc.com;
    }
    address-set my_source_addresses {
        address src_addr1;
        address src_addr2;
        address src_addr3;
        address src_addr4;
        address src_addr5;
        address src_addr6;
    }
}

For more information on the address set configuration syntax and options, see the JUNOS Software CLI Reference.

Note: Consider that for each address set, the system creates individual rules for its members. It creates an internal rule for each member in the group as well as for each service configured for each user. If you configure address books without taking this into account, you can exceed the number of available policy resources, especially if both the source and destination addresses are address groups and the specified service is a service group.

When you add addresses to policies, sometimes the same subset of addresses can be present in multiple policies, making it difficult to manage how policies affect each address entry. JUNOS Software allows you to create groups of addresses called address sets. Address sets simplify the process by allowing you to add multiple addresses within an address set and therefore manage a small number of address sets, rather than manage a large number of individual address entries. See Figure 9.

The address set option has the following features:

• You can create address sets in any zone.
• You can create address sets with existing users, or you can create empty address sets and later fill them with users.
• You can reference an address set entry in a policy like an individual address book entry.

  Note: JUNOS Software applies policies automatically to each address set member, so you do not have to create them one by one for each address. Furthermore, JUNOS Software writes these policies to ASIC, which makes lookups run very fast.

• When you delete an individual address book entry from the address book, you must remove the address (wherever it is referred) from all the address sets.

The following constraints apply to address sets:

• To configure an address set, you need more than an address in the address book.
• Address sets can only contain address names that belong to the same security zone.
• Address names cannot be the same as address set names. For example, if the name Paris is used for an address in an individual address entry, it cannot be used for an address set name.
• If an address set is referenced in a policy, the address set cannot be removed without removing its reference in the policy. It can, however, be edited.
• You cannot add the predefined address any to an address book.

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• Security Policy Address Books and Address Sets Overview
• Understanding Address Books
• Example: Configuring Address Books
• Example: Configuring Schedulers (CLI)