Switching

Dear community !

I need your help to clarify the firewall fitlter on EX to a) protect the RE and B) protect management access

Contrary to M/MX/T serie, I have read some limitation on EX firewall filter on the loopack but I would love to have this answer :

1) When I configure a very basic firewall filter (discard all) on the loopback, it seems the management access is not concerned :

Firewall filter :

set firewall family inet filter ACCESS_CONTROL term 1 then discard

set interfaces lo0.0 family inet input ACCESS_CONTROL

=> OSPF, BGP, or other protocols are correcty dropped. => Good

=> management access the me or vme interface is not dropped => WHY ?

Do I have the configure a filter in all my vlan interface to discard the remote access the the switch (expect for specific subnet ?)

Thank you for your help

Salah

JNCIE-SP 2194

Salah,

In EX series switches, we need to explicity apply firewall filter on management interface , loopback filter will not influence traffic coming to management interface.Management port sits on control plane.

Filter applied on loopback will have all the l3 interfaces included and it will protect routing engine , when  traffic is coming the network ports.

Thanks for your quick reply...

Do you know why EX have this difference ?

--

Salah

Salah,

Not sure, but it is the design by hardware and they have clearly documented 

Unlike some Junos devices, firewall filters
applied to the loopback interface do not affect traffic traversing the management Ethernet interface
(me0)".