Switching

Hi everyone,

I have configure my juniper ex2200 with vlans id 2, 3, 4 for routing to internet trought my firewall like this image

Now my problem is to block access between vlans.

For example a pc in vlan 2 can access to a pc in vlan 3...So i should want to add fireall filter on juniper ex2200 to block this accesses and permit internet navigation through firewall.

Can anyone help me?

You will need a filter on each VLAN and deny packets between every subnet. For instance. I have 3 vlans:

v1 {
    vlan-id 1;
    filter {
        input filter_v1;
    }
    l3-interface vlan.1;
}
v2 {
    vlan-id 2;
    l3-interface vlan.2;
}
v3 {
    vlan-id 3;
    l3-interface vlan.3;
}

each with its own RVI:

unit 1 {
    family inet {
        address 192.168.1.1/24;
    }
}
unit 2 {
    family inet {
        address 192.168.2.1/24;
    }
}
unit 3 {
    family inet {
        address 192.168.3.1/24;
    }
}

You can configure a filter with multiple terms to deny traffic between the subnets and apply it on VLAN level.

For instance, this is a filter that is denying the traffic between 192.168.1.0/24 and 192.168.2.0/24. The filter is applied at vlan level for vlan v1 as shown above.

term 1 {
    from {
        source-address {
            192.168.1.0/24;
        }
        destination-address {
            192.168.2.0/24;
        }
    }
    then {
        discard;
        count v1_to_v2;
    }
}
term 2 {
    from {
        source-address {
            192.168.1.0/24;
        }
        destination-address {
            192.168.3.0/24;
        }
    }
    then {
        discard;
        count v1_to_v3;
    }
}
term 3 {
    then accept;

You will need to adapt the filters for your subnets and create for each vlan a filter.

=====

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

Hi Parau,

i test your configuration for 1 vlan, but i have a new problem.

This is my configuration of vlans:

vlans {
vlan1 {
description "Test Filter";
vlan-id 2;
filter {
input filter_vlan_Internet;
}
l3-interface vlan.1;
}
default {
description Dati;
l3-interface vlan.0;
}
}

RVI configuration:

vlan {
unit 0 {
family inet {
address 192.168.1.1/24;
}
}
unit 1 {
family inet {
address 192.168.2.2/24;
}
}
}

My firewall configuration:

firewall {
family ethernet-switching {
filter filter_vlan_Internet {
term "Term 1" {
from {
source-address {
92.168.1.0/24;
}
destination-address {
192.168.2.1/32;
}
}
then discard;
}
}
}
}

If you look in "Term 1" i filter for test only one destination address, because some ip of that subnet must be reachable from subnet 192.168.1.0/24.

Unfortunately when i commit this configuration, i can't reach any ip of subnet 192.168.2.0/24 and not only the 192.168.2.1.

Where am i wrong?

Add another term that allows any other traffic. The new term should come after term "Term 1".

=====

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

It works!!! 

Thanks, you are the best!!!