Switching

  • 1.  EX firewall discard traffic between 2 IPs in different VLANs

    Posted 07-03-2014 14:08

    I'd like to drop traffic between two network devices which reside on two different vlans.

     

    Junos version: 12.3R6.6

     

    Topology:

     

    Device one (10.0.250.93) on vlan.42 <--> L3 Switch <--> device two (10.0.6.30) on vlan.46

     

    Firewall Config:

     

    family inet {
        filter drop-to-cucm {
            term rule1 {
                from {
                    source-address {
                        10.0.250.93/32;
                    }
                    destination-address {
                        10.0.6.30/32;
                    }
                }
                then {
                    discard;
                }
            }
        }
    }

     

    Then I ran:

    set interfaces vlan unit 42 family inet filter input drop-to-cucm

    {master:1}[edit]
    root@ex3300-vc# commit check

     

    The result is that all traffic on vlan.42 is dropped, instead of just traffic from device one.

     

    I've also tried applying the rule to vlan.46 input, and removing the destination-address 10.0.6.30/32 line with the same result.

     

    I'm obviously making a fundamental mistake understanding how these firewall rules should be applied. Any help is appreciated.

     

    Thanks,

    Steve

     

     

    -------------------------------------------------------

    Edit: Solution provided works, greatly appreciated. For extra clarity, the accept term would be added to the existing firewall filter, as only one filter can be assigned to an interface.



  • 2.  RE: EX firewall discard traffic between 2 IPs in different VLANs
    Best Answer

     
    Posted 07-03-2014 22:40

    If a packet does not match any of the terms of the filter, it is handled by the implicit final term, which discards everything else.

     

    Can you add something like this?

     

    set firewall family inet filter F term LAST then accept

     

    Make sure that this term is the last one after everything that you wanted to deny.

     

     

     

    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
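The complete filter as the accepted answer describes it, assembled here as an added example from the thread's own filter name, addresses and interface (this is not configuration from either poster). The `count` action modifier on the discard term is an addition so the drop can be verified from the CLI; the counter name is made up for this example.

```junos
## Junos configuration-mode (curly-brace) form
firewall {
    family inet {
        filter drop-to-cucm {
            ## Explicit match: device one -> device two across the two VLANs
            term rule1 {
                from {
                    source-address {
                        10.0.250.93/32;
                    }
                    destination-address {
                        10.0.6.30/32;
                    }
                }
                then {
                    count drop-to-cucm-hits;   ## example counter name
                    discard;
                }
            }
            ## Final catch-all: without this, the implicit discard term
            ## drops every other packet entering vlan.42
            term LAST {
                then accept;
            }
        }
    }
}

## Equivalent set-style commands for the same filter and its application
set firewall family inet filter drop-to-cucm term rule1 from source-address 10.0.250.93/32
set firewall family inet filter drop-to-cucm term rule1 from destination-address 10.0.6.30/32
set firewall family inet filter drop-to-cucm term rule1 then count drop-to-cucm-hits
set firewall family inet filter drop-to-cucm term rule1 then discard
set firewall family inet filter drop-to-cucm term LAST then accept
set interfaces vlan unit 42 family inet filter input drop-to-cucm

## Verification from operational mode after commit:
##   show firewall filter drop-to-cucm
## The drop-to-cucm-hits counter should increment only for traffic from
## 10.0.250.93 to 10.0.6.30; all other vlan.42 traffic should still pass.
```

Term order matters: the accept term must remain after every discard term, since Junos evaluates terms top to bottom and stops at the first match.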