Switching

  • 1.  Filters or not?

    Posted 02-15-2013 01:27

    Hi all, I've tried to find a solution by myself, but without success. I'm not so good at network management. I hope to find some answers here 🙂

     

    Topology: Juniper EX4200. I have users (production team) that are connected to the Juniper's ports, users (managers) that are connected to a cheap 1 Gb switch which is itself connected to the Juniper, and a server that is connected to the Juniper.

     

    Goal: The server has to be accessible to all users. But I want to avoid traffic collision between the managers and the production team. I mean they shouldn't have access to each other.

     

    I've tried to create a firewall filter that discards all packets not destined to the server. I assigned this filter to the port the managers are connected to. I've tried to use the destination address as the criterion to discard all useless packets. But it doesn't work.

     

    /* A bare 'filter' under 'firewall' is a family inet filter: it matches IPv4 only
       and belongs on a Layer 3 interface such as an RVI. On a Layer 2 access port the
       equivalent is a family ethernet-switching filter using ip-destination-address. */
    filter PublicServer {
        /* Discard every IPv4 packet whose destination is NOT the server: match all
           destinations (0.0.0.0/0) and carve the server's address out with 'except'.
           Matching a single host such as 1.1.1.1/32 here would only discard traffic to
           that one host and let everything else through. */
        term t1 {
            from {
                destination-address {
                    0.0.0.0/0;
                    192.168.0.100/32 except;
                }
            }
            then discard;
        }
        /* Whatever is left, i.e. traffic to 192.168.0.100, is accepted. */
        term t2 {
            then accept;
        }
    }

     

    Also I'm not sure about the approach. Should I use firewall or filter based forwarding or create different vlans and configure routing between vlans or etc?

     

    Any help will be appreciated. Many thanks.

     



  • 2.  RE: Filters or not?

    Posted 02-15-2013 09:37

    Keep it simple.

     

    How about 3 VLANs?  One for your production team (VLAN A), one for the managers (VLAN B), and one for the server(s) (VLAN C)?

     

    Create ACLs (filters) as such:

     

    VLAN A -> VLAN C -- permit traffic

    VLAN B -> VLAN C -- permit traffic

     

    (possibly also VLAN C back to VLANs A and B, depending on your needs).

     

    Any A <-> B traffic should be denied.

     



  • 3.  RE: Filters or not?

    Posted 02-17-2013 21:20

    Hi Keithr,

     

    Thank you for your reply, just a couple of questions.

     

    1. Before creating the ACLs, should I set up routing between the VLANs through an RVI?

     

    2. Then create a firewall filter that will be assigned to the VLAN (not to an interface)?

     

    Many thanks!



  • 4.  RE: Filters or not?
    Best Answer

    Posted 02-18-2013 08:59

    As Keithr suggests, creating separate VLANs seems to be what will accomplish what you are trying to do. There will be very few collisions on the switch (each port is its own collision domain) between the users. But creating the VLANs will separate the broadcast domains of the different groups, and there will be no further communication between them unless you configure other means such as an RVI. But as you know, Juniper is quite flexible (from simple to complex 🙂), right! It depends on the network you have and what level of configuration/reconfiguration you want to do.

    If all the users reside on the same subnet and you do not want to create separate subnets and reconfigure IP addresses, then you could go a little more fancy and configure PVLANs (private VLANs). This would accomplish exactly what you want, with the ability to restrict routing between the VLANs while still providing both groups access to the server. And if your needs further demand it, you can get even more restrictive.

    I don't think filter-based forwarding would be the solution here; it is mainly used to forward traffic to, say, a different ISP based on source or any other criteria you specify in the filter. I am sure it can be used, but it would seem to require a lot more complex configuration.

    The more I think about it, the more I believe PVLAN is what you are looking for. You may have to get someone to help you design and implement that strategy. It requires more knowledge of your network and configurations.
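A worked Junos configuration for the three-VLAN design proposed in reply 2 and endorsed in reply 4, answering the two questions in reply 3 (routing between the VLANs is done with RVIs, and the filters are attached to the RVIs as family inet input filters rather than to access ports). This is an added example, not configuration from anyone in the thread; the VLAN IDs, subnets, port numbers and filter names are assumptions chosen for illustration.

```junos
/* Three VLANs, one per group; each l3-interface (RVI) is that group's default gateway. */
vlans {
    production { vlan-id 10; l3-interface vlan.10; }
    managers   { vlan-id 20; l3-interface vlan.20; }
    servers    { vlan-id 30; l3-interface vlan.30; }
}
interfaces {
    /* Access ports (port numbers are assumed). ge-0/0/10 is the uplink to the
       unmanaged 1G switch, so every manager PC behind it lands in VLAN 20. */
    ge-0/0/1  { unit 0 { family ethernet-switching { port-mode access; vlan { members production; } } } }
    ge-0/0/10 { unit 0 { family ethernet-switching { port-mode access; vlan { members managers; } } } }
    ge-0/0/20 { unit 0 { family ethernet-switching { port-mode access; vlan { members servers; } } } }
    /* RVIs (subnets are assumed). The filters are input filters on the two user-facing
       RVIs, so they see routed traffic as it leaves each user VLAN. */
    vlan {
        unit 10 {
            family inet {
                filter { input from-production; }
                address 192.168.10.1/24;
            }
        }
        unit 20 {
            family inet {
                filter { input from-managers; }
                address 192.168.20.1/24;
            }
        }
        unit 30 {
            family inet {
                address 192.168.30.1/24;
            }
        }
    }
}
firewall {
    family inet {
        /* Production: servers allowed, managers dropped, everything else
           (for example a default route to the Internet) left open. */
        filter from-production {
            term to-servers {
                from { destination-address { 192.168.30.0/24; } }
                then accept;
            }
            term no-managers {
                from { destination-address { 192.168.20.0/24; } }
                then discard;
            }
            term everything-else {
                then accept;
            }
        }
        /* Managers: the mirror image. */
        filter from-managers {
            term to-servers {
                from { destination-address { 192.168.30.0/24; } }
                then accept;
            }
            term no-production {
                from { destination-address { 192.168.10.0/24; } }
                then discard;
            }
            term everything-else {
                then accept;
            }
        }
    }
}
```

Two things worth keeping in mind with this layout. Separating the VLANs removes Layer 2 reachability between the groups on its own (ARP and broadcasts no longer cross), but as soon as the RVIs exist the switch routes freely between all three subnets, so the two filters are what actually keep production and managers apart; leave them off and the VLANs only separate broadcast domains. The filters are stateless and IPv4-only: the server-to-client return traffic is allowed because nothing on vlan.30 blocks it, and IPv6 would need a separate family inet6 filter. Because the managers sit behind an unmanaged switch, everything on that uplink is necessarily one VLAN; the cheap switch cannot split them further.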