Switching

last person joined: yesterday 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.

  • 1.  Firewall filter for VLAN to restrict access to another VLAN

    Posted 01-05-2017 09:54

    Hello everyone,

     

    I have two VLANS configured. I would like to allow clients from one VLAN to only be able to access one machine on a different VLAN. I don't want clients to be able to get to anyother IP on that network. Right now both VLANs can reach all clients on the other's VLAN.

     

    I am new to firewall filters and I know this is wrong, but this is what I came up with so far:

     

    set family inet filter BLOCK term TERM1 from source-address 192.168.10.0/24
    set family inet filter BLOCK term TERM1 from destination-address 192.168.11.5/24
    set family inet filter BLOCK term TERM1 then accept
    set family inet filter BLOCK term TERM2 from source-address 192.168.10.0/24
    set family inet filter BLOCK term TERM2 from destination-address 192.168.11.0/24
    set family inet filter BLOCK term TERM2 then block
    set family inet filter BLOCKI term TERM3 then accept

     

     

     

    Thanks for your help.



  • 2.  RE: Firewall filter for VLAN to restrict access to another VLAN

    Posted 01-05-2017 20:31

    Hi Vossa

    First create a firewall filter family ethernet switching matching the destination address that you wanted to block and then apply it on the VLAN

     

    root# show firewall
    family ethernet-switching {
    filter FILTER1 {
    term TERM1 {
    from {
    ip-destination-address {
    192.168.11.5/32;
    }
    }
    }
    }
    }

    {master:0}[edit]
    root#

    _________________________________________

     

    root# show vlans
    VLAN10 {
    vlan-id 10;
    forwarding-options {
    filter {
    input FILTER1;
    }
    }
    }
    default {
    vlan-id 1;
    l3-interface irb.0;
    }

     

    You can refer this link for more examples : https://www.juniper.net/techpubs/en_US/junos16.1/topics/example/firewall-filter-ex-series-configuring.html#jd0e1308 


    Thanks

    Arul 

     

     



  • 3.  RE: Firewall filter for VLAN to restrict access to another VLAN

    Posted 01-09-2017 09:34

    Hi Arul, thanks for your response. I know how to block a single address, in fact I just tested this.

     

    But, I am not sure how to allow a single address while blocking the rest of the addresses on that same subnet.

     

    For example:

     

    I want to allow VLAN-10 (192.168.10.0/24) to be able to access a single address, such as 192.168.11.5, on VLAN-11 (192.168.11.0/24), but no others.

     

    Thanks, 

    Vossa



  • 4.  RE: Firewall filter for VLAN to restrict access to another VLAN

     
    Posted 01-05-2017 22:05

    Hi Folks,
    Please find few reference on,

     

    Applying a Firewall Filter to a Port on a Switch
    Applying a Firewall Filter to a Management Interface on a Switch
    Applying a Firewall Filter to a VLAN on a Network
    Applying a Firewall Filter to a Layer 3 (Routed) Interface

     

    https://www.juniper.net/documentation/en_US/junos14.1/topics/task/configuration/firewall-filter-ex-series-cli.html#jd0e498

     

    Also some references,

     

    https://www.juniper.net/documentation/en_US/junos16.1/topics/reference/general/firewall-filter-ex-series-match-conditions-support.html
    https://www.juniper.net/documentation/en_US/junos13.3/topics/concept/firewall-filter-ex-series-evaluation-understanding.html
    https://www.juniper.net/techpubs/en_US/junos14.1/topics/example/firewall-filter-ex-series-configuring.html

     

    -Python