Ethernet Switching
Contributor
Abhi
Posts: 14
Registered: ‎05-13-2009

Hey

Hi,


I am using 2 EX4200 as core switches and a few EX3200 as access switches. I have configured two VLANs in the network, user and cctv. Since inter-VLAN routing is enabled by default in all the switches, every user will be able to interact with each other. Now I want only a few (2 or 3) of the users, out of all of them, to access the cctv VLAN. How should I configure this? Kindly suggest.

Distinguished Expert
Screenie
Posts: 1,082
Registered: ‎01-10-2008

Re: Hey

You could write a stateless packet filter and assign it on input on the CCTV RVI. Accept only certain IPs and block everything else.


You configure the filter under the firewall hierarchy and apply it at unit level under interfaces vlan. Don't forget to allow return packets for traffic initiated on the CCTV VLAN to the other VLAN.


best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
Abhi
Posts: 14
Registered: ‎05-13-2009

Re: Hey

Hi Screenie,


Thanks for the suggestions. Can you help me by sharing how to write the stateless packet filter and assign it on input on the cctv RVI? Looking for your support. Or can I do it through the web GUI also?


regards

abhi

Distinguished Expert
Screenie
Posts: 1,082
Registered: ‎01-10-2008

Re: Hey

I don't have an EX here, but I'll try:


Create a list with accepted hosts first:


policy-options {
    prefix-list accepted_hosts {
        10.1.1.1/32;
        10.1.1.4/32;
    }
}

Create a policy (tricky for me, as I don't know what you need; use my code as an example, not as a complete working policy):


firewall {
    filter accepted_hosts {
        /* Return packets of TCP sessions set up from the other side
           (ACK or RST flag set); a stateless filter has to allow these explicitly. */
        term term1 {
            from {
                tcp-established;
            }
            then accept;
        }
        /* Packets sourced from the hosts in the prefix-list defined above */
        term term2 {
            from {
                source-prefix-list {
                    accepted_hosts;
                }
            }
            then accept;
        }
        /* Anything not matched above is dropped by the implicit discard
           at the end of every Junos filter. */
    }
}

Finally, apply it at interface level:


interfaces {
    vlan {
        unit 0 {
            family inet {
                filter {
                    input accepted_hosts;
                }
            }
        }
    }
}

Hope this helps!


best regards,

Screenie.
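As an added worked example (not from the thread above, and not Screenie's configuration), here is one complete way to express the original requirement, "only a few listed user hosts may reach the CCTV VLAN", as a stateless filter on an EX switch. Everything about the addressing is assumed: the user VLAN is taken to be 10.1.1.0/24 on RVI vlan.10 and the CCTV VLAN 10.2.2.0/24 on RVI vlan.20; the two allowed user hosts are 10.1.1.1 and 10.1.1.4. The filter is placed as an input filter on the user VLAN's RVI, because in Junos an input filter on an interface evaluates packets received on that interface, so vlan.10 input is where a packet from a user host that is about to be routed toward the CCTV subnet can be matched on both its source and destination. An explicit final accept term is included so that the implicit discard at the end of the filter does not cut the user VLAN off from everything else.

```junos
/* Added example, not from the thread. Assumed addressing:
   user VLAN 10.1.1.0/24 on vlan.10, CCTV VLAN 10.2.2.0/24 on vlan.20. */
policy-options {
    /* The two or three user hosts that are allowed to reach the cameras */
    prefix-list cctv_allowed_users {
        10.1.1.1/32;
        10.1.1.4/32;
    }
    /* The whole CCTV subnet, so new cameras need no filter change */
    prefix-list cctv_subnet {
        10.2.2.0/24;
    }
}
firewall {
    family inet {
        filter restrict_cctv {
            /* 1. Listed users may reach anything in the CCTV subnet. */
            term allow_listed_users {
                from {
                    source-prefix-list {
                        cctv_allowed_users;
                    }
                    destination-prefix-list {
                        cctv_subnet;
                    }
                }
                then accept;
            }
            /* 2. Any other user-VLAN host heading for the CCTV subnet is
                  dropped and counted, so attempts are visible afterwards. */
            term block_cctv_for_others {
                from {
                    destination-prefix-list {
                        cctv_subnet;
                    }
                }
                then {
                    count cctv_denied;
                    discard;
                }
            }
            /* 3. All remaining traffic from the user VLAN (other VLANs,
                  the uplink, etc.) is left alone. Without this term the
                  implicit discard at the end of the filter would block it. */
            term allow_rest {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        /* Input filter here sees packets arriving from user hosts
           before they are routed toward the CCTV RVI. */
        unit 10 {
            description "user VLAN RVI";
            family inet {
                address 10.1.1.254/24;
                filter {
                    input restrict_cctv;
                }
            }
        }
        unit 20 {
            description "CCTV VLAN RVI";
            family inet {
                address 10.2.2.254/24;
            }
        }
    }
}
```

To check it after commit, generate a connection from a host that is not in cctv_allowed_users and confirm that the cctv_denied counter in `show firewall filter restrict_cctv` increments while a listed host still reaches the cameras. Two caveats a practitioner will want to keep in mind: the filter only evaluates traffic entering vlan.10, so sessions that a camera itself initiates toward the user VLAN are not restricted by it, and the whole control rests on the source IP address, so a user who configures 10.1.1.1 on their own machine inherits the access; on EX switches that can be tightened with DHCP snooping and IP source guard on the access ports, which is a separate configuration not shown here.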
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.