Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Layer 3 vlan isolation

    Posted 01-08-2016 07:14

    Hello,

    I was looking for commands on how to prevent certain L3 vlans from talking to each other on Juniper devices, specifically EX4200. I know with Cisco you use an ACL and then apply it to the vlan interface, but I have not found any commands to deny certain L3 vlans from communicating with each other. I have about 15 RVIs on the switch and I need to have 5 of them not communicate with the others. Can anyone help?

    Thanks,

    TD



  • 2.  RE: Layer 3 vlan isolation
    Best Answer

    Posted 01-08-2016 12:22

    Dear TDNY,

    Juniper's equivalent to access lists is firewall filters, and you can use them to restrict traffic between specific vlans in the same manner. Here is a good reference with a simple example on that, though I would advise you to read up on firewall filters before starting on the examples.

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB24217&actp=search

    If you share your configuration I might be able to help you with the filter for the restrictions you want to apply to one of the vlans as an example.



  • 3.  RE: Layer 3 vlan isolation

    Posted 01-08-2016 12:41

    Hi Hisham,

    Thanks for the reply. I was searching on the web and indeed found another document referencing firewall filters. It looks straightforward, since we are just trying to block certain L3 vlans from talking to other L3 vlans. I was also looking at VRFs that will do the same, isolate L3 interfaces from talking to other L3 interfaces on a device, but it will create a separate routing table instead of the global routing table. I don't think we need that. Thanks for your help!



  • 4.  RE: Layer 3 vlan isolation

    Posted 01-08-2016 12:47

    Yes, you are correct on VRFs; the only thing is, if the VLANs have a common uplink (which they usually do) then you will have to import/export routes between the VRFs, and this can get a bit ugly/complicated for a switch (in my opinion). Firewall filters are a cleaner, more appropriate solution and you can even apply them through J-Web, which makes it easier.

    Just make sure not to apply them during operational hours and be careful when applying the filter to a vlan interface you're accessing SSH on :P. Filters and the direction of the filter on the interface leave room for many mistakes and errors.
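The firewall-filter approach from reply 2 and the direction/lockout caveat from reply 4, as an added Junos configuration example that is not from this thread or from the linked KB article. It assumes classic EX4200 `vlan.N` RVIs and constructed addressing (10.10.10.0/24 and 10.10.11.0/24 standing in for two of the five isolated VLANs, 10.10.30.0/24 and 10.10.31.0/24 for two of the ten shared ones, and 10.10.30.1 as the RVI address admins SSH to); the prefix-list, filter and term names are my own.

```junos
policy-options {
    /* Constructed subnets: two of the five isolated RVIs and two of the ten shared ones */
    prefix-list ISOLATED-SUBNETS { 10.10.10.0/24; 10.10.11.0/24; }
    prefix-list SHARED-SUBNETS { 10.10.30.0/24; 10.10.31.0/24; }
}
firewall {
    family inet {
        filter RVI-ISOLATION {
            /* Terms match top-down: allow SSH to the switch's own address first so the filter cannot cut off the session that commits it */
            term allow-switch-mgmt {
                from {
                    destination-address { 10.10.30.1/32; }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Hosts in the isolated VLANs cannot reach the shared subnets routed on this switch */
            term isolated-to-shared {
                from { source-prefix-list { ISOLATED-SUBNETS; } destination-prefix-list { SHARED-SUBNETS; } }
                then { count isolated-to-shared; discard; }
            }
            /* The reverse direction is needed too: an input filter on vlan.N only sees packets sent by hosts in VLAN N */
            term shared-to-isolated {
                from { source-prefix-list { SHARED-SUBNETS; } destination-prefix-list { ISOLATED-SUBNETS; } }
                then { count shared-to-isolated; discard; }
            }
            /* Everything else, including traffic towards the uplink, is unaffected */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        /* Apply as input on every RVI (all 15 in the question); only two are shown here */
        unit 10 { family inet { filter { input RVI-ISOLATION; } address 10.10.10.1/24; } }
        unit 30 { family inet { filter { input RVI-ISOLATION; } address 10.10.30.1/24; } }
    }
}
```

Commit it with `commit confirmed 5` so a mistake that makes the switch unreachable rolls back on its own, then use `show firewall filter RVI-ISOLATION` to confirm the discard counters grow only for the cross-VLAN flows you meant to block.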