Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Why CAN you put Ethernet-switching filter on inet address port?

    Posted 06-07-2015 22:57

    I don't understand why you can put a 'family ethernet-switching' filter on the same interface that has a 'family inet address' configuration.

     

    I know that there is an error message when you try to put two different family configs on the same interface, so it doesn't make sense to me that you can get away with this.

     

    It also doesn't make sense to me because when applying the 'family ethernet-switching' filter to a Vlan (edit vlans) the Vlan can be on layer 2 or layer 3, but either way (I tried both ways) the filter that I was able to apply to the vlans seems to be on the layer 2 level.  Is it because in the 'edit vlan' configuration it is simultaneously both a layer two and a layer three construct?

     

    In short, it seems like there is some mixing and matching going on here which I thought was not allowed, since I always get the message that you can't put a family inet and family ethernet-switching on the same interface?

     

    THANKS

     

    robin hood



  • 2.  RE: Why CAN you put Ethernet-switching filter on inet address port?

     
    Posted 06-07-2015 23:27

    What platform is this?

     

    I checked on EX4200(12.3) and I have this:

     

    {master:0}[edit]
    root@EX4200# show interfaces ge-0/0/0
    unit 0 {
        family inet {
            filter {
                input F; ## reference 'F' not found
            }
            address 1.1.1.1/24;
        }
    }

    {master:0}[edit]
    root@EX4200# show firewall
    family ethernet-switching {
        filter F {
            term 1 {
                from {
                    source-address {
                        1.1.1.2/32;
                    }
                }
                then discard;
            }
            term 2 {
                then accept;
            }
        }
    }

    {master:0}[edit]
    root@EX4200#

     



    =====

    If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.



  • 3.  RE: Why CAN you put Ethernet-switching filter on inet address port?

    Posted 06-08-2015 01:19

    Thanks,

     

    On the EX2200-C, here is what I have successfully configured:

     

    show vlans
    default {
        l3-interface vlan.0;
    }
    v100 {
        vlan-id 100;
        interface {
            ge-0/0/11.0;
        }
        filter {
            input Between-every-address;
        }
        l3-interface vlan.100;
    }
    v25 {
        vlan-id 25;
        interface {
            ge-0/0/4.0;
        }
        filter {
            input Between-every-address;
        }
        l3-interface vlan.25;
    }
    v50 {
        vlan-id 50;
        interface {
            ge-0/0/5.0;
        }
        filter {
            input Between-every-address;
        }
        l3-interface vlan.50;
    }

     

    and

    the filter is:

    robmin@JunipEX22cSW1# show firewall family ethernet-switching filter Between-every-address
    term term1 {
        from {
            source-address {
                10.1.10.0/24;
            }
            destination-address {
                10.1.11.0/24;
            }
        }
        then discard;
    }
    term term2 {
        from {
            source-address {
                10.10.100.0/23;
            }
            destination-address {
                10.1.11.0/24;
            }
        }
        then discard;
    }
    term term3 {
        from {
            source-address {
                10.1.11.0/24;
            }
            destination-address {
                10.1.10.0/24;
            }
        }
        then discard;
    }
    term term4 {
        from {
            source-address {
                10.1.11.0/24;
            }
            destination-address {
                10.10.100.0/23;
            }
        }
        then discard;
    }
    term term5 {
        from {
            source-address {
                10.10.100.0/23;
            }
            destination-address {
                10.1.10.0/24;
            }
        }
        then discard;
    }
    term term6 {
        from {
            source-address {
                10.1.10.0/24;
            }
            destination-address {
                10.10.100.0/23;
            }
        }
        then discard;
    }
    term term7 {
        then accept;
    }

     

    I thought at first I could only put a family inet filter on a layer 3 vlan; however, as this configuration shows, I was able to put a layer 2 filter on a layer 3 vlan.

     

    Why is this possible when it is not possible to mix layer 2 and layer 3 items on an interface? Does the Vlan interface not follow the physical interface rules?

     

    Thanks for sharing your time and knowledge.

     

    robin hood



  • 4.  RE: Why CAN you put Ethernet-switching filter on inet address port?

     
    Posted 06-08-2015 02:01

    Just to set some ground rules (for now, let's disregard the IPv6 family):

     

    1. Port filter (L2 interface) can only be ethernet-switching family

    2. VLAN filter can only be ethernet-switching family

    3. Router filter (L3 interface or RVI) can only be inet family

     

    Ethernet-switching is more focused on L2 matching conditions, while inet is focused more on L3 matching conditions.

     

    Some of the matching conditions are common for these two types of families, like matching on IP addresses.

     

    It's very common that you would like to match an IP address on an ethernet-switching port, hence the flexibility.

     

    This is coming down to the flexibility of the filter type conditions.

     

    These are the options for the inet family from an EX4200 (most likely it is different on the EX2200-C):

     

    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > destination-address  Match IP destination address
    + destination-port     Match TCP/UDP destination port
    > destination-prefix-list  Match IP destination prefixes in named list
    + dscp                 Match Differentiated Services (DiffServ) code point
      fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
    + icmp-code            Match ICMP message code
    + icmp-type            Match ICMP message type
    > interface            Match interface name
    + ip-options           Match IP options
      is-fragment          Match if packet is a fragment
    + precedence           Match IP precedence value
    + protocol             Match IP protocol type
    > source-address       Match IP source address
    + source-port          Match TCP/UDP source port
    > source-prefix-list   Match IP source prefixes in named list
      tcp-established      Match packet of an established TCP connection
      tcp-flags            Match TCP flags (in symbolic or hex formats)
      tcp-initial          Match initial packet of a TCP connection
    + ttl                  Match IP ttl type

     

    and these are the options for ethernet-switching family:

     

    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > destination-address  Match IP destination address
    > destination-mac-address  Match MAC destination address
    + destination-port     Match TCP/UDP destination port
    > destination-prefix-list  Match IP destination prefixes in named list
    + dot1q-tag            Match Dot1Q Tag Value
    + dot1q-user-priority  Match Dot1Q user priority
    + dscp                 Match Differentiated Services (DiffServ) code point
    + ether-type           Match Ethernet Type
      fragment-flags       Match fragment flags (in symbolic or hex formats) - (Ingress only)
    + icmp-code            Match ICMP message code
    + icmp-type            Match ICMP message type
    > interface            Match interface name
    > interface-set        Match interface in set
    > ip-version           Define IP version
      is-fragment          Match if packet is a fragment
    + l2-encap-type        Match Ethernet Encapsulation Type
    + precedence           Match IP precedence value
    + protocol             Match IP protocol type
    > source-address       Match IP source address
    > source-mac-address   Match MAC source address
    + source-port          Match TCP/UDP source port
    > source-prefix-list   Match IP source prefixes in named list
      tcp-established      Match packet of an established TCP connection
      tcp-flags            Match TCP flags (in symbolic or hex formats)
      tcp-initial          Match initial packet of a TCP connection
    + vlan                 Match Vlan Id or Name




  • 5.  RE: Why CAN you put Ethernet-switching filter on inet address port?

    Posted 06-08-2015 02:17

    But why can you match an IP address on an interface that is layer 2?  Layer 2 would not know about layer 3 addresses (or maybe it would immediately look for the corresponding MAC address and go from there.)  It is confusing, but useful.  It avoids being stuck by having to only use MAC addresses which cannot be summarized by the prefix using the mask. It might mean that a filter on an ethernet-switched interface could only match against one MAC at a time.  But I guess I don't see how it can work.

     

    Could it be that a Vlan is on the logical interface half (of the total physical and logical) and that even though we might be dealing with a layer 2 vlan, the fact that it is not just the physical interface, but the logical part on top of the physical which allows IP addresses to come into play?

     

    As far as I know (which isn't far), by definition, a vlan only exists as a unit of the physical interface so it is logical only.

    Maybe the logical part of an interface allows both ethernet-switching and inet at the same time.

     



  • 6.  RE: Why CAN you put Ethernet-switching filter on inet address port?

     
    Posted 06-08-2015 02:29

    No, this has nothing to do with a vlan being on a logical interface. You should take it as it is. You have granularity on matching for specific packets. The internal working of the filter inside the EX allows you to match on IP addresses when you use an ethernet-switching family filter.

     

    For instance, the same ethernet-switching filter would work fine for both situations like below:

     

    {master:0}[edit]
    root@EX4200# show firewall
    family inet {
        filter F-inet {
            term 1 {
                then accept;
            }
        }
    }
    family ethernet-switching {
        filter F-eth {
            term 1 {
                then accept;
            }
        }
    }

    {master:0}[edit]
    root@EX4200# show vlans
    default {
        l3-interface vlan.0;
    }
    v10 {
        vlan-id 10;
        filter {
            input F-eth;
        }
        l3-interface vlan.10;
    }

    {master:0}[edit]
    root@EX4200# show interfaces ge-0/0/0
    unit 0 {
        family ethernet-switching {
            filter {
                input F-eth;
            }
        }
    }

    {master:0}[edit]
    root@EX4200#

     






  • 7.  RE: Why CAN you put Ethernet-switching filter on inet address port?

    Posted 06-08-2015 03:06

    Can you, as well, use the F-inet in both situations?  I see what you mean about using F-eth in both situations.

     

    BTW, parau, thank you very much for answering my questions.

     

    I really appreciate it!

     

    robin hood

     

    Sorry, I just saw that you already answered this question:

     

    1. Port filter(L2 interface) can only be ethernet-switching family

    2. VLAN filter can only be ethernet-switching family

    3. Router filter(L3 interface or RVI) can only be inet family



  • 8.  RE: Why CAN you put Ethernet-switching filter on inet address port?
    Best Answer

     
    Posted 06-08-2015 03:10

    I can use it, but for the EX it will be a filter that is not configured, because it is expecting a filter called F-inet that is ethernet-switching family. Filter A for family inet is different than Filter A for family ethernet-switching:

     

    {master:0}[edit]
    root@EX4200# show firewall
    family inet {
        filter F-inet {
            term 1 {
                then accept;
            }
        }
    }
    family ethernet-switching {
        filter F-eth {
            term 1 {
                then accept;
            }
        }
    }

    {master:0}[edit]
    root@EX4200# show interfaces ge-0/0/0
    unit 0 {
        family ethernet-switching {
            filter {
                input F-inet; ## reference 'F-inet' not found
            }
        }
    }

    {master:0}[edit]
    root@EX4200# show vlans
    default {
        l3-interface vlan.0;
    }
    v10 {
        vlan-id 10;
        filter {
            input F-inet; ## 'F-inet' is not defined
        }
        l3-interface vlan.10;
    }

    {master:0}[edit]
    root@EX4200#

     


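As an added example (not code from the thread or from Juniper), a small Python lint that applies the three ground rules from reply 4 (port and VLAN filters must be ethernet-switching family, RVI/L3 unit filters must be inet family) and reproduces the unresolved "reference 'F-inet' not found" situation from reply 8 on a constructed config, so the mismatch is caught before commit:

```python
# Added example (not Juniper code): lint Junos filter attachments against the three family rules above.

def parse(text):
    """Parse Junos curly-brace syntax into nested dicts (leaf statements map to None)."""
    clean = " ".join(ln.split("##", 1)[0] for ln in text.splitlines())  # drop '## ...' annotations
    cur = root = {}
    stack, stmt = [], []
    for tok in clean.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split():
        if tok == "{":                      # open a hierarchy level named by the pending statement
            cur[" ".join(stmt)] = child = {}
            stack.append(cur)
            cur, stmt = child, []
        elif tok == ";":                    # leaf statement
            cur[" ".join(stmt)], stmt = None, []
        elif tok == "}":
            cur = stack.pop()
        else:
            stmt.append(tok)
    return root

def filter_refs(cfg):
    """Yield (where, required_family, filter_name) for every filter attachment point."""
    for ifname, ifbody in cfg.get("interfaces", {}).items():
        for unit, ubody in (ifbody or {}).items():
            for famkey, fbody in (ubody or {}).items():
                if famkey.startswith("family "):   # 'family inet' (RVI/L3) or 'family ethernet-switching' (port)
                    for stmt in (fbody or {}).get("filter") or {}:
                        yield f"{ifname} {unit} {famkey} filter {stmt.split()[0]}", famkey.split()[1], stmt.split()[1]
    for vlan, vbody in cfg.get("vlans", {}).items():  # VLAN filters are always ethernet-switching family
        for stmt in (vbody or {}).get("filter") or {}:
            yield f"vlans {vlan} filter {stmt.split()[0]}", "ethernet-switching", stmt.split()[1]

def check(text):
    """Return one message per filter reference that does not resolve in its required family."""
    cfg, defined = parse(text), {}                    # defined: filter name -> families it exists in
    for famkey, fbody in cfg.get("firewall", {}).items():
        for stmt in (s for s in (fbody or {}) if s.startswith("filter ")):
            defined.setdefault(stmt.split()[1], set()).add(famkey.split()[1])
    return [f"{where}: reference '{name}' not found in family {family} "
            f"(defined under: {', '.join(sorted(defined.get(name, ['none'])))})"
            for where, family, name in filter_refs(cfg) if family not in defined.get(name, set())]
# Constructed config modeled on reply 8: F-inet exists only under family inet but is attached to L2 points.
SAMPLE = """\
firewall { family inet { filter F-inet { term 1 { then accept; } } }
           family ethernet-switching { filter F-eth { term 1 { then accept; } } } }
interfaces { ge-0/0/0 { unit 0 { family ethernet-switching { filter { input F-inet; } } } }
             vlan { unit 10 { family inet { filter { input F-inet; } address 10.1.10.1/24; } } } }
vlans { v10 { vlan-id 10; filter { input F-inet; } l3-interface vlan.10; }
        v20 { vlan-id 20; filter { input F-eth; } l3-interface vlan.20; } }
"""
```

Running `check(SAMPLE)` reports the port and VLAN attachments of F-inet as unresolved in family ethernet-switching while the RVI attachment under family inet passes; the check also accepts `show configuration` output pasted with its `## ... not found` annotations.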



  • 9.  RE: Why CAN you put Ethernet-switching filter on inet address port?

    Posted 06-08-2015 03:15

    Can policy-options policy-statements be put anywhere else besides on protocols (with export keyword)? Like on interfaces or vlans?

     

    I just remembered something else that confused me when I was trying to apply my filters earlier today which all had no effect toward achieving my goal.

     

    Some of my filters were matching against source-address but they did not have any effect. It was only when I saw your earlier post that I matched against both source-address and destination-address. I do not understand why my filter would not also work. Wouldn't it also find a match and discard the packets?  Why does it take both source and destination to have the final effect of actually discarding the packets?

     

    I remember that there were some cases where it would not allow me to apply a filter on egress.

     

    Also, there was a case that I could not apply a filter with the action reject, it could only be discard. I think this was because on egress it could not send an error message because maybe the Routing Engine, which handles ICMP error messages, would not be involved during 'output'?  Does this sound right?

     

    This is also confusing because I think with policies there are only the actions of accept and reject (no discard), which is exactly the opposite of the above case.

     

    THANKS

     

    I just remembered another thing I was hoping someone might be able to comment on. I read somewhere that Router-on-a-stick is an outdated way of doing things. Evidently this is because all connectivity between Vlans can be done by the L3-interface on the switch. But I could not find a way on a switch only to do something that is very common these days. That is, to have connectivity between Vlans and have connectivity from all Vlans to the Internet. I could only find that to do both, I needed to use the Router-on-a-stick beyond the switch, that is, on the Router. At some point this has to all come together, and this is through the trunk link. I could not find a way to have a trunk link without having a router, and I could not find a way just on a switch to have each Vlan have its own unique Gateway without using the Router-on-a-stick.

     

    Is there a way to have connectivity, both between Vlans and to one Internet, on just a switch? If not, why would Router-on-a-stick be outdated?

     

    Even if your Router is a Security device (SRX) you are still trunking to it and putting subinterfaces on the firewall, so this is still a Router-on-a-stick, isn't it?  I really sincerely would like to know of a better way of doing this if it is possible.

     

    THANKS

    robin hood