09-22-2010 01:29 PM
As a Juniper partner (and hosting provider) we've recently purchased two 4200 48T's to replace our less-than-robust ProCurve 3400's, and we'd like to get inter-VLAN routing restricted with ACLs. We have about 15 customer VLANs and a NOC administrative VLAN that need to have the proper directional ACLs applied.
I've scoured the forums and it doesn't seem like there are settings within the firewall filter family ethernet-switching to accommodate 'from' statements using the VLAN tag, at least directionally. I see the 'vlan: Match VLAN ID or Name' selection, but all of the posts and KBs I'm referencing use a network subnet and mask for the 'from' clause.
Is it possible to use the 'filter admin-access-filter from vlan' syntax to configure access for the following?
no traffic between any customer vlans (but back and forth from a firewall)
directionally allowing all traffic from admin_vlan to all customer vlans
09-22-2010 02:17 PM
I tried this on an older version of JUNOS and it didn't work. I think the VLAN tag changed first and then the filter was applied. You can't filter on the original tag then. I think I read in some recent release note that this is fixed now (10.2?). Just give it a try!
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI
If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
09-22-2010 05:50 PM
If I understand the requirements, I would recommend setting up each set of segmented traffic in a different routing-instance. You could then use a firewall filter based on the sources and destinations to selectively allow traffic to route between instances. Would this work for what you are trying to do?
09-23-2010 04:59 AM
I was looking at routing instances, but couldn't find the maximum number available on the EX4200 with VC. My concern is that we'll have more customer VLANs than are configurable on the switch.
We're already looking at separating the customers that can't move from their 192.168.0.0/24 or 192.168.1.0/24 subnets in lieu of policy-based routing, so this may make sense.
What I was trying to avoid is using the actual network and mask in the filter. I'd like to use logical objects like VLAN IDs or perhaps a routing instance number.
The other thing that I've noticed is that the firewall isn't stateful, but there is a command for tcp-established. Should I be looking at that considering there will be traffic back and forth between the internet, a firewall, and the VLAN? The directionality seems to be trouble to set up in my testing even when referencing the network and mask.
09-23-2010 12:28 PM
From the docs I can find, there is a limit of 252 as the number of routing-instances on the EX4200 platform.
It is correct that the firewall filters are not stateful. If you need that level of capability, I would recommend a true firewall platform like the SRX be used, with the EX directing traffic up to the SRX via these routing instances for traffic that needs to transit from one network to another.
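As an added example (not posted by anyone in this thread, and not Juniper's own documentation), here is the directional, stateless policy the original post asks for expressed as family inet filters on the EX's routed VLAN interfaces (RVIs), which is where inter-VLAN traffic is actually seen, rather than as family ethernet-switching port filters. Everything here is assumed: VLAN 10 as the admin VLAN (10.0.10.0/24), VLANs 101 and 102 as two customer VLANs (10.0.101.0/24 and 10.0.102.0/24), VLAN 999 as a transit VLAN to the firewall at 10.0.255.2, and all of it routed in the default instance on an EX4200. An input filter on a customer RVI only ever sees packets that customer sends toward the switch, so each term is one-directional by construction; tcp-established (ACK or RST set) is what lets TCP replies back to the admin VLAN without allowing customer-initiated connections.

```junos
## Added example, hypothetical names and addressing (see lead-in).
vlans {
    admin      { vlan-id 10;  l3-interface vlan.10; }
    cust-a     { vlan-id 101; l3-interface vlan.101; }
    cust-b     { vlan-id 102; l3-interface vlan.102; }
    fw-transit { vlan-id 999; l3-interface vlan.999; }
}
interfaces {
    vlan {
        unit 10  { family inet { address 10.0.10.1/24; } }
        unit 101 { family inet { filter { input cust-a-in; } address 10.0.101.1/24; } }
        unit 102 { family inet { filter { input cust-b-in; } address 10.0.102.1/24; } }
        unit 999 { family inet { address 10.0.255.1/30; } }
    }
}
routing-options {
    /* anything not on a local VLAN goes up to the firewall */
    static { route 0.0.0.0/0 next-hop 10.0.255.2; }
}
policy-options {
    prefix-list admin-net     { 10.0.10.0/24; }
    prefix-list customer-nets { 10.0.101.0/24; 10.0.102.0/24; }
}
firewall {
    family inet {
        /* Traffic entering the switch FROM customer VLAN 101 */
        filter cust-a-in {
            term own-gateway {
                /* pings etc. to this VLAN's own gateway address */
                from { destination-address 10.0.101.1/32; }
                then accept;
            }
            term admin-tcp-replies {
                /* only TCP packets with ACK/RST set may go back to admin: replies, not new sessions */
                from { destination-prefix-list admin-net; protocol tcp; tcp-established; }
                then accept;
            }
            term admin-icmp-replies {
                /* let pings from the admin VLAN be answered */
                from { destination-prefix-list admin-net; protocol icmp; icmp-type echo-reply; }
                then accept;
            }
            term block-internal {
                /* no customer-initiated traffic to the admin VLAN or to other customer VLANs */
                from { destination-prefix-list { admin-net; customer-nets; } }
                then { count cust-a-blocked; discard; }
            }
            term to-firewall {
                /* everything else (internet) follows the default route to the firewall */
                then accept;
            }
        }
        /* Same policy for customer VLAN 102 (only the gateway address differs) */
        filter cust-b-in {
            term own-gateway {
                from { destination-address 10.0.102.1/32; }
                then accept;
            }
            term admin-tcp-replies {
                from { destination-prefix-list admin-net; protocol tcp; tcp-established; }
                then accept;
            }
            term admin-icmp-replies {
                from { destination-prefix-list admin-net; protocol icmp; icmp-type echo-reply; }
                then accept;
            }
            term block-internal {
                from { destination-prefix-list { admin-net; customer-nets; } }
                then { count cust-b-blocked; discard; }
            }
            term to-firewall {
                then accept;
            }
        }
    }
}
```

The admin VLAN needs no filter of its own for the stated requirement (admin may reach every customer VLAN), and `show firewall` shows the per-customer discard counters so you can confirm the block-internal term is actually being hit during testing. Two caveats a practitioner should keep in mind: tcp-established is only a flag check, so a host on a customer VLAN can still send forged ACK packets at admin hosts and UDP replies (DNS, SNMP) to admin would be dropped by block-internal unless you add terms for them, which is exactly why the stateful SRX recommendation above stands for anything more than coarse segmentation. And if you follow the routing-instance approach suggested earlier and give each customer RVI its own virtual-router instance, the block-internal term becomes a hard routing boundary rather than a filter rule, leaving the filter only to shape what the customer may send back toward admin.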