Thank you for the reply - I have removed the OSPF portion for now as it's not important (to this discussion).
My current filter looks like this:
firewall {
    family inet {
        filter PROTECT {
            term SSH {
                from {
                    source-address {
                        xxx.xxx.115.176/28;
                        xx.xxx.20.115/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term DROP {
                from {
                    destination-port ssh;
                }
                then {
                    discard;
                }
            }
            term DEFAULT {
                then accept;
            }
        }
    }
}
Here's my problem now though - it works on one EX4200 switch just fine ... doesn't work on another one. So I thought this has to be where/how it's applied ... but both switches are identical from a layer 3 perspective:
vlan {
    unit 4094 {
        family inet {
            filter {
                input PROTECT;
            }
            address xx.xxx.33.41/29;
        }
    }
}
Very puzzling... the *only* difference is that one of the EX4200s is standalone and the other EX4200 is actually a pair in a VC configuration. Same software load as well...
To top it off, on an EX3200 we have in production it filters SSH no problem without the "protocol tcp" included....
Thoughts? 😉
Paul