I have a firewall rule set up for an interface on our VLAN dedicated to VoIP devices. The firewall rule is designed to prevent anyone from hooking up a computer and browsing the internet. It's set up to allow all of our IP addresses, as well as our VoIP vendor IPs.
All that works fine, after a few lessons on Juniper firewall rules compared to Cisco ACLs. But while the Cisco I pulled worked with the ACLs and DHCP-relay agent, the Juniper Forwarding Engine set up for bootp doesn't work with the firewall rule in place.
It's not in the rule now, but I did try adding destination-port bootps to the match conditions, and there was no change.
Device info:
timg@Grant> show version
Hostname: Grant
Model: j4350
JUNOS Software Release [10.4R2.7]
JUNOS Web Management [10.4R2.6]
Relevant config sections:
timg@Grant> show configuration forwarding-options
helpers {
    bootp {
        relay-agent-option;
        server 192.168.220.158;
        interface {
            ge-0/0/2.410;
        }
    }
}
timg@Grant> show configuration firewall
family inet {
    filter VoIP {
        term Grant_VoIP_Filter {
            from {
                destination-address {
                    209.68.27.16/32;
                }
                destination-prefix-list {
                    Local-IPs;
                    VoIP Vendor;
                }
            }
            then accept;
        }
        term else {
            then {
                discard;
            }
        }
    }
}
timg@Grant> show configuration interfaces ge-0/0/2
vlan-tagging;
unit 410 {
    description Phone;
    vlan-id 410;
    family inet {
        inactive: filter {
            input VoIP;
        }
        address 192.168.6.1/23;
    }
}
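Editor's note, with an added configuration example that is not the poster's config. The behaviour described above follows from how Junos input filters work: a DHCP DISCOVER from a phone arrives on ge-0/0/2.410 as UDP from 0.0.0.0:68 to 255.255.255.255:67, matches neither the unicast destination-address nor the prefix lists in `Grant_VoIP_Filter`, and is discarded by `term else` before the bootp helper ever sees it. Adding `destination-port bootps` to the existing term cannot fix that, because different match types inside one `from` clause are ANDed, so the packet would have to hit the destination addresses as well. The fix is a separate, narrowly scoped term ahead of the discard. The filter name, the 209.68.27.16/32 address, `Local-IPs` and the helper server address are taken from the post; `VoIP-Vendor` (a prefix-list name without a space, which Junos would otherwise require in quotes) and the counter names are assumptions for illustration.

```junos
firewall {
    family inet {
        filter VoIP {
            /* Constructed example. Terms are evaluated top to bottom and the
               first match wins, so the DHCP term must precede the catch-all
               discard. It is limited to UDP/67 toward the broadcast address
               (initial DISCOVER/REQUEST) and toward the configured relay
               server (unicast renewals); clients never need UDP/68 inbound
               from the phone VLAN, so bootpc stays blocked. */
            term allow-dhcp-to-relay {
                from {
                    destination-address {
                        255.255.255.255/32;
                        192.168.220.158/32;   /* helper server from forwarding-options */
                    }
                    protocol udp;
                    destination-port bootps;  /* UDP 67 */
                }
                then {
                    count dhcp-accepted;      /* assumed counter name */
                    accept;
                }
            }
            term Grant_VoIP_Filter {
                from {
                    destination-address {
                        209.68.27.16/32;
                    }
                    destination-prefix-list {
                        Local-IPs;
                        VoIP-Vendor;          /* assumed name */
                    }
                }
                then accept;
            }
            term else {
                then {
                    count else-discarded;     /* assumed counter name */
                    log;                      /* keep a record of what the VLAN tried to reach */
                    discard;
                }
            }
        }
    }
}
```

The filter on unit 410 is currently `inactive:` in the post; after committing a term like the one above it has to be re-enabled with `activate interfaces ge-0/0/2 unit 410 family inet filter` and committed. `show firewall filter VoIP` then shows the two counters, and `show firewall log` the discarded flows: if a phone still fails to lease an address, its traffic should appear in `else-discarded` rather than vanish silently, which is the check that tells you whether the remaining problem is the filter or the relay.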