Screen OS

  • 1.  Juniper SSG-320 forwards broadcasts into another network.

    Posted 11-27-2014 01:12

    Hello,

    Strange things are happening here.

    We connected two networks with different subnets using two Juniper SSG-320s over a 60 GHz wireless Ethernet bridge.

    NET 1 has a static IP configuration and NET 2 has DHCP running. (See attachment for the network topology.)

    We have discovered that we receive DHCP packets from the other network in our network. On closer diagnosis we discovered that all broadcasts are forwarded to our network, and the other way around as well.

    To my knowledge, broadcasts are not forwarded through a router (Juniper).

    Or am I wrong? How do I prevent this?

    PS.: We discovered the broadcasts because 3 machines were flooding the network with ICMPv6 "Multicast Listener Report" messages. Two of them were from the other net. Read more -> http://networkguy.de/?p=742

    Best Regards



  • 2.  RE: Juniper SSG-320 forwards broadcasts into another network.

    Posted 11-27-2014 10:03

    You are correct.  L3 devices will not forward broadcast messages (some exceptions apply).

    DHCP can be forwarded if you have a device that is performing DHCP forwarding.  The device will listen for DHCP requests, add an IP header, and forward the request to the configured IP.

    IPv6 does NOT use broadcast (including ARP).  It's not even in the protocol.  IPv6 uses multicast, which is able to pass between L3 devices.

    Can you provide more details on what you are seeing, along with the configuration of the firewall?



  • 3.  RE: Juniper SSG-320 forwards broadcasts into another network.

    Posted 11-27-2014 23:36

    OK, then let's look at just the broadcasts.

    I'm not sure what you mean by more details.

    We simply connected the two networks on two interfaces with an ANY-ANY-ANY policy. A DHCP relay isn't configured. However, I see all types of v4 broadcasts from the other network (e.g. ARP).

    If you need specific information or configuration settings, I can gladly provide more information.



  • 4.  RE: Juniper SSG-320 forwards broadcasts into another network.

    Posted 11-28-2014 08:54

    Could you please provide a capture that shows the ARPs, along with the configuration of the firewall and a network topology?



  • 5.  RE: Juniper SSG-320 forwards broadcasts into another network.
    Best Answer

    Posted 11-29-2014 05:38

    Can you provide the actual output of the broadcast traffic seen on the incorrect interface, with how the network is connected?

    Most of the time these types of issues are caused by accidentally bridging VLANs.  The SSG is a router, so it will not duplicate layer 2 traffic from one layer 3 interface to another.

    Likely there is a VLAN misconfigured on two interfaces so that the layer 2 connection is being made between them.  This could be on the SSG or on a switch somewhere in the layer 2 domains involved.

    The best way to track this down is to look up the duplicate layer 2 entries to see which devices they belong to and where they are seen on the two VLANs affected.
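A small script, added here and not from any poster in this thread, to carry out the check the best answer suggests: parse a switch MAC address table, list the addresses learned on more than one VLAN, and rank the ports those leaking addresses share (the port that appears most is the likely bridge point). The table layout, VLAN numbers, MACs and port names are constructed samples; real switch output uses its own column and MAC formats, so the row regex is an assumption to adjust per vendor.

```python
"""Find MAC addresses learned in more than one VLAN and the ports that carry them."""
import re
from collections import defaultdict

# Constructed sample in a generic "vlan mac type port" layout (not real switch output).
SAMPLE_MAC_TABLE = """\
Vlan  Mac Address        Type     Ports
----  -----------------  -------  -----
1     00:11:22:33:44:01  DYNAMIC  Gi0/5
1     00:11:22:33:44:02  DYNAMIC  Gi0/7
1     00:11:22:33:44:03  DYNAMIC  Gi0/7
101   00:11:22:33:44:01  DYNAMIC  Gi0/5
101   00:11:22:33:44:02  DYNAMIC  Gi0/7
101   00:11:22:33:44:03  DYNAMIC  Gi0/7
101   00:11:22:33:44:04  DYNAMIC  Gi0/9
"""

# Assumed row format: VLAN id, colon-separated MAC, entry type, port. Header lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+\S+\s+(\S+)", re.I)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return entries


def duplicate_macs(entries):
    """Map each MAC learned in more than one VLAN to the set of (vlan, port) it was seen on."""
    seen = defaultdict(set)
    for vlan, mac, port in entries:
        seen[mac].add((vlan, port))
    return {mac: locs for mac, locs in seen.items() if len({v for v, _ in locs}) > 1}


def suspect_ports(dups):
    """Rank ports by how many distinct cross-VLAN MACs they carry, highest first."""
    ports = defaultdict(set)
    for mac, locs in dups.items():
        for _, port in locs:
            ports[port].add(mac)
    return sorted(((p, len(ms)) for p, ms in ports.items()), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    dups = duplicate_macs(parse_mac_table(SAMPLE_MAC_TABLE))
    for mac, locs in sorted(dups.items()):
        print(mac, sorted(locs))
    print("ports carrying cross-VLAN MACs:", suspect_ports(dups))
```

Run against the real table from each switch in both layer 2 domains; a port whose count is close to the total number of duplicated MACs is the one to inspect for conflicting untagged and tagged VLAN membership.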



  • 6.  RE: Juniper SSG-320 forwards broadcasts into another network.

    Posted 12-03-2014 00:35

    A misconfigured switch or VLAN was probably really the problem.

    We disconnected the Juniper interface for testing, and the packets still came from the other network. At that point we knew that the Juniper was definitely not the reason, but some switch was.

    A switch port was in VLAN 1 (untagged) and simultaneously tagged in the "Bridge VLAN 101". This was connecting the two VLANs. Now that we have excluded the port from VLAN 1, no DHCP, ARP or other broadcasts are visible from the other network any more.

    Thank you all for pointing us in the right direction.