Ethernet Switching

EX firewall discard traffic between 2 IP's in different VLAN's

07-03-2014 02:08 PM

I'd like to drop traffic between two network devices which reside on two different vlans.

Junos version: 12.3R6.6

Topology:

Device one (10.0.250.93) on vlan.42 <--> L3 Switch <--> device two (10.0.6.30) on vlan.46

Firewall Config:

family inet {
    filter drop-to-cucm {
        term rule1 {
            from {
                source-address {
                    10.0.250.93/32;
                }
                destination-address {
                    10.0.6.30/32;
                }
            }
            then {
                discard;
            }
        }
    }
}

Then I ran:

set interfaces vlan unit 42 family inet filter input drop-to-cucm

{master:1}[edit]
root@ex3300-vc# commit check

The result is that all traffic on vlan.42 is dropped, instead of just traffic from device one.

I've also tried applying the rule to vlan.46 input, and removing the destination-address 10.0.6.30/32 line, with the same result.

I'm obviously making a fundamental mistake in understanding how these firewall rules should be applied. Any help is appreciated.

Thanks,

Steve

-------------------------------------------------------

Edit: Solution provided works, greatly appreciated. For extra clarity, the accept term would be added to the existing firewall filter, as only one filter can be assigned to an interface.

Solution
Accepted by topic author Steve D
08-26-2015 01:27 AM

Re: EX firewall discard traffic between 2 IP's in different VLAN's

07-03-2014 10:39 PM

If a packet does not hit any of the terms of the filter, it will be handled by the implicit term, which is to discard everything else.

Can you add something like this?

set firewall family inet filter F term LAST then accept

Make sure that this term is the last one, after everything that you wanted to deny.

=====

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
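The complete filter the thread arrives at, written out as an added example (reconstructed from the question and the accepted reply, not the original poster's final configuration): the discard term from the question followed by the explicit accept term the reply suggests, applied to vlan.42 input as in the question. The `count` action and the counter name `drop-to-cucm-hits` are an assumption added so the match can be verified after commit.

```junos
firewall {
    family inet {
        filter drop-to-cucm {
            /* Term 1: the only flow to drop, device one -> device two. */
            term rule1 {
                from {
                    source-address {
                        10.0.250.93/32;
                    }
                    destination-address {
                        10.0.6.30/32;
                    }
                }
                then {
                    /* assumed: counter so hits can be checked with
                       "show firewall filter drop-to-cucm" */
                    count drop-to-cucm-hits;
                    discard;
                }
            }
            /* Term 2: explicit accept for everything else. Without it, any
               packet that misses rule1 falls through to the filter's implicit
               discard, which is why all of vlan.42 was being dropped. */
            term LAST {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 42 {
            family inet {
                filter {
                    input drop-to-cucm;
                }
            }
        }
    }
}
```

After commit, `show firewall filter drop-to-cucm` shows the counter incrementing only for the device one to device two flow, while other vlan.42 traffic continues to pass via term LAST.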