Switching

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  firewall filter

     
    Posted 12-29-2014 09:12

    Hi Guys,

     

    I want to create two quarantine VLANs in my core switch for some test purposes. What I am trying to achieve is, let's say, VLAN 1 and VLAN 2. The members of VLAN 1 should only communicate with three IPs (172.16.0.135, 172.16.0.250, 172.16.0.152) and members of VLAN 2 should only communicate with two IPs (172.16.0.152, 172.16.0.250). How can I achieve this configuration in my core switch? The hardware I am using is an EX mixed VC. Thank you.

     



  • 2.  RE: firewall filter
    Best Answer

     
    Posted 12-31-2014 03:51

    I would say the quick and easy way to do this might be with firewall filters on the "vlan" L3 interfaces:

     

    # show firewall family inet
    filter block-comm-a {
        /* hosts in vlan-a may only reach these three addresses */
        term 0-permit_traffic_a {
            from {
                destination-address {
                    172.16.0.135/32;
                    172.16.0.152/32;
                    172.16.0.250/32;
                }
            }
            then accept;
        }
        /* everything else is dropped (same as the implicit discard at the end of a Junos filter) */
        term 1000-implicit_deny {
            then discard;
        }
    }
    filter block-comm-b {
        /* hosts in vlan-b may only reach these two addresses */
        term 0-permit_traffic_b {
            from {
                destination-address {
                    172.16.0.152/32;
                    172.16.0.250/32;
                }
            }
            then accept;
        }
        term 1000-implicit_deny {
            then discard;
        }
    }
    # show vlans
    vlan-a {
        vlan-id 10;
        l3-interface vlan.10;
    }
    vlan-b {
        vlan-id 20;
        l3-interface vlan.20;
    }
    # show interfaces vlan
    unit 10 {
        family inet {
            address 172.16.1.1/24;
            filter {
                /* filter name must match the one defined under firewall family inet */
                input block-comm-a;
            }
        }
    }
    unit 20 {
        family inet {
            address 172.16.2.1/24;
            filter {
                input block-comm-b;
            }
        }
    }

     



  • 3.  RE: firewall filter

     
    Posted 01-01-2015 08:11

    Hi Evt

     

    Thank you very much for your reply, the configuration is working fine. If I want to allow internet too for these two VLANs, what changes do I need to make to the firewall filter you have given?



  • 4.  RE: firewall filter

     
    Posted 01-01-2015 08:29

    If you only want them to have access to the internet and nothing else on that 172.16.0.0 private network, you could do this:

     

    filter block-comm-a {
        term 0-permit_traffic_a {
            from {
                destination-address {
                    172.16.0.0/24;
                    172.16.0.135/32 except;
                    172.16.0.152/32 except;
                    172.16.0.250/32 except;
                }
            }
            then discard;
        }
        term 1000-implicit_allow {
            then accept;
        }
    }
    filter block-comm-b {
        term 0-permit_traffic_b {
            from {
                destination-address {
                    172.16.0.0/24;
                    172.16.0.152/32 except;
                    172.16.0.250/32 except;
                }
            }
            then discard;
        }
        term 1000-implicit_allow {
            then accept;
        }
    }

     Note the changes in the filter.  The first term is denying all traffic to your 172.16.0.0/24 network except for the IP addresses listed, then permitting all traffic in the following term.  Alternatively, you could create one more term on each of the first set of example filters that denies traffic to the rest of the 172.16.0.0/24 network and just modify the last term to 'accept'.  Be aware that if you add terms, you need to re-order the terms properly using the 'insert' command.  For further details, I suggest reading through the docs here:

     

    http://www.juniper.net/techpubs/en_US/junos13.1/information-products/pathway-pages/config-guide-firewall-filter/config-guide-firewall-filter.html



  • 5.  RE: firewall filter

     
    Posted 01-01-2015 10:23

    Hi Evt

     

    Got an error like this while trying the above recommendation.

     

    show firewall family inet
    filter block-comm-qu {
        term 0-permit_traffic_qu {
            from {
                destination-address {
                    172.16.0.0/12;
                    ##
                    ## Warning: statement ignored: unsupported platform (ex4500-40f)
                    ##
                    172.16.0.135/32 except;
                    ##
                    ## Warning: statement ignored: unsupported platform (ex4500-40f)
                    ##
                    172.16.0.130/32 except;
                    ##
                    ## Warning: statement ignored: unsupported platform (ex4500-40f)
                    ##
                    172.17.0.130/32 except;
                    ##
                    ## Warning: statement ignored: unsupported platform (ex4500-40f)
                    ##
                    172.17.0.250/32 except;
                }
            }
            then {
                discard;
            }
        }
        term 1000-inplicit_allow {
            then accept;
        }
    }

     

    Is there any workaround to achieve the above recommendation? Thank you.

     



  • 6.  RE: firewall filter

     
    Posted 01-01-2015 10:38

    Sorry, I did that from memory and some filtering features are not available on the EX.  You will have to follow my second suggestion of creating a new term that denies traffic to the 172.16.0.0/24 network, either changing the last term's description and action to 'accept' or deleting the last term and creating a new one that accepts all traffic.



  • 7.  RE: firewall filter

     
    Posted 01-02-2015 04:38

    Hi Evt

     

    I tried your suggested workaround and it is working fine; I only tried it in the first VLAN. The output is shown below.

     

    [screenshot 1.JPG, not reproduced]

     

    Here I added two of my DNS server IPs (172.16.0.130 and 172.17.0.130) so that name resolution takes place.

     

    I will follow the guidelines for the other VLAN. Thank you very much for your help.



  • 8.  RE: firewall filter

    Posted 01-01-2015 11:43

    Add another match condition: destination port http and https.



  • 9.  RE: firewall filter

     
    Posted 01-02-2015 04:43

    Hi Lyndidon

     

    Could you please explain the match condition you mentioned earlier, so I can also test that condition? Thank you.



  • 10.  RE: firewall filter

     
    Posted 01-02-2015 04:47

    If you only want the users to have HTTP and HTTPS access to the general internet, and you have added your DNS servers to the first term, then you can do this to the very last term:

     

    set firewall family inet filter block-comm-qu term 1000-internet_allow from destination-port [ http https ]

     

    This blocks everything except traffic to port 80 and port 443.
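    The complete filter the thread converges on, written out in set form as an added example (it is not the poster's configuration, whose output was only attached as a screenshot): one term accepting the permitted hosts and the two DNS servers, one term dropping the rest of 172.16.0.0/24, and a final term admitting only HTTP/HTTPS to everything else. The filter name block-comm-qu and interface unit 10 are taken from earlier posts; the counter name is an assumption.

```junos
# Added example, not the poster's own config: final quarantine filter on an EX switch.
# Terms are evaluated top to bottom; the first term that matches decides the packet.

# Term 1: hosts the quarantined VLAN may reach, plus the two DNS servers from the thread
set firewall family inet filter block-comm-qu term 10-permit_hosts from destination-address 172.16.0.135/32
set firewall family inet filter block-comm-qu term 10-permit_hosts from destination-address 172.16.0.152/32
set firewall family inet filter block-comm-qu term 10-permit_hosts from destination-address 172.16.0.250/32
set firewall family inet filter block-comm-qu term 10-permit_hosts from destination-address 172.16.0.130/32
set firewall family inet filter block-comm-qu term 10-permit_hosts from destination-address 172.17.0.130/32
set firewall family inet filter block-comm-qu term 10-permit_hosts then accept

# Term 2: the EX4500 rejected "except", so the rest of the private /24 gets its own
# discard term placed after the permit term (counter name "quarantine-denied" is assumed)
set firewall family inet filter block-comm-qu term 20-deny_private from destination-address 172.16.0.0/24
set firewall family inet filter block-comm-qu term 20-deny_private then count quarantine-denied
set firewall family inet filter block-comm-qu term 20-deny_private then discard

# Term 3: anything else (the internet) only on HTTP/HTTPS; all other traffic falls
# through to the implicit discard at the end of the filter
set firewall family inet filter block-comm-qu term 1000-internet_allow from destination-port http
set firewall family inet filter block-comm-qu term 1000-internet_allow from destination-port https
set firewall family inet filter block-comm-qu term 1000-internet_allow then accept

# If the deny term was added after the accept term already existed, move it into place
insert firewall family inet filter block-comm-qu term 20-deny_private before term 1000-internet_allow

# Apply as an input filter on the quarantine VLAN's L3 interface (vlan.10 from the first answer)
set interfaces vlan unit 10 family inet filter input block-comm-qu

# After commit, verify term order and watch the drop counter (operational mode):
#   show configuration firewall family inet filter block-comm-qu
#   show firewall filter block-comm-qu
```

    Because the filter sits on the L3 VLAN interface it only governs traffic routed out of the VLAN, so hosts inside the same VLAN still reach each other at layer 2, and the final term also drops non-HTTP protocols such as ICMP and NTP, which matters when troubleshooting from a quarantined host.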