Ethernet Switching

firewall filter

‎12-29-2014 09:12 AM

Hi Guys,

I want to create two quarantine VLANs in my core switch for some test purposes. What I am trying to achieve is, let's say, VLAN 1 and VLAN 2. The members of VLAN 1 should only communicate with three IPs (172.16.0.135, 172.16.0.250, 172.16.0.152) and members of VLAN 2 should only communicate with two IPs (172.16.0.152, 172.16.0.250). How can I achieve this configuration in my core switch? The hardware I am using is an EX mixed VC. Thank you.

Thanks,
Jsree

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....
Solution accepted by topic author jsree, 08-26-2015 01:27 AM

Re: firewall filter

‎12-31-2014 03:50 AM

I would say the quick and easy way to do this might be with firewall filters on the "vlan" L3 interfaces:

# show firewall family inet
filter block-comm-a {
    term 0-permit_traffic_a {
        from {
            destination-address {
                172.16.0.135/32;
                172.16.0.152/32;
                172.16.0.250/32;
            }
        }
        then accept;
    }
    term 1000-implicit_deny {
        then discard;
    }
}
filter block-comm-b {
    term 0-permit_traffic_b {
        from {
            destination-address {
                172.16.0.152/32;
                172.16.0.250/32;
            }
        }
        then accept;
    }
    term 1000-implicit_deny {
        then discard;
    }
}
# show vlans
vlan-a {
    vlan-id 10;
    l3-interface vlan.10;
}
vlan-b {
    vlan-id 20;
    l3-interface vlan.20;
}
# show interfaces vlan
unit 10 {
    family inet {
        address 172.16.1.1/24;
        filter {
            input block-comm-a;
        }
    }
}
unit 20 {
    family inet {
        address 172.16.2.1/24;
        filter {
            input block-comm-b;
        }
    }
}


Re: firewall filter

‎01-01-2015 08:10 AM

Hi Evt

Thank you very much for your reply, the configuration is working fine. If I want to allow internet access too for these two VLANs, what changes do I need to make to the firewall filter you have given?

Thanks,
Jsree


Re: firewall filter

‎01-01-2015 08:28 AM

If you only want them to have access to the internet and nothing else on that 172.16.0.0 private network, you could do this:

filter block-comm-a {
    term 0-permit_traffic_a {
        from {
            destination-address {
                172.16.0.0/24;
                172.16.0.135/32 except;
                172.16.0.152/32 except;
                172.16.0.250/32 except;
            }
        }
        then discard;
    }
    term 1000-implicit_allow {
        then accept;
    }
}
filter block-comm-b {
    term 0-permit_traffic_b {
        from {
            destination-address {
                172.16.0.0/24;
                172.16.0.152/32 except;
                172.16.0.250/32 except;
            }
        }
        then discard;                    
    }
    term 1000-implicit_allow {
        then accept;
    }
}

 Note the changes in the filter.  The first term is denying all traffic to your 172.16.0.0/24 network except for the IP addresses listed, then permitting all traffic in the following term.  Alternatively, you could create one more term on each of the first set of example filters that denies traffic to the rest of the 172.16.0.0/24 network and just modify the last term to 'accept'.  Be aware that if you add terms, you need to re-order the terms properly using the 'insert' command.  For further details, I suggest reading through the docs here:

http://www.juniper.net/techpubs/en_US/junos13.1/information-products/pathway-pages/config-guide-fire...


Re: firewall filter

‎01-01-2015 10:22 AM

Hi Evt

Got an error like this while trying the above recommendation.

show firewall family inet
filter block-comm-qu {
    term 0-permit_traffic_qu {
        from {
            destination-address {
                172.16.0.0/12;
                ##
                ## Warning: statement ignored: unsupported platform (ex4500-40f)
                ##
                172.16.0.135/32 except;
                ##
                ## Warning: statement ignored: unsupported platform (ex4500-40f)
                ##
                172.16.0.130/32 except;
                ##
                ## Warning: statement ignored: unsupported platform (ex4500-40f)
                ##
                172.17.0.130/32 except;
                ##
                ## Warning: statement ignored: unsupported platform (ex4500-40f)
                ##
                172.17.0.250/32 except;
            }
        }
        then {
            discard;
        }
    }
    term 1000-inplicit_allow {
        then accept;
    }
}

Is there any workaround to achieve the above recommendation? Thank you.

Thanks,
Jsree


Re: firewall filter

‎01-01-2015 10:37 AM

Sorry, I did that from memory and some filtering features are not available on the EX.  You will have to follow my second suggestion of creating a new term that denies traffic to the 172.16.0.0/24 network, either changing the last term's description and action to 'accept' or deleting the last term and creating a new one that accepts all traffic.


Re: firewall filter

‎01-01-2015 11:42 AM

add another match condition destination port http and https


Re: firewall filter

‎01-02-2015 04:37 AM

Hi Evt

I tried your suggested workaround and it is working fine; I only tried it in the first VLAN. The output is shown below.

[attached screenshot: 1.JPG]

Here I added two of my DNS server IPs (172.16.0.130 and 172.17.0.130), so that name resolution takes place.

I will follow the guidelines for the other VLAN. Thank you very much for your help.

Thanks,
Jsree


Re: firewall filter

‎01-02-2015 04:43 AM

Hi Lyndidon

Could you please explain the match condition you mentioned earlier, so I can also test that condition? Thank you.

Thanks,
Jsree


Re: firewall filter

‎01-02-2015 04:46 AM

If you only want the users to have HTTP and HTTPS access to the general internet, and you have added your DNS servers to the first term, then you can do this to the very last term:

set firewall family inet filter block-comm-qu term 1000-internet_allow from destination-port [ http https ]

This blocks everything except traffic to port 80 and port 443.
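Added example, not from the thread and not Juniper's code: a small Python model of how a Junos stateless firewall filter walks its terms (top to bottom, first matching term wins, implicit discard at the end), used to check the three filter designs from this thread before committing them on a switch. It models only the match conditions the thread uses (destination-address, destination-port); the term name 500-deny_rest_of_lan, the host 172.16.0.10 and the internet address 203.0.113.10 are constructed for the example. The "misordered" variant shows why the reply above says new terms must be re-ordered with 'insert': a LAN-deny term appended after the final accept term is never reached for HTTP/HTTPS destinations on the LAN.

```python
import ipaddress

# Added example (not from the thread): a minimal model of Junos stateless
# firewall-filter evaluation. Terms are walked top to bottom; the first term
# whose "from" conditions all match decides the action; a packet matching no
# term hits the implicit discard. Only destination-address and
# destination-port are modelled, since those are the conditions used here.


def make_term(name, action, dst_prefixes=(), dst_ports=()):
    """Build one term. An empty list for a condition means 'match anything'."""
    return {
        "name": name,
        "action": action,
        "dst_prefixes": [ipaddress.ip_network(p) for p in dst_prefixes],
        "dst_ports": frozenset(dst_ports),
    }


def term_matches(term, dst_ip, dst_port):
    ip = ipaddress.ip_address(dst_ip)
    if term["dst_prefixes"] and not any(ip in net for net in term["dst_prefixes"]):
        return False
    if term["dst_ports"] and dst_port not in term["dst_ports"]:
        return False
    return True


def evaluate(terms, dst_ip, dst_port):
    """Return (action, term name) for a packet; the implicit deny has no term name."""
    for term in terms:
        if term_matches(term, dst_ip, dst_port):
            return term["action"], term["name"]
    return "discard", "implicit-deny"


# Allow-listed hosts for VLAN A, as in the accepted answer.
ALLOWED_HOSTS_A = ["172.16.0.135/32", "172.16.0.152/32", "172.16.0.250/32"]

# 1. Accepted answer: reach the three hosts, discard everything else.
BLOCK_COMM_A = [
    make_term("0-permit_traffic_a", "accept", ALLOWED_HOSTS_A),
    make_term("1000-implicit_deny", "discard"),
]

# 2. EX workaround ('except' is unsupported on the ex4500): keep the host term,
#    add a term discarding the rest of the LAN, and let the final term accept
#    only HTTP/HTTPS toward whatever is left (the internet).
#    The name 500-deny_rest_of_lan is an assumption, not from the thread.
QUARANTINE_A_WITH_INTERNET = [
    make_term("0-permit_traffic_a", "accept", ALLOWED_HOSTS_A),
    make_term("500-deny_rest_of_lan", "discard", ["172.16.0.0/24"]),
    make_term("1000-internet_allow", "accept", dst_ports=[80, 443]),
]

# 3. Same terms, but the LAN-deny term was added with a plain 'set' and so was
#    appended after the final accept term instead of being placed with 'insert'.
MISORDERED = [
    QUARANTINE_A_WITH_INTERNET[0],
    QUARANTINE_A_WITH_INTERNET[2],
    QUARANTINE_A_WITH_INTERNET[1],
]


def compare(dst_ip, dst_port):
    """Evaluate one destination against all three designs for a side-by-side view."""
    return {
        "accepted-answer": evaluate(BLOCK_COMM_A, dst_ip, dst_port),
        "ex-workaround": evaluate(QUARANTINE_A_WITH_INTERNET, dst_ip, dst_port),
        "misordered": evaluate(MISORDERED, dst_ip, dst_port),
    }


if __name__ == "__main__":
    # Constructed sample destinations: an allowed host, another LAN host, and an
    # internet address from the TEST-NET-3 documentation range (203.0.113.0/24).
    for ip, port in [("172.16.0.135", 53), ("172.16.0.10", 443),
                     ("172.16.0.10", 22), ("203.0.113.10", 443), ("203.0.113.10", 25)]:
        print(f"{ip}:{port}", compare(ip, port))
```

Running it shows that 172.16.0.10:443 is discarded by the correctly ordered workaround but accepted by the misordered one, because 1000-internet_allow fires before the LAN-deny term is ever consulted. Two caveats the model leaves out: Junos documentation recommends pairing destination-port with a protocol match (protocol tcp) in the same term, and the filter is stateless and applied on input of the VLAN's L3 interface, so it only governs traffic initiated by the quarantined hosts. DNS on port 53 is not covered by the HTTP/HTTPS term, which is why the DNS servers were added to the host allow term in the thread.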
