Ethernet Switching

question about apply firewall rule on port switch

‎09-30-2019 06:16 AM

Hello,

This is my firewall rule:

family ethernet-switching {
    filter port1 {
        term layer2 {
            from {
                ether-type arp;
            }
            then accept;
        }
        term port1 {
            from {
                source-address {
                    192.168.1.0/27;
                }
            }
            then accept;
        }
        term default-term {
            then discard;
        }
    }
}

and this is port1 configuration :

ge-0/0/1 {
    description "LABEL";
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan1201;
            }
            filter {
                input port1;
            }
        }
    }
}

So my question is: right now only 192.168.1.0/27 can send packets to the outside, and other IP prefixes (such as multicast prefixes) cannot send packets towards my router, right?

Because in Brocade, when I applied the same ACL, it did not block multicast prefixes, so I want to make sure that in Juniper all prefixes are blocked by this rule except 192.168.1.0/27.

My switches are Juniper EX4200 48P.

So am I right?

Thanks,

3 replies

Accepted solution (marked by topic author blackmetal, 09-30-2019 06:56 AM)

Re: question about apply firewall rule on port switch

‎09-30-2019 06:30 AM

Hi blackmetal,

True, IP traffic will only be allowed for 192.168.1.0/27. You can add a count to each term to check which term is taking effect; in particular, adding "count discarded_packets" to the last term will be helpful for troubleshooting any deviation from the expected behavior.

Also, the filter terms you've configured are matching on source IP. So all destination IPs (including multicast) will be allowed, but the source can only be 192.168.1.0/27. Just to be clear.

Hope this helps.

Regards,
-r.

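The accepted answer's point, as an added example that is not the thread's own code: a small Python model of how the port1 filter above is evaluated, term by term with first match winning, run over constructed sample frames. The frame dictionary format, the check that source-address only matches IPv4 frames, and the per-term counter names are assumptions made for this illustration, not vendor documentation.

```python
# Added example (not from the thread): a first-match model of the port1
# family ethernet-switching filter, evaluated over constructed frames.
import ipaddress
from collections import Counter

ALLOWED_SRC = ipaddress.ip_network("192.168.1.0/27")

# Each term: (name, match function, action), in the order they appear on the page.
# Assumption: the source-address match only applies to IPv4 frames.
TERMS = [
    ("layer2", lambda f: f["ether_type"] == "arp", "accept"),
    ("port1", lambda f: f["ether_type"] == "ipv4"
              and ipaddress.ip_address(f["src"]) in ALLOWED_SRC, "accept"),
    ("default-term", lambda f: True, "discard"),  # catch-all, like the page's last term
]

def evaluate(frame, counters):
    """Return the action taken for one frame; first matching term wins."""
    for name, match, action in TERMS:
        if match(frame):
            counters[name] += 1  # equivalent of adding "count <name>" to each term
            return action
    raise AssertionError("unreachable: default-term matches every frame")

def run(frames):
    """Evaluate all frames; return (actions, per-term counters)."""
    counters = Counter()
    actions = [evaluate(f, counters) for f in frames]
    return actions, counters

# Constructed sample frames (destination is carried but never inspected).
SAMPLE_FRAMES = [
    {"ether_type": "arp", "src": None, "dst": None},                      # ARP: accept (layer2)
    {"ether_type": "ipv4", "src": "192.168.1.5", "dst": "10.0.0.1"},      # allowed source: accept
    {"ether_type": "ipv4", "src": "192.168.1.5", "dst": "224.0.0.251"},   # allowed source to multicast: accept
    {"ether_type": "ipv4", "src": "192.168.1.40", "dst": "10.0.0.1"},     # outside /27: discard
    {"ether_type": "ipv4", "src": "10.9.9.9", "dst": "224.0.0.251"},      # other source to multicast: discard
]

if __name__ == "__main__":
    actions, counters = run(SAMPLE_FRAMES)
    for frame, action in zip(SAMPLE_FRAMES, actions):
        print(frame["ether_type"], frame["src"], "->", frame["dst"], ":", action)
    print("discarded_packets:", counters["default-term"])
```

The multicast destination in the third frame is still accepted, which is the distinction the answer draws: the filter constrains where traffic comes from, not where it goes.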


Re: question about apply firewall rule on port switch

‎09-30-2019 06:57 AM

If I add count discarded_packets or count, does it cause any high CPU usage?


Re: question about apply firewall rule on port switch

‎09-30-2019 09:18 AM
Hello blackmetal,

That’s a pretty common practice to count packets via firewall filter and I haven’t seen CPU issues due to it. That said, if the count is exorbitantly high and expected/known, perhaps you don’t need it 😊.

Hope this helps.

Regards,
-r.

