SRX

I want to know if it is possible to apply a filter to an ethernet-switching port? I realize that the filter command is within the family inet statement and the firewall statement but I thought it might be possible via a group method or somehow else.

Anyone know anything?

Hi,

 

You can configure it under the family ether-switching heirarchy. Here is a sample:

 

root@srx# show firewall
family ethernet-switching {
filter FROM_RTR {
term 1 {
from {
source-mac-address {
0c:86:10:99:d5:2c/48;
}
}
then count from_rtr;
}
term 2 {
then accept;
}
}
}

root@srx# show interfaces xe-0/0/15
unit 0 {
family ethernet-switching {
filter {
input FROM_RTR;
}
}
}

 

I hope this helps. Regards,

 

Vikas

I have junos 11.47xx. does anyone know a different way? Inheriting attributes?

I have only family inet and inet6 but not family ethernet-switching in the firewall statement. I also don't have the filter statement in interfaces -> family ethernet-switching statement.

Hi,

 

In 12.1 I am seeing family bridge under the firewall filters, so looks like this functionality was added sometime in between.

 

> Which family does the interface belong to? bridge?

> What are you trying to achieve with the etherswitching filter?

 

Rgeards,

 

Vikas

Attributes can be inherited from group config or interface-range config. You may verify from where the config are inherited using "display inheritance" option like below:

 

show configuration interfaces ge-0/0/0 | display inheritance

 

 

 

Ideally I would want to use family inet or bridge and I want to get there but right now I'm using ethernet-switching. I probably will just switch to inet soon.

My intention with the filter is to filter MTU at value 1522. A route in the electrical service in my area is corrupted on MTU 1522. Or the attributes are manipulated. It's all the above because the electric company has fire requirements. IGMP and others zero out on this route. This interrupts internet service per requirement.

Anyway, I know this works because I have filtered out MTU at ge-0/0/0.0 which is my isp port. The problem is the AP's on the other ports. They are ethernet-switched. The loopback never stays on an absolute path. Real annoying.

Need help with attributes and a group. Anyone know how to apply a filter this way? I want to make those ports inherit a filter.

Hi Eugene,

    Can you please post your topology for better understanding? In my experience with filter , it works well on both SRX and EX devices either loopback or bridge port or an L3 port.

 

   To configure a firewall filter you must configure the filter and then apply it to a port, VLAN (or bridge), or Layer 3 interface.

 

  https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/firewall-filter-ex-series-cli.html

 

 https://www.juniper.net/documentation/en_US/junos/topics/reference/general/firewall-filter-ex-series-match-conditions-description.html

 

regards,

D

I have one srx240b2 with Juno's 11.47xxx
Three Asus/DD-WRT AP's

The AP's are on ports ge-0/0/13.0 - 15.0

I have created the filter at the firewall.

Firewall ->
Filter ->
MTU ->
1522 ->
and so on...

I'm filtering traffic at 1522 because there is an anomaly there.

It works so that's not a question.

I can't use ethernet-switching filters at the
ports. I can use filters at the ports if family inet or bridge is used.

I will probably change the topology to family inet on the internal/local ports as they are ethernet-switching, but I want to see if I can inherit filters since my Junos is 11.47xxx.

Any ideas?

Hello,

 

Unfortunately, groups/inheritence would not help in this case. Ultimately, even within the group you would not be able to configure an ether-switching filter to inherit within the interface heirarchy.

 

Regards,

 

Vikas 

Thx Nelumbo, thx to all the helpful posts.

Eugene1973
ITT Tech B S.C.M.
ITT Tech A.A.S.