Switching

 View Only
last person joined: 10 hours ago 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.

  • 1.  Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 00:13

    Hello,

    This is my firewall filter rules :

    family ethernet-switching {
    filter port5 {
        term port5 {
            from {
                source-address {
                    192.168.1.0/29;
                    192.168.1.240/29;
                }
            }
            then accept;
        }
        term default-term {
            then discard;
        }
    }
}

    and this is my port configurations :

    description "PORT-Description";
unit 0 {
    family ethernet-switching {
        vlan {
            members vlan3712;
        }
        filter {
            input port5;
        }
    }
}

and this is my ethernet switching options :
ethernet-switching-options {
    secure-access-port {
        interface ge-0/0/5.0 {
            mac-limit 100 action shutdown;
        }
        interface ge-0/0/6.0 {
            mac-limit 100 action shutdown;
        }
    }
    port-error-disable {
        disable-timeout 60;
    }
    storm-control {
        inactive: interface all;
    }
}

    the rules working properly and there is only one issue and its when i shutdown(disable) the port and enable (activate) it again that port switch can not learn mac address till i deactive the firewall filter rule and enable it again, whats wrong and what should i edit it?

    Thank you.



  • 2.  RE: Juniper Ex4200 problem with assign firewall to access port
    Best Answer

    Posted 07-22-2019 02:30

    Hi,

     

    I would try to allow ARP traffic on that interface as well.

     

    set firewall family ethernet-switching filter port5 term l2 from ether-type arp
    set firewall family ethernet-switching filter port5 term l2 then accept
    set firewall family ethernet-switching filter port5 term port 5 from source-address 192.168.1.0/29
    set firewall family ethernet-switching filter port5 term port 5 from source-address 192.168.1.240/29
    set firewall family ethernet-switching filter port5 term port 5 then accept
    set firewall family ethernet-switching filter port5 term default-term then discard

     This should work.

     

    Cheers,

     



  • 3.  RE: Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 02:39

    Hello,

    Thank you it woks!



  • 4.  RE: Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 02:45

    For confirmation with these rules only that permitted ips are allowed to send/receive traffic and other spoofed ips, will drop right?





  • 5.  RE: Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 04:46

    Hi,

     

    I've not tested it, but this is what I would expect - with one small exemption:

    1) Spoofed ARP messages might be able to get through. But no data traffic should be able to do so.

     

    Dynamic ARP inspection might be a way to get around this:

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/understanding-and-using-dai.html

     

    Cheers,