Switching

Expand all | Collapse all

Juniper Ex4200 problem with assign firewall to access port

Jump to Best Answer
  • 1.  Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 00:13

    Hello,

    This is my firewall filter rules :

    family ethernet-switching {
        filter port5 {
            term port5 {
                from {
                    source-address {
                        192.168.1.0/29;
                        192.168.1.240/29;
                    }
                }
                then accept;
            }
            term default-term {
                then discard;
            }
        }
    }
    

    and this is my port configurations :

    description "PORT-Description";
    unit 0 {
        family ethernet-switching {
            vlan {
                members vlan3712;
            }
            filter {
                input port5;
            }
        }
    }
    
    and this is my ethernet switching options :
    ethernet-switching-options {
        secure-access-port {
            interface ge-0/0/5.0 {
                mac-limit 100 action shutdown;
            }
            interface ge-0/0/6.0 {
                mac-limit 100 action shutdown;
            }
        }
        port-error-disable {
            disable-timeout 60;
        }
        storm-control {
            inactive: interface all;
        }
    }
    

    the rules working properly and there is only one issue and its when i shutdown(disable) the port and enable (activate) it again that port switch can not learn mac address till i deactive the firewall filter rule and enable it again, whats wrong and what should i edit it?

    Thank you.



  • 2.  RE: Juniper Ex4200 problem with assign firewall to access port
    Best Answer

    Posted 07-22-2019 02:30

    Hi,

     

    I would try to allow ARP traffic on that interface as well.

     

    set firewall family ethernet-switching filter port5 term l2 from ether-type arp
    set firewall family ethernet-switching filter port5 term l2 then accept
    set firewall family ethernet-switching filter port5 term port 5 from source-address 192.168.1.0/29
    set firewall family ethernet-switching filter port5 term port 5 from source-address 192.168.1.240/29
    set firewall family ethernet-switching filter port5 term port 5 then accept
    set firewall family ethernet-switching filter port5 term default-term then discard

     This should work.

     

    Cheers,

     



  • 3.  RE: Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 02:39

    Hello,

    Thank you it woks!



  • 4.  RE: Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 02:45

    For confirmation with these rules only that permitted ips are allowed to send/receive traffic and other spoofed ips, will drop right?





  • 5.  RE: Juniper Ex4200 problem with assign firewall to access port

    Posted 07-22-2019 04:46

    Hi,

     

    I've not tested it, but this is what I would expect - with one small exemption:

    1) Spoofed ARP messages might be able to get through. But no data traffic should be able to do so.

     

    Dynamic ARP inspection might be a way to get around this:

    https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/understanding-and-using-dai.html

     

    Cheers,