Switching


  • 1.  Intrazone Security Policy and VLANs

    This message was posted by a user wishing to remain anonymous
    Posted 01-17-2022 05:40

    Hi everyone,

    I have an SRX1500, an EX4300 and several EX3400s. The SRX is used as the firewall and router. The EX4300 is being used to aggregate all the EX3400 access switches. The purpose of the network is to connect a range of different customers to the internet and cloud resources. Currently, each customer has their own VLAN with the irb interface terminated on the SRX within its own dedicated Security Zone. There is a requirement that some customers can access some of their own local services within their own VLAN while also restricting unnecessary host-to-host communication.

    My question is about Intrazone Policy behavior within these VLANs. My understanding is that if Host A (client) tries to communicate with Host B (server) within the same VLAN, they would be able to communicate regardless of the Intrazone Policy? My assumption is that because the above-mentioned traffic is switched at L2, it would not be enforced by the intrazone security policy, as unicast traffic would never reach the L3 irb interface on the SRX?

    Would the use of Private VLANs in this scenario be a good solution?

    I unfortunately can't lab up this specific scenario or test it in the office due to COVID restrictions, so I'm just hoping to understand the theory behind it.


    Thanks,
    Alex



  • 2.  RE: Intrazone Security Policy and VLANs

    Posted 01-17-2022 05:45
    Yes, private VLANs would be a solution if you want all devices to have only access to the gateway and in/out-of-subnet traffic.

    If you need more control than that, as in some devices needing to talk locally, then you would need to deploy firewall filters per port group on the switch. An example of required local traffic might be printers.

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Intrazone Security Policy and VLANs

    Posted 01-17-2022 19:52
    You can also use vacl to solve this.


  • 4.  RE: Intrazone Security Policy and VLANs

    This message was posted by a user wishing to remain anonymous
    Posted 01-18-2022 06:58

    @spuluka Thanks for the feedback!

    @tgreaser Thanks for your comment. Do you know what the VACL terminology equivalent in Junos is? L2 firewall filter per port?
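The premise in the original question holds: frames switched between two hosts in the same VLAN never reach the irb on the SRX, so the intrazone policy never sees them and any restriction has to be enforced on the EX switches. As an added illustration that is not from any poster in this thread, the following Junos configuration shows a family ethernet-switching firewall filter that does what the replies describe, applied either per access port (the "per port group" approach) or to the whole VLAN (the ELS-switch counterpart of a VACL). Every name and address in it is assumed: VLAN CUST-A, subnet 10.10.10.0/24, SRX irb gateway 10.10.10.1, printer 10.10.10.20, access ports ge-0/0/1 and ge-0/0/2.

```junos
# Added illustration, not from the thread: limit host-to-host traffic inside one customer
# VLAN on an ELS EX switch (EX4300/EX3400) while keeping the SRX gateway and a shared printer reachable.
# Constructed values: VLAN CUST-A, subnet 10.10.10.0/24, SRX irb 10.10.10.1,
# printer 10.10.10.20, access ports ge-0/0/1 and ge-0/0/2.
# A Junos filter discards anything no term accepts, so the final term is an explicit accept.
set firewall family ethernet-switching filter CUST-A-INTRA term to-gateway from ip-destination-address 10.10.10.1/32
set firewall family ethernet-switching filter CUST-A-INTRA term to-gateway then accept
# Frames the SRX itself sources into the VLAN (DHCP offers, ICMP) must pass too. This term
# matters when the filter sits on the VLAN, because frames arriving on the trunk from the SRX
# are then evaluated as well.
set firewall family ethernet-switching filter CUST-A-INTRA term from-gateway from ip-source-address 10.10.10.1/32
set firewall family ethernet-switching filter CUST-A-INTRA term from-gateway then accept
# Shared local service: clients print to the printer on TCP 9100, and its replies come back.
set firewall family ethernet-switching filter CUST-A-INTRA term to-printer from ip-destination-address 10.10.10.20/32
set firewall family ethernet-switching filter CUST-A-INTRA term to-printer from ip-protocol tcp
set firewall family ethernet-switching filter CUST-A-INTRA term to-printer from destination-port 9100
set firewall family ethernet-switching filter CUST-A-INTRA term to-printer then accept
set firewall family ethernet-switching filter CUST-A-INTRA term from-printer from ip-source-address 10.10.10.20/32
set firewall family ethernet-switching filter CUST-A-INTRA term from-printer from ip-protocol tcp
set firewall family ethernet-switching filter CUST-A-INTRA term from-printer from source-port 9100
set firewall family ethernet-switching filter CUST-A-INTRA term from-printer then accept
# Anything else that both comes from and goes to the customer subnet is host-to-host traffic:
# count it (the counter is a cheap way to spot a host probing its neighbours) and drop it.
# Matching on both addresses leaves routed return traffic from the SRX (source outside the subnet) alone.
set firewall family ethernet-switching filter CUST-A-INTRA term block-local from ip-source-address 10.10.10.0/24
set firewall family ethernet-switching filter CUST-A-INTRA term block-local from ip-destination-address 10.10.10.0/24
set firewall family ethernet-switching filter CUST-A-INTRA term block-local then count cust-a-local-drops
set firewall family ethernet-switching filter CUST-A-INTRA term block-local then discard
# ARP, DHCP discover (0.0.0.0 -> 255.255.255.255) and traffic leaving the subnet fall through here.
set firewall family ethernet-switching filter CUST-A-INTRA term allow-rest then accept
# Apply it in one of two ways. Per access port (the "per port group" approach from the replies):
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input CUST-A-INTRA
set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input CUST-A-INTRA
# Or on the VLAN itself, the ELS equivalent of a VACL (this also evaluates frames from the SRX trunk):
set vlans CUST-A forwarding-options filter input CUST-A-INTRA
```

`show firewall filter CUST-A-INTRA` displays the `cust-a-local-drops` counter, so a sudden rise in it is an indication that a host in that VLAN is trying to reach its neighbours.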