
  • 1.  Problem filtering traffic between VLANs on EX4200

    Posted 02-17-2022 09:38

    Hello everyone,

    We have a stack of 4 x EX4200-48T (12.3R2.5) switches and we're trying to configure filters between VLANs/IPs.

    The task is pretty simple:

    To block access to 192.168.77.0/24 (VLAN 77) for anyone except 192.168.11.101/32 (VLAN 11) and 192.168.13.112/32 (VLAN 13).

    All three VLANs have an L3 interface on the stack.

    After a little bit of struggling with applying it in the right direction, we have managed to do it, but the problem now is that it filters the traffic in both directions…

    Here is the config of the filter:

    firewall {
        family inet {
            filter VoiceFilter-egress {
                term allowTraffic {
                    from {
                        source-address {
                            192.168.11.101/32;
                            192.168.13.112/32;
                        }
                    }
                    then accept;
                }
            }
        }
    }

    It's applied with the following command:

    set interfaces vlan.77 family inet filter output VoiceFilter-egress


    Therefore, the result of this config is that I can successfully access hosts in VLAN 77 (192.168.77.0/24) only from 192.168.11.101/32 and 192.168.13.112/32, but unfortunately, the communication from VLAN 77 (192.168.77.0/24) is limited only to those hosts. The goal is to have no restrictions for traffic exiting VLAN 77.

    There are no other applied filters on VLAN 77 or VLAN 11 and VLAN 13.

    Is it normal behavior for the filter to restrict traffic in both directions?

    I appreciate your help!

    Regards,

    Georgi



    ------------------------------
    Georgi Mihalev
    ------------------------------


  • 2.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 02-25-2022 12:25
    There is an implicit deny at the end of a firewall filter (for no matches).

    I believe since the traffic still has to egress from the vlan interface it's being dropped as it leaves. So I would add your vlan77 subnet as an accepted subnet, either in the existing condition or in a separate condition.

    ------------------------------
    Allyn Crowe
    ------------------------------



  • 3.  RE: Problem filtering traffic between VLANs on EX4200

    Posted 03-04-2022 05:35
    Hi Allyn,

    Thank you for your response!

    I know that there is an implicit deny at the end, but the filter was created to filter traffic in the direction to VLAN 77. I have a problem with the direction from VLAN 77 when using this filter. I have no other filters applied to this VLAN...

    As far as I know, I should use egress when applying the filter, because of this principle:

                                                   filter
    source -------> { | incoming traffic from any VLAN - ingress | | outgoing traffic to VLAN 77 - egress | } -------> destination

    How do you propose to add VLAN 77 (192.168.77.0/24) to the existing condition (as a source or destination), given that it is applied on egress of VLAN 77... maybe:

    firewall {
        family inet {
            filter VoiceFilter-egress {
                term allowTraffic {
                    from {
                        source-address {
                            192.168.11.101/32;
                            192.168.13.112/32;
                        }
                    }
                    then accept;
                }
                term allowVLAN77 {
                    from {
                        source-address {
                            192.168.77.0/24;
                        }
                    }
                    then accept;
                }
            }
        }
    }


    Regards,
    Georgi

    ------------------------------
    Georgi Mihalev
    ------------------------------
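To make the term-by-term logic concrete, here is an added Python model (not from the thread and not Junos code) that evaluates the original VoiceFilter-egress filter and the version with the allowVLAN77 term proposed in post 3 against a few constructed flows. It models only the filter's own semantics (first matching term wins, implicit discard at the end) and also supports destination-address matching, which the thread's filter does not use; the host addresses in the sample flows are made up, and whether the switch actually runs the vlan.77 output filter against packets sourced in VLAN 77 is the open question in the thread, which this model does not settle.

```python
from ipaddress import ip_address, ip_network

# Junos firewall filter semantics in miniature: terms are evaluated in order,
# the first term whose from-conditions all match decides the action, and a
# packet matching no term hits the implicit discard at the end of the filter.

def make_term(name, action, source_addresses=(), destination_addresses=()):
    """A filter term; an empty match list means that field matches anything."""
    return {
        "name": name,
        "action": action,
        "source-address": [ip_network(n) for n in source_addresses],
        "destination-address": [ip_network(n) for n in destination_addresses],
    }

def term_matches(term, src, dst):
    """Every configured from-condition must match; an unset one always matches."""
    src_ok = not term["source-address"] or any(src in n for n in term["source-address"])
    dst_ok = not term["destination-address"] or any(dst in n for n in term["destination-address"])
    return src_ok and dst_ok

def evaluate(filter_terms, src, dst):
    """Return (action, term name); the implicit discard is reported as term 'implicit'."""
    src, dst = ip_address(src), ip_address(dst)
    for term in filter_terms:
        if term_matches(term, src, dst):
            return term["action"], term["name"]
    return "discard", "implicit"

# The filter from the original post: one accept term, then the implicit discard.
ORIGINAL = [make_term("allowTraffic", "accept", ["192.168.11.101/32", "192.168.13.112/32"])]

# The change proposed in post 3: a second term accepting the VLAN 77 subnet as source.
PROPOSED = ORIGINAL + [make_term("allowVLAN77", "accept", ["192.168.77.0/24"])]

# Constructed sample flows: the subnets are the thread's, the host addresses are made up.
SAMPLE_FLOWS = [
    ("192.168.11.101", "192.168.77.10"),  # permitted VLAN 11 host -> VLAN 77
    ("192.168.11.50", "192.168.77.10"),   # any other VLAN 11 host -> VLAN 77
    ("192.168.77.10", "192.168.11.50"),   # VLAN 77 host -> VLAN 11
]

def compare(flows=SAMPLE_FLOWS):
    """Verdict for each flow under the original and the proposed filter."""
    return {(s, d): (evaluate(ORIGINAL, s, d), evaluate(PROPOSED, s, d)) for s, d in flows}

if __name__ == "__main__":
    for (s, d), (before, after) in compare().items():
        print(f"{s} -> {d}: original {before}, proposed {after}")
```

The third flow is the one the thread is about: under the original filter any packet sourced in 192.168.77.0/24 that reaches the filter falls through to the implicit discard, and the allowVLAN77 term is what changes that verdict to accept.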