Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Client Isolation | Firewall Filter

    Posted 11-01-2021 05:45
    Hi all, 

    Does anyone know if sub-VLAN isolation (i.e., port isolation in the same VLAN) can be done with firewall filters using family ethernet-switching?

    I tried the following, and yeah, nothing can talk to anything.....including the default GW / DHCP

    Any ideas?

    family ethernet-switching {
        filter Data-Isolation {
            term A {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        2a:30:44:1f:bd:59/48;
                    }
                }
                then accept;
            }
            term B {
                from {
                    source-mac-address {
                        2a:30:44:1f:bd:59/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                }
                then accept;
            }                               
            term C {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    source-port [ 67 68 ];
                    destination-port [ 67 68 ];
                }
                then accept;
            }
            term D {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                }
                then discard;               
            }
            term E {
                then accept;
            }
        }
    }


  • 2.  RE: Client Isolation | Firewall Filter

    Posted 11-01-2021 15:09
    Terms A, B:
    I'm guessing 2a:30:44:1f:bd:59/48 is your GW? Anyway, you're making everything an exact match with /48.

    So for A, B put in your GW and your test station MAC address, and test from there.

    term A {
        from {
            source-mac-address {
                00:00:4C:aa:b0:c0/48;    # made-up client MAC address
            }
            destination-mac-address {
                2a:30:44:1f:bd:59/48;    # Cradlepoint
            }
        }
        then accept;
    }
    term B {
        from {
            source-mac-address {
                2a:30:44:1f:bd:59/48;
            }
            destination-mac-address {
                00:00:4C:aa:b0:c0/48;
            }
        }
        then accept;
    }

    You may be wanting to match 00:00:00:00:00:00/0.

    Add some counters in your terms to help track frames / packets.
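
An added illustration, not from either poster and not Juniper code: a simplified Python model of how the prefix length on a MAC match changes what a term matches, using the gateway MAC and the made-up client MAC from the thread. The second client MAC, the first-match model, and the reading of the reply's /0 suggestion are assumptions; port matching (term C) is not modelled, and the result is the model's, not output from a switch.

```python
# Added illustration: simplified first-match evaluation on MAC prefixes.
# Not Junos code; ports (term C) are not modelled.
from collections import Counter

GW = "2a:30:44:1f:bd:59"        # gateway MAC from the thread
CLIENT_A = "00:00:4c:aa:b0:c0"  # made-up client MAC from the reply
CLIENT_B = "00:00:4c:aa:b0:c1"  # constructed second client
BROADCAST = "ff:ff:ff:ff:ff:ff"
ANY = "00:00:00:00:00:00/0"     # /0 compares no bits, so it matches any MAC


def mac_matches(mac, prefix):
    """True if the first <length> bits of mac equal those of the prefix."""
    addr, length = prefix.split("/")
    shift = 48 - int(length)
    to_int = lambda m: int(m.replace(":", ""), 16)
    return (to_int(mac) >> shift) == (to_int(addr) >> shift)


# Terms A, B, D and E with the client side widened to /0
# (assumed reading of the reply's suggestion).
REVISED = [
    ("A", ANY, GW + "/48", "accept"),
    ("B", GW + "/48", ANY, "accept"),
    ("D", ANY, ANY, "discard"),
    ("E", ANY, ANY, "accept"),
]


def evaluate(terms, src, dst, counters):
    """Return the action of the first term whose src and dst both match."""
    for name, src_prefix, dst_prefix, action in terms:
        if mac_matches(src, src_prefix) and mac_matches(dst, dst_prefix):
            counters[name] += 1  # per-term counter, as the reply advises
            return action
    return "discard"             # nothing matched


def run_sample():
    """Evaluate four constructed frames and return actions and hit counts."""
    counters = Counter()
    frames = [(CLIENT_A, GW), (GW, CLIENT_A),
              (CLIENT_A, CLIENT_B), (CLIENT_A, BROADCAST)]
    actions = [evaluate(REVISED, s, d, counters) for s, d in frames]
    return actions, dict(counters)


if __name__ == "__main__":
    print(run_sample())
```

In this model the client-to-broadcast frame falls through to term D, so the MAC-only terms do not cover broadcast traffic such as a DHCP discover; term E is never reached because term D already matches everything.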