Switching





Client Isolation | Firewall Filter

  • 1.  Client Isolation | Firewall Filter

    Posted 11-01-2021 05:45
    Hi all, 

    Does anyone know if sub-VLAN isolation (i.e., port isolation in the same VLAN) can be done with firewall filters using family ethernet-switching?

    I tried the following, and yeah, nothing can talk to anything, including the default GW / DHCP.

    Any ideas?

    family ethernet-switching {
        filter Data-Isolation {
            term A {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        2a:30:44:1f:bd:59/48;
                    }
                }
                then accept;
            }
            term B {
                from {
                    source-mac-address {
                        2a:30:44:1f:bd:59/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                }
                then accept;
            }                               
            term C {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    source-port [ 67 68 ];
                    destination-port [ 67 68 ];
                }
                then accept;
            }
            term D {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                }
                then discard;               
            }
            term E {
                then accept;
            }
        }
    }


  • 2.  RE: Client Isolation | Firewall Filter

    Posted 11-01-2021 15:09
    Terms A, B
    I'm guessing 2a:30:44:1f:bd:59/48 is your GW? Anyway, you're making everything an exact match /48.

    So in A, B put in your GW and your test station MAC address, and test from there.

    term A {
        from {
            source-mac-address {
                /* made up client mac address */
                00:00:4C:aa:b0:c0/48;
            }
            destination-mac-address {
                /* Cradlepoint */
                2a:30:44:1f:bd:59/48;
            }
        }
        then accept;
    }
    term B {
        from {
            source-mac-address {
                2a:30:44:1f:bd:59/48;
            }
            destination-mac-address {
                00:00:4C:aa:b0:c0/48;
            }
        }
        then accept;
    }

    You may be wanting to match 00:00:00:00:00:00/0.

    Add some counters in your terms to help track frames / packets.
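Putting the reply's points together (match the gateway MAC exactly, let a final term with no from clause catch everything else instead of a zero-MAC /48 match, and count per term), here is an added example in set format; it is not configuration from the thread. It assumes ge-0/0/1 as a client access port, the counter names, and that your platform supports the ether-type arp match in family ethernet-switching; the gateway MAC is the one from the original post.

```junos
# Added example, not configuration from the thread. GW MAC 2a:30:44:1f:bd:59 is
# from the original post; ge-0/0/1, the counter names and the ether-type match
# are assumptions. Applied inbound on each client access port in the VLAN.
# Unicast to the gateway is allowed; a counter on every term shows what it sees.
set firewall family ethernet-switching filter Data-Isolation term to-gw from destination-mac-address 2a:30:44:1f:bd:59/48
set firewall family ethernet-switching filter Data-Isolation term to-gw then accept
set firewall family ethernet-switching filter Data-Isolation term to-gw then count to-gw
# Clients still need to ARP for the gateway and broadcast DHCP discover/request.
set firewall family ethernet-switching filter Data-Isolation term arp from ether-type arp
set firewall family ethernet-switching filter Data-Isolation term arp then accept
set firewall family ethernet-switching filter Data-Isolation term arp then count arp
set firewall family ethernet-switching filter Data-Isolation term dhcp from destination-port 67
set firewall family ethernet-switching filter Data-Isolation term dhcp from destination-port 68
set firewall family ethernet-switching filter Data-Isolation term dhcp then accept
set firewall family ethernet-switching filter Data-Isolation term dhcp then count dhcp
# No from clause, so this term matches everything that is left: client-to-client.
set firewall family ethernet-switching filter Data-Isolation term isolate then discard
set firewall family ethernet-switching filter Data-Isolation term isolate then count isolated
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input Data-Isolation
```

`show firewall filter Data-Isolation` displays the per-term counters. Broadcast ARP from one client still reaches the others and only the unicast reply is dropped, so this isolates client-to-client IP traffic rather than hiding hosts from each other.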