Junos OS


  • 1.  VLAN Filtering/Restrictions EX4200

    Posted 12-16-2014 07:27


    I am looking at creating a VLAN with access restrictions to other VLANs on our network, but to be controlled via Layer 3 EX 4200 switches.


    I would like the VLAN to have some access to basic services such as DNS and DHCP located on a separate VLAN.



    restricted-vlan 10
    corporate-vlan 20


    Restricted-vlan 10 should be able to access vlan 20 for DNS & DHCP but no other traffic.
    However, vlan 20 should not be able to initiate a connection with vlan 10.


    Is this sort of configuration possible?

    If so, how would I go about implementing this? Would PVLAN be what I need?


    Thank you



  • 2.  RE: VLAN Filtering/Restrictions EX4200
    Best Answer

    Posted 12-16-2014 08:33

    Is the EX4200 performing routing between the VLANs or is there a separate router/firewall upstream?  I would say that PVLAN is not the way to go here.  If the EX4200 is performing routing, you can create routed firewall filters and apply them to the layer 3 VLAN interfaces.  If there's an upstream device performing the routing, you can do the same on that device or you can create VLAN-based filters and apply them to one or both VLANs at the layer 2 level.


    Firewall Filter Overview for EX Series:



    Understanding Firewall Filter Processing Points in EX Series:



    I personally would want a firewall upstream doing this filtering rather than relying on the stateless filtering of an EX switch, but if that's not possible, you gotta work with what you have.
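
An added example, not part of the thread or any poster's own configuration: one way to write the routed firewall filters described in the answer above, in Junos set-command form. The subnets, the server address, the Layer 3 interface units (vlan.10, vlan.20), the DHCP relay on the switch, and all filter, term and counter names are assumptions made for illustration.

```junos
# Constructed values (assumptions, not from the thread):
#   restricted VLAN 10: 198.51.100.0/24, routed on vlan.10
#   corporate  VLAN 20: 192.0.2.0/24,    routed on vlan.20
#   DNS/DHCP server:    192.0.2.53, reached for DHCP through a relay on the switch

# Traffic arriving from the restricted VLAN: DHCP and DNS only.
set firewall family inet filter RESTRICTED-IN term dhcp from protocol udp
set firewall family inet filter RESTRICTED-IN term dhcp from source-port 68
set firewall family inet filter RESTRICTED-IN term dhcp from destination-port 67
set firewall family inet filter RESTRICTED-IN term dhcp then accept
set firewall family inet filter RESTRICTED-IN term dns from destination-address 192.0.2.53/32
set firewall family inet filter RESTRICTED-IN term dns from protocol [ udp tcp ]
set firewall family inet filter RESTRICTED-IN term dns from destination-port 53
set firewall family inet filter RESTRICTED-IN term dns then accept
# Explicit final discard with a counter; any other permitted destination
# needs its own term above this one.
set firewall family inet filter RESTRICTED-IN term deny-rest then count restricted-denied
set firewall family inet filter RESTRICTED-IN term deny-rest then discard

# Traffic arriving from the corporate VLAN: only server replies may reach VLAN 10.
# The filter is stateless, so the UDP term matches on source port alone and
# cannot confirm that a request came first.
set firewall family inet filter CORPORATE-IN term reply-udp from source-address 192.0.2.53/32
set firewall family inet filter CORPORATE-IN term reply-udp from destination-address 198.51.100.0/24
set firewall family inet filter CORPORATE-IN term reply-udp from protocol udp
set firewall family inet filter CORPORATE-IN term reply-udp from source-port [ 53 67 ]
set firewall family inet filter CORPORATE-IN term reply-udp then accept
set firewall family inet filter CORPORATE-IN term reply-tcp from source-address 192.0.2.53/32
set firewall family inet filter CORPORATE-IN term reply-tcp from destination-address 198.51.100.0/24
set firewall family inet filter CORPORATE-IN term reply-tcp from protocol tcp
set firewall family inet filter CORPORATE-IN term reply-tcp from source-port 53
set firewall family inet filter CORPORATE-IN term reply-tcp from tcp-established
set firewall family inet filter CORPORATE-IN term reply-tcp then accept
set firewall family inet filter CORPORATE-IN term to-restricted from destination-address 198.51.100.0/24
set firewall family inet filter CORPORATE-IN term to-restricted then count corporate-to-restricted
set firewall family inet filter CORPORATE-IN term to-restricted then discard
# Corporate traffic to every other destination is left untouched.
set firewall family inet filter CORPORATE-IN term other then accept

# Apply both filters as input filters on the Layer 3 VLAN interfaces.
set interfaces vlan unit 10 family inet filter input RESTRICTED-IN
set interfaces vlan unit 20 family inet filter input CORPORATE-IN
```

Run `commit check` before committing, since the match conditions an EX4200 accepts depend on the Junos release and the filter direction. The two counters show whether anything is hitting the discard terms once the filters are live.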

  • 3.  RE: VLAN Filtering/Restrictions EX4200

    Posted 12-19-2014 04:59

    Thank you for your reply, this certainly looks like the correct place to start.