Security


  • 1.  Client Isolation | Firewall Filter

    Posted 11-01-2021 05:45
    Hi all, 

    Does anyone know if sub-VLAN isolation (i.e., port isolation within the same VLAN) can be done with firewall filters using family ethernet-switching?

    I tried the following, and yeah, nothing can talk to anything, including the default GW / DHCP.

    Any ideas?

    family ethernet-switching {
        /* Filter as tried: intended to let clients reach one permitted MAC
           (and DHCP) while blocking client-to-client traffic in the VLAN */
        filter Data-Isolation {
            /* term A: any source (00:00:00:00:00:00 used as the "any" address)
               to the permitted MAC 2a:30:44:1f:bd:59 */
            term A {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        2a:30:44:1f:bd:59/48;
                    }
                }
                then accept;
            }
            /* term B: the reverse direction, permitted MAC to any destination */
            term B {
                from {
                    source-mac-address {
                        2a:30:44:1f:bd:59/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                }
                then accept;
            }
            /* term C: DHCP client/server ports (67/68) between any MACs */
            term C {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    source-port [ 67 68 ];
                    destination-port [ 67 68 ];
                }
                then accept;
            }
            /* term D: everything else between any MACs is dropped */
            term D {
                from {
                    source-mac-address {
                        00:00:00:00:00:00/48;
                    }
                    destination-mac-address {
                        00:00:00:00:00:00/48;
                    }
                }
                then discard;
            }
            /* term E: catch-all accept for whatever did not match above */
            term E {
                then accept;
            }
        }
    }


  • 2.  RE: Client Isolation | Firewall Filter

     
    Posted 11-02-2021 05:40
    Have you seen the private VLAN feature that can be implemented on the switch for client isolation?

    https://www.juniper.net/documentation/en_US/release-independent/nce/topics/concept/pvlans-solution-segragating-customer-traffic.html

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
    http://puluka.com/home
    ------------------------------
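The private-VLAN approach suggested in the reply above, as an added illustrative configuration that is not from this thread or from Juniper's documentation. It assumes a single non-ELS EX Series switch, a VLAN named Data with ID 100, hypothetical client access ports ge-0/0/0 and ge-0/0/1, and a hypothetical uplink trunk ge-0/0/47 toward the default gateway and DHCP server; ELS-based platforms use different private-VLAN statements, so check the linked document for the syntax of your platform and release.

```junos
/* Added example, not from the thread. Assumed: non-ELS EX switch, VLAN 100
   named Data, client ports ge-0/0/0 and ge-0/0/1, uplink trunk ge-0/0/47. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Data;
                }
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                port-mode access;
                vlan {
                    members Data;
                }
            }
        }
    }
    ge-0/0/47 {
        unit 0 {
            family ethernet-switching {
                /* trunk carrying the primary VLAN: the promiscuous port that the
                   gateway and DHCP server are reached through */
                port-mode trunk;
                vlan {
                    members Data;
                }
            }
        }
    }
}
vlans {
    Data {
        vlan-id 100;
        /* no-local-switching makes the access ports above isolated ports:
           they can reach the trunk port but not each other */
        no-local-switching;
    }
}
```

After committing, the check a practitioner would run is the one the original question was chasing: two hosts on the isolated ports should fail to reach each other, while both still obtain a DHCP lease and reach the gateway through the trunk. Unlike the filter in the first post, this does not depend on putting the gateway's MAC address into filter terms, and `show vlans` confirms which interfaces belong to the VLAN.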