
  • 1.  Firewall filters in EX4300

    This message was posted by a user wishing to remain anonymous
    Posted 06-10-2022 17:12

    Hi Experts,

    I have these filters in an EX4300 switch with the same matching conditions. The first one is to be applied on a VLAN and the second one on an irb. Can you please advise which of these filters should be preferred, or if there is any advantage/disadvantage of using one over the other?

    Thanks,

    set firewall family ethernet-switching filter VTR term t1 from ip-source-address 192.168.2.0/24
    set firewall family ethernet-switching filter VTR term t1 from ip-destination-address 192.168.2.0/24
    set firewall family ethernet-switching filter VTR term t1 then accept

    set firewall family inet filter VTR term t1 from source-address 192.168.2.0/24
    set firewall family inet filter VTR term t1 from destination-address 192.168.2.0/24
    set firewall family inet filter VTR term t1 then accept



  • 2.  RE: Firewall filters in EX4300

    Posted 06-13-2022 18:27

    I think the definition of "Firewall Filter Types" here will probably help you:

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-overview.html

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-planning.html

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-understanding.html

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

    Small section:

    Start with the following basic guidelines:

    • If all the packets entering a port need to be exposed to filtering, then use port firewall filters.
    • If all the packets that are bridged need filtering, then use VLAN firewall filters.
    • If all the packets that are routed need filtering, then use router firewall filters.

    Also worth noting:

    When you apply a filter to an IRB interface associated with a given VLAN, the filter is executed on any Layer 3 interface with a matching VLAN ID. This is because the filter matches on all Layer 3 interfaces with the corresponding VLAN tag.

    There is a path for the checks:

    port firewall filter -> VLAN firewall filter -> router firewall filter.

    If these are the only rules, and your irb from example 2 is associated with the vlan from example 1, it does not matter which one you use.

    Example configuration can be found here: https://supportportal.juniper.net/s/article/EX-Understanding-VLAN-IRB-firewall-filter-behavior-on-EX4300?language=en_US



    ------------------------------
    Michael Behrns
    ------------------------------
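A configuration that puts both filter types from the thread in place, as an added example that is not from the original posts or from Juniper's article: the VLAN name USERS, VLAN ID 200, irb.200 address and the distinct filter names VTR-L2 and VTR-L3 are assumed for illustration, while the 192.168.2.0/24 prefix comes from the question. Junos evaluates an implicit discard after the last term of a filter, so the example makes that discard explicit with a counter, which gives something to check after commit; the lines starting with ## are annotations for the reader, not set commands.

```junos
## Layer 2 (VLAN) filter. family ethernet-switching matches on
## ip-source-address / ip-destination-address.
set firewall family ethernet-switching filter VTR-L2 term t1 from ip-source-address 192.168.2.0/24
set firewall family ethernet-switching filter VTR-L2 term t1 from ip-destination-address 192.168.2.0/24
set firewall family ethernet-switching filter VTR-L2 term t1 then accept
## Implicit discard made explicit and counted (assumed counter name).
set firewall family ethernet-switching filter VTR-L2 term deny-rest then count VTR-L2-denied
set firewall family ethernet-switching filter VTR-L2 term deny-rest then discard

## Layer 3 (router) filter. family inet matches on
## source-address / destination-address.
set firewall family inet filter VTR-L3 term t1 from source-address 192.168.2.0/24
set firewall family inet filter VTR-L3 term t1 from destination-address 192.168.2.0/24
set firewall family inet filter VTR-L3 term t1 then accept
set firewall family inet filter VTR-L3 term deny-rest then count VTR-L3-denied
set firewall family inet filter VTR-L3 term deny-rest then discard

## VLAN filter: applied to bridged traffic in the VLAN (ELS syntax on EX4300).
## VLAN name, ID and IRB unit are assumed values.
set vlans USERS vlan-id 200
set vlans USERS l3-interface irb.200
set vlans USERS forwarding-options filter input VTR-L2

## Router filter: applied to routed traffic entering the IRB of that VLAN.
set interfaces irb unit 200 family inet address 192.168.2.1/24
set interfaces irb unit 200 family inet filter input VTR-L3

## After commit, in operational mode, the deny counters show which
## evaluation stage (VLAN or router) is dropping traffic:
##   show firewall filter VTR-L2
##   show firewall filter VTR-L3
```

With both filters in place, bridged traffic inside the VLAN is checked by VTR-L2 first and routed traffic then hits VTR-L3, which is the port -> VLAN -> router order the reply describes.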