I am looking at creating a VLAN with access restrictions to other VLANs on our network, to be controlled via Layer 3 EX4200 switches.
I would like the VLAN to have some access to basic services such as DNS and DHCP located on a separate VLAN.
restricted-vlan 10
corporate-vlan 20

Restricted-vlan 10 should be able to access VLAN 20 for DNS & DHCP but no other traffic. However, VLAN 20 should not be able to initiate a connection with VLAN 10.
Is this sort of configuration possible?
If so, how would I go about implementing this? Would PVLAN be what I need?
Is the EX4200 performing routing between the VLANs or is there a separate router/firewall upstream? I would say that PVLAN is not the way to go here. If the EX4200 is performing routing, you can create routed firewall filters and apply them to the layer 3 VLAN interfaces. If there's an upstream device performing the routing, you can do the same on that device or you can create VLAN-based filters and apply them to one or both VLANs at the layer 2 level.
Firewall Filter Overview for EX Series:
Understanding Firewall Filter Processing Points in EX Series:
I personally would want a firewall upstream doing this filtering rather than relying on the stateless filtering of an EX switch, but if that's not possible, you gotta work with what you have.
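To make the "routed firewall filter on the layer 3 VLAN interfaces" suggestion concrete, here is an added example of what that looks like on an EX4200 doing the inter-VLAN routing. This is not configuration from the original thread; the subnets (198.51.100.0/24 for VLAN 10, 192.0.2.0/24 for VLAN 20), the DNS/DHCP server address 192.0.2.53, the filter and term names, and the RVI unit numbers are all assumptions. Because the switch filters statelessly, return traffic for DNS has to be allowed explicitly on the VLAN 20 side, which is where `tcp-established` and the source-port 53 match come in.

```junos
/* Added example, not the poster's config. Addresses and names are assumptions. */
interfaces {
    vlan {
        unit 10 {
            family inet {
                address 198.51.100.1/24;
                filter input FROM-RESTRICTED;   /* traffic sourced by VLAN 10 hosts */
            }
        }
        unit 20 {
            family inet {
                address 192.0.2.1/24;
                filter input FROM-CORPORATE;    /* traffic sourced by VLAN 20 hosts */
            }
        }
    }
}
forwarding-options {
    helpers {
        bootp {
            /* DHCP relay: client broadcasts in VLAN 10 must be forwarded to the server in VLAN 20 */
            server 192.0.2.53;
            interface vlan.10;
        }
    }
}
firewall {
    family inet {
        filter FROM-RESTRICTED {
            term allow-dns {
                from {
                    destination-address 192.0.2.53/32;
                    protocol [ udp tcp ];
                    destination-port 53;
                }
                then accept;
            }
            term allow-dhcp {
                from {
                    protocol udp;
                    source-port 68;
                    destination-port 67;
                }
                then accept;
            }
            term block-corporate {
                from {
                    destination-address 192.0.2.0/24;
                }
                then {
                    discard;
                    count restricted-to-corporate-dropped;   /* visibility into denied attempts */
                }
            }
            term allow-rest {
                then accept;                   /* e.g. default route toward upstream */
            }
        }
        filter FROM-CORPORATE {
            term allow-dns-replies-udp {
                from {
                    source-address 192.0.2.53/32;
                    destination-address 198.51.100.0/24;
                    protocol udp;
                    source-port 53;
                }
                then accept;
            }
            term allow-dns-replies-tcp {
                from {
                    source-address 192.0.2.53/32;
                    destination-address 198.51.100.0/24;
                    protocol tcp;
                    source-port 53;
                    tcp-established;           /* ACK or RST set: not a SYN from VLAN 20 */
                }
                then accept;
            }
            term allow-dhcp-replies {
                from {
                    source-address 192.0.2.53/32;
                    protocol udp;
                    source-port 67;
                }
                then accept;
            }
            term block-restricted {
                from {
                    destination-address 198.51.100.0/24;
                }
                then {
                    discard;
                    count corporate-to-restricted-dropped;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
```

After committing, `show firewall` will show the two counters incrementing, which is a quick way to confirm the filters are hit as expected. The limitation the previous reply alludes to is visible here: `tcp-established` only checks flag bits and the UDP term only checks the source port, so anything on VLAN 20 that sends packets with source port 53 toward VLAN 10 would pass; a stateful firewall upstream would track actual sessions instead.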
Thank you for your reply, this certainly looks like the correct place to start.