Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Cisco ACL to Junos firewall filter

    Posted 11-03-2022 11:09
    Edited by Jodi Meier 11-03-2022 14:40
    We are in the process of moving from Cisco to Juniper and need some help with ACLs. We have a Public WiFi network (192.168.66.0/23) that is on a separate VLAN and we do not want it to be able to communicate with/access any of our other VLANs. What is the best way to set up a firewall filter, or is there a better way to accomplish this? Thanks!

    ------------------------------
    WILL
    ------------------------------


  • 2.  RE: Cisco ACL to Junos firewall filter

    Posted 11-06-2022 07:06
    What switches or routers are you planning to use? Most switches support virtual routers (not the EX2300, and the EX3400 needs EFL or Advanced License (flex)), so you could put the public WiFi in a VR of its own. If you don't want to use a VR, you can apply an input filter on the IRB unit that is the L3 interface of that VLAN, as you mentioned.

    set policy-options prefix-list RFC1918 10.0.0.0/8
    set policy-options prefix-list RFC1918 172.16.0.0/12
    set policy-options prefix-list RFC1918 192.168.0.0/16

    set policy-options prefix-list LocalPublicSubnets 5.6.7.0/24
    set policy-options prefix-list LocalPublicSubnets 6.7.8.0/24

    set firewall family inet filter BlockGuestToAll term RFC1918 from destination-prefix-list RFC1918
    set firewall family inet filter BlockGuestToAll term RFC1918 then count GuestToRFC1918
    set firewall family inet filter BlockGuestToAll term RFC1918 then reject
    set firewall family inet filter BlockGuestToAll term BlockLocalPublic from destination-prefix-list LocalPublicSubnets
    set firewall family inet filter BlockGuestToAll term BlockLocalPublic then count GuestToLocalPublicIP
    set firewall family inet filter BlockGuestToAll term BlockLocalPublic then reject
    set firewall family inet filter BlockGuestToAll term AllowInternetAccess then accept

    set interfaces irb unit 11 family inet filter input BlockGuestToAll

    or

    set routing-instances GuestWiFi instance-type virtual-router
    set routing-instances GuestWiFi interface irb.123 (WiFi subnet)
    set routing-instances GuestWiFi interface irb.124 (Link net to firewall for public WiFi)
    set routing-instances GuestWiFi routing-options static route 0.0.0.0/0 next-hop [IP of firewall interface]

    There are more ways of doing it, like Filter Based Forwarding, but it all depends on the rest of the setup.


  • 3.  RE: Cisco ACL to Junos firewall filter

    Posted 11-07-2022 08:42
    Thank you for the reply. I probably didn't provide enough information in my initial question. We will be using EX3400 switches and the gateway for the WiFi network is on the firewall as well as DHCP will be coming from the firewall. All of our other networks use another port on the firewall to get to the internet. So maybe all I need is a firewall filter on the port on the EX3400 that plugs into the firewall for all our other networks?


  • 4.  RE: Cisco ACL to Junos firewall filter

    Posted 11-07-2022 10:49
    If your gateway is on the SRX and the VLAN is only layer 2 on the switch, you can handle this with standard firewall policies.

    • Create a GuestWiFi zone
    • Add the gateway interface to the zone
    • Create a policy from that zone to the internet with an interface NAT policy
    • By default all other traffic is denied; other policies are not necessary


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------
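Added example (not posted by anyone in this thread) showing the SRX-side configuration that the four steps in reply 4 describe, with an explicit logged deny toward the internal zone so blocked guest attempts show up in the logs. Assumptions: ge-0/0/5.0 is the SRX interface facing the guest VLAN, ge-0/0/0.0 is in zone untrust toward the Internet, the internal networks sit in zone trust, and the zone/policy/address names are invented for this example.

```junos
# --- Step 1/2: guest zone with the gateway interface in it.
# DHCP and ping are allowed to the SRX itself because the thread says the
# firewall is the gateway and the DHCP server for the guest VLAN.
set security zones security-zone GuestWiFi interfaces ge-0/0/5.0
set security zones security-zone GuestWiFi interfaces ge-0/0/5.0 host-inbound-traffic system-services dhcp
set security zones security-zone GuestWiFi interfaces ge-0/0/5.0 host-inbound-traffic system-services ping

# Address-book entry for the guest subnet from the original question.
set security address-book global address GuestWiFi-Net 192.168.66.0/23

# --- Step 3: guest -> Internet policy, logged at session close for accounting.
set security policies from-zone GuestWiFi to-zone untrust policy Guest-to-Internet match source-address GuestWiFi-Net
set security policies from-zone GuestWiFi to-zone untrust policy Guest-to-Internet match destination-address any
set security policies from-zone GuestWiFi to-zone untrust policy Guest-to-Internet match application any
set security policies from-zone GuestWiFi to-zone untrust policy Guest-to-Internet then permit
set security policies from-zone GuestWiFi to-zone untrust policy Guest-to-Internet then log session-close

# Interface-based source NAT for guest traffic leaving toward untrust.
set security nat source rule-set Guest-Out from zone GuestWiFi
set security nat source rule-set Guest-Out to zone untrust
set security nat source rule-set Guest-Out rule Guest-Out-Rule match source-address 192.168.66.0/23
set security nat source rule-set Guest-Out rule Guest-Out-Rule then source-nat interface

# --- Step 4: everything else is denied by the default policy. Keeping it
# explicit, and adding a logged deny from GuestWiFi to trust, makes guest
# attempts to reach internal VLANs visible in the security log instead of
# disappearing silently into the implicit deny.
set security policies default-policy deny-all
set security policies from-zone GuestWiFi to-zone trust policy Guest-Deny-Internal match source-address any
set security policies from-zone GuestWiFi to-zone trust policy Guest-Deny-Internal match destination-address any
set security policies from-zone GuestWiFi to-zone trust policy Guest-Deny-Internal match application any
set security policies from-zone GuestWiFi to-zone trust policy Guest-Deny-Internal then deny
set security policies from-zone GuestWiFi to-zone trust policy Guest-Deny-Internal then log session-init
```

After committing, `show security policies from-zone GuestWiFi to-zone trust` and `show security flow session source-prefix 192.168.66.0/23` confirm that only the Internet policy ever builds sessions for guest hosts; note that the trust-side interfaces must already be members of zone trust for the deny policy to match.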