Switching

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
ethernet-switching filter

    Posted 12-07-2022 10:28

    I have a pair of EX4600 switches configured as a VC. I would like to add some firewall filters to specific ports (ae2 in this case) so that they are protected from outside (accessible only from the Trusted-Sources prefix list) but are still able to access the internet. I have been trying different options, but nothing works the way I would expect... :/
    I would appreciate any input or suggestions you may have.

    Here is my config, which does not work as expected:

    set interfaces xe-0/0/2 description "LAG 2"
    set interfaces xe-0/0/2 ether-options 802.3ad ae2

    set interfaces xe-1/0/2 description "LAG 2"
    set interfaces xe-1/0/2 ether-options 802.3ad ae2

    set interfaces ae2 description "server 2"
    set interfaces ae2 aggregated-ether-options lacp active
    set interfaces ae2 aggregated-ether-options lacp periodic fast
    set interfaces ae2 unit 0 family ethernet-switching interface-mode access
    set interfaces ae2 unit 0 family ethernet-switching vlan members servers-01
    set interfaces ae2 unit 0 family ethernet-switching filter input protect_srv

    set policy-options prefix-list Trusted-Sources 10.0.0.0/8
    set policy-options prefix-list Trusted-Sources 172.1.10.45/32
    set policy-options prefix-list Trusted-Sources 172.1.100.11/32

    set firewall family ethernet-switching filter protect_srv term ARP from ether-type arp
    set firewall family ethernet-switching filter protect_srv term ARP then accept
    set firewall family ethernet-switching filter protect_srv term rule1 from source-prefix-list Trusted-Sources
    set firewall family ethernet-switching filter protect_srv term rule1 then accept
    set firewall family ethernet-switching filter protect_srv term DEFAULT-DISCARD then discard
    set firewall family ethernet-switching filter protect_srv term DEFAULT-DISCARD then log


    ------------------------------
    JERNEJ PRAPROTNIK
    ------------------------------
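The following is an added example, not part of the original post and not Juniper documentation. A firewall filter applied with `input` on ae2 is evaluated against frames the server sends into the switch on ae2; frames that arrive on other ports and are forwarded out of ae2 toward the server never pass through it. So, as posted, the filter restricts what the server may send (and, if the server's address falls inside 10.0.0.0/8, restricts nothing at all) rather than restricting who may reach the server. One way to express the stated intent with a stateless Layer 2 filter is to apply it in the `output` direction on ae2 and add terms that approximate return traffic for connections the server itself opens. Term names, the counter name and the DNS-reply term are illustrative choices; it is assumed, and must be verified against the platform and release in use, that the EX4600 supports egress `family ethernet-switching` filters with `ip-protocol`, `tcp-flags` and `source-port` matches. The `#` lines are explanatory and should be stripped before pasting into the CLI.

```junos
# Added example (not the original poster's config). Evaluate the filter on frames
# leaving the switch toward the server (traffic from "outside"), not on frames the
# server sends. Assumes egress L2 filters with these matches are supported on the
# EX4600 release in use; verify before relying on it.
delete interfaces ae2 unit 0 family ethernet-switching filter input protect_srv
set interfaces ae2 unit 0 family ethernet-switching filter output protect_srv

# The server must still receive ARP (gateway and neighbour resolution),
# and anything sourced from the trusted prefixes is allowed through.
set firewall family ethernet-switching filter protect_srv term ARP from ether-type arp
set firewall family ethernet-switching filter protect_srv term ARP then accept
set firewall family ethernet-switching filter protect_srv term TRUSTED from source-prefix-list Trusted-Sources
set firewall family ethernet-switching filter protect_srv term TRUSTED then accept

# Stateless approximation of "replies to connections the server initiated":
# TCP segments carrying ACK or RST (so a bare inbound SYN is still dropped),
# and UDP replies from DNS servers. Term and counter names are illustrative.
set firewall family ethernet-switching filter protect_srv term TCP-RETURN from ip-protocol tcp
set firewall family ethernet-switching filter protect_srv term TCP-RETURN from tcp-flags "(ack | rst)"
set firewall family ethernet-switching filter protect_srv term TCP-RETURN then accept
set firewall family ethernet-switching filter protect_srv term DNS-RETURN from ip-protocol udp
set firewall family ethernet-switching filter protect_srv term DNS-RETURN from source-port 53
set firewall family ethernet-switching filter protect_srv term DNS-RETURN then accept

# Everything else destined for the server is counted and dropped. A counter is
# used rather than "log" because logging may not be available on egress filters
# on this platform (assumption; check the release notes).
set firewall family ethernet-switching filter protect_srv term DEFAULT-DISCARD then count protect_srv_dropped
set firewall family ethernet-switching filter protect_srv term DEFAULT-DISCARD then discard
```

After committing, `show firewall filter protect_srv` shows the counter incrementing when an untrusted host tries to open a connection to the server, while the server's own browsing and DNS lookups keep working. The caveat to keep in mind is that this is still stateless: any external host can send segments with ACK or RST set, or UDP datagrams from source port 53, and they will be delivered. The filter narrows the exposure to unsolicited SYNs and arbitrary UDP, but it is not a substitute for a stateful firewall (an SRX in path, or a host firewall on the server) if "reachable only from Trusted-Sources" has to hold strictly.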