Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Firewall filters in EX4300

    This message was posted by a user wishing to remain anonymous
    Posted 06-10-2022 17:12

    Hi Experts,

   I have these filters in an EX4300 switch with the same matching conditions. The first one is to be applied on a VLAN and the second one on an irb. Can you please advise which of these filters should be preferred, or whether there is any advantage/disadvantage of using one over the other?

    Thanks,

    set firewall family ethernet-switching filter VTR term t1 from ip-source-address 192.168.2.0/24
    set firewall family ethernet-switching filter VTR term t1 from ip-destination-address 192.168.2.0/24
    set firewall family ethernet-switching filter VTR term t1 then accept

    set firewall family inet filter VTR term t1 from source-address 192.168.2.0/24
    set firewall family inet filter VTR term t1 from destination-address 192.168.2.0/24
    set firewall family inet filter VTR term t1 then accept



  • 2.  RE: Firewall filters in EX4300

    Posted 06-13-2022 18:27

    I think the definition of "Firewall Filter Types" here will probably help you:

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-overview.html

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-planning.html

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-understanding.html

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/firewall-filter-ex-series-evaluation-understanding.html

    Small section:

    Start with the following basic guidelines:

    • If all the packets entering a port need to be exposed to filtering, then use port firewall filters.
    • If all the packets that are bridged need filtering, then use VLAN firewall filters.
    • If all the packets that are routed need filtering, then use router firewall filters.

    Also worth noting:

    When you apply a filter to an IRB interface associated with a given VLAN, the filter is executed on any Layer 3 interface with a matching VLAN ID. This is because the filter matches on all Layer 3 interfaces with the corresponding VLAN tag.

    There is a path for the checks:

    port firewall filter -> VLAN firewall filter -> router firewall filter.

    If these are the only rules, and your irb from example 2 is associated with the vlan from example 1, it does not matter which one you use.

    Example configuration can be found here: https://supportportal.juniper.net/s/article/EX-Understanding-VLAN-IRB-firewall-filter-behavior-on-EX4300?language=en_US



    ------------------------------
    Michael Behrns
    ------------------------------
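As an added example (not from the thread and not Juniper's own code), the Python below parses the two `set` lines from the question and walks a packet through the port -> VLAN -> router filter path quoted above, including the implicit discard at the end of a filter. The model assumes that the VLAN filter sees every packet entering the VLAN while the IRB (router) filter is consulted only for packets that are actually routed; the `forward` function, its `bindings` argument and the sample addresses are constructed for this illustration.

```python
import ipaddress
# Constructed copy of the two filters from the question (family inet uses
# source-address/destination-address as its match keywords).
SET_LINES = """\
set firewall family ethernet-switching filter VTR term t1 from ip-source-address 192.168.2.0/24
set firewall family ethernet-switching filter VTR term t1 from ip-destination-address 192.168.2.0/24
set firewall family ethernet-switching filter VTR term t1 then accept
set firewall family inet filter VTR term t1 from source-address 192.168.2.0/24
set firewall family inet filter VTR term t1 from destination-address 192.168.2.0/24
set firewall family inet filter VTR term t1 then accept""".splitlines()
MATCH_KEYS = {"ip-source-address": "src", "source-address": "src",
              "ip-destination-address": "dst", "destination-address": "dst"}

def parse_set_lines(lines):
    """Build {(family, filter_name): {term: {"from": {"src"|"dst": [nets]}, "then": action}}}."""
    filters = {}
    for line in lines:
        w = line.split()
        # set firewall family <fam> filter <name> term <term> from|then ...
        if w[:3] != ["set", "firewall", "family"] or w[4] != "filter" or w[6] != "term":
            continue
        term = filters.setdefault((w[3], w[5]), {}).setdefault(
            w[7], {"from": {}, "then": None})
        if w[8] == "from":
            term["from"].setdefault(MATCH_KEYS[w[9]], []).append(ipaddress.ip_network(w[10]))
        elif w[8] == "then":
            term["then"] = w[9]
    return filters

def run_filter(terms, src, dst):
    """Terms are tried top-down; a packet matching no term hits the implicit discard."""
    addr = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
    for term in terms.values():
        if all(any(addr[k] in net for net in nets) for k, nets in term["from"].items()):
            return term["then"]
    return "discard"

def forward(filters, bindings, src, dst, routed):
    """EX evaluation path port -> VLAN -> router filter; bindings maps "port", "vlan", "irb"
    to a (family, name) key. Assumption: only routed packets reach the IRB filter."""
    trace = []
    for stage in ("port", "vlan", "irb"):
        key = bindings.get(stage)
        if key is None or (stage == "irb" and not routed):
            continue
        verdict = run_filter(filters[key], src, dst)
        trace.append((stage, verdict))
        if verdict == "discard":
            return "discard", trace
    return "accept", trace
```

With only the IRB filter bound, a bridged 192.168.2.10 -> 192.168.2.20 packet is never checked at all, while a routed packet to a destination outside 192.168.2.0/24 falls through the single accept term into the implicit discard.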