Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Intra VLAN blocking

    Posted 9 days ago
    Edited by BB 9 days ago

    Hello,

    After an audit a new requirement started to block all intra-vlan traffic in client networks - especially in guest VLANs.

    I already did this in another environment with L2 firewall filters like:

    filter block-intra-vlan-traffic term t1 from destination-mac-address l3gateway-mac-here

    filter block-intra-vlan-traffic term t1 then accept

    filter block-intra-vlan-traffic term t2 then discard

    Then I attach the filter to the access port range as input filter. It works well until I have 802.1X.

    But now I tested it in a real workstation VLAN and 802.1X packets are also dropped by my filter so clients are not able to authenticate.

    Does anyone have any idea how I can achieve blocking intra-vlan traffic (except to the gateway) but not the traffic destined to the switch itself?

    Thanks,

    Balázs



    ------------------------------
    Balázs Bajmóczi
    ------------------------------



  • 2.  RE: Intra VLAN blocking

    Posted 8 days ago

    What device are you using? 



    ------------------------------
    Chris Floom
    ------------------------------



  • 3.  RE: Intra VLAN blocking
    Best Answer

    Posted 8 days ago
    Edited by BB 5 days ago

    Hi,

    Why not use matches on ip-destination-addresses? ip matches are allowed in the ingress filters for a vlan. 

    set firewall family ethernet-switching filter vlan-filter term allow_gw from ip-destination-address 10.10.100.1/32
    set firewall family ethernet-switching filter vlan-filter term allow_gw then accept
    set firewall family ethernet-switching filter vlan-filter term allow_gw then count gw_count
    set firewall family ethernet-switching filter vlan-filter term deny_intra-vlan from ip-destination-address 10.10.100.0/24
    set firewall family ethernet-switching filter vlan-filter term deny_intra-vlan then discard
    set firewall family ethernet-switching filter vlan-filter term deny_intra-vlan then count deny_intra-vlan
    set firewall family ethernet-switching filter vlan-filter term last then accept
    set firewall family ethernet-switching filter vlan-filter term last then count allow_inter-vlan

    Ping to the gateway (10.10.100.1) from the client (10.10.100.2)

    root@linuxpc:~# ping 10.10.100.1
    PING 10.10.100.1 (10.10.100.1) 56(84) bytes of data.
    64 bytes from 10.10.100.1: icmp_seq=1 ttl=64 time=1.12 ms
    64 bytes from 10.10.100.1: icmp_seq=2 ttl=64 time=1.21 ms
    64 bytes from 10.10.100.1: icmp_seq=3 ttl=64 time=0.785 ms
    64 bytes from 10.10.100.1: icmp_seq=4 ttl=64 time=0.948 ms
    64 bytes from 10.10.100.1: icmp_seq=5 ttl=64 time=0.976 ms
    ^C
    --- 10.10.100.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4030ms
    rtt min/avg/max/mdev = 0.785/1.006/1.208/0.145 ms
    
    
    jcluser@vEX_NV# run show firewall 
    
    Filter: __default_bpdu_filter__                                
    
    Filter: vlan-filter                                            
    Counters:
    Name                                                                            Bytes              Packets
    allow_inter-vlan                                                                   60                    1 
    deny_intra-vlan                                                                     0                    0
    gw_count                                                                          490                    5 <<<<<<<<<--------------------

    intra-vlan ping to another client (10.10.100.3)

    root@linuxpc:~# ping 10.10.100.3
    PING 10.10.100.3 (10.10.100.3) 56(84) bytes of data.
    ^C
    --- 10.10.100.3 ping statistics ---
    7 packets transmitted, 0 received, 100% packet loss, time 6151ms
    
    
    jcluser@vEX_NV# run show firewall    
    
    Filter: __default_bpdu_filter__                                
    
    Filter: vlan-filter                                            
    Counters:
    Name                                                                            Bytes              Packets
    allow_inter-vlan                                                                  267                    4
    deny_intra-vlan                                                                   686                    7 <<<<<<<<------------
    gw_count                                                                          490                    5

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 4.  RE: Intra VLAN blocking

    Posted 8 days ago

    Hello,

    Thanks for the answer. Your filter is attached to the VLAN interface, I suppose; I have that too for L3 filtering, but this does not prevent intra-vlan traffic on an L2 switch, which doesn't have any L3 interface.

    Balázs



    ------------------------------
    Balázs Bajmóczi
    ------------------------------



  • 5.  RE: Intra VLAN blocking

    Posted 8 days ago
    Edited by Sheetanshu 8 days ago

    Hi,

    The filter was created and applied on an L2 switch that didn't have an irb interface for that VLAN. In the previous example, the filter was applied to the VLAN forwarding-options, and not the VLAN l3-interface.

    Here, for clarity, I have applied the filter on the access port facing the client. The filter still works to prevent intra-VLAN traffic, with its gateway and any external IP being reachable.

    jcluser@L2_switch# show firewall | display set 
    set firewall family ethernet-switching filter block_intera-vlan term gw_allow from ip-destination-address 10.10.100.1/32
    set firewall family ethernet-switching filter block_intera-vlan term gw_allow then accept
    set firewall family ethernet-switching filter block_intera-vlan term gw_allow then count gw_permit
    set firewall family ethernet-switching filter block_intera-vlan term deny_intra-vlan from ip-source-address 10.10.100.0/24
    set firewall family ethernet-switching filter block_intera-vlan term deny_intra-vlan from ip-destination-address 10.10.100.0/24
    set firewall family ethernet-switching filter block_intera-vlan term deny_intra-vlan then discard
    set firewall family ethernet-switching filter block_intera-vlan term deny_intra-vlan then count deny_intra-vlan
    set firewall family ethernet-switching filter block_intera-vlan term last then accept
    set firewall family ethernet-switching filter block_intera-vlan term last then count external
    
    
    jcluser@L2_switch# show interfaces ge-0/0/1 | display set 
    set interfaces ge-0/0/1 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/1 unit 0 family ethernet-switching vlan members v100
    set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input block_intera-vlan
    
    jcluser@L2_switch# show interfaces ge-0/0/2 | display set 
    set interfaces ge-0/0/2 unit 0 family ethernet-switching interface-mode access
    set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members v100
    set interfaces ge-0/0/2 unit 0 family ethernet-switching filter input block_intera-vlan
    
    jcluser@L2_switch# run show interfaces terse | match 10.10.100      
    
    [edit]
    jcluser@L2_switch# show interfaces irb | display inheritance | display set 
    
    [edit]
    jcluser@L2_switch# 

    Ping from the end-host to the gateway,

    root@linuxpc:~# ping 10.10.100.1
    PING 10.10.100.1 (10.10.100.1) 56(84) bytes of data.
    64 bytes from 10.10.100.1: icmp_seq=1 ttl=64 time=27.1 ms
    64 bytes from 10.10.100.1: icmp_seq=2 ttl=64 time=1.87 ms
    64 bytes from 10.10.100.1: icmp_seq=3 ttl=64 time=2.17 ms
    64 bytes from 10.10.100.1: icmp_seq=4 ttl=64 time=1.74 ms
    64 bytes from 10.10.100.1: icmp_seq=5 ttl=64 time=2.23 ms
    ^C
    --- 10.10.100.1 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4006ms
    rtt min/avg/max/mdev = 1.738/7.018/27.078/10.031 ms
    
    
    jcluser@L2_switch# run show firewall                                          
    
    Filter: __default_bpdu_filter__                                
    
    Filter: block_intera-vlan                                      
    Counters:
    Name                                                                            Bytes              Packets
    deny_intra-vlan                                                                   392                    4
    external                                                                        34721                  337
    gw_permit                                                                         686                    7

    Ping to another host in the same VLAN doesn't work. The counters show the term being matched.

    root@linuxpc:~# ping 10.10.100.3
    PING 10.10.100.3 (10.10.100.3) 56(84) bytes of data.
    ^C
    --- 10.10.100.3 ping statistics ---
    5 packets transmitted, 0 received, 100% packet loss, time 4102ms
    
    jcluser@L2_switch# run show firewall                                          
    
    Filter: __default_bpdu_filter__                                
    
    Filter: block_intera-vlan                                      
    Counters:
    Name                                                                            Bytes              Packets
    deny_intra-vlan                                                                   392                    8
    external                                                                        34721                  337
    gw_permit                                                                         686                    7
    
    

    external ping

    root@linuxpc:~# ping 192.168.1.2
    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=26.7 ms
    64 bytes from 192.168.1.2: icmp_seq=2 ttl=63 time=3.61 ms
    64 bytes from 192.168.1.2: icmp_seq=3 ttl=63 time=2.57 ms
    64 bytes from 192.168.1.2: icmp_seq=4 ttl=63 time=2.84 ms
    64 bytes from 192.168.1.2: icmp_seq=5 ttl=63 time=2.92 ms
    ^C
    --- 192.168.1.2 ping statistics ---
    5 packets transmitted, 5 received, 0% packet loss, time 4007ms
    rtt min/avg/max/mdev = 2.574/7.732/26.717/9.498 ms
    
    

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------
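    To make the mechanism of the accepted answer concrete, here is an added example that is not part of the thread and not Juniper code: a small Python model of first-match term evaluation for an ingress family ethernet-switching filter, run over constructed frames from a client on an access port. It builds both the original poster's MAC-based filter (with a constructed stand-in for "l3gateway-mac-here") and the block_intera-vlan filter from the reply above, and shows why the MAC-only version discards EAPOL (the 802.1X frame has no IP header and is not addressed to the gateway MAC, so it falls to the discard term) while the IP-based version lets it reach the "last then accept" term. The model assumes, as the original post reports, that the port filter sees the client's EAPOL frames.

```python
"""Constructed model of first-match evaluation in a Junos-style ingress filter.
Not Juniper code; frame fields, MACs and addresses are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional

GATEWAY_MAC = "00:11:22:33:44:01"   # constructed stand-in for "l3gateway-mac-here"
EAPOL_ETHERTYPE = 0x888E            # IEEE 802.1X PAE ethertype
PAE_GROUP_MAC = "01:80:c2:00:00:03" # destination MAC used by EAPOL frames


@dataclass
class Frame:
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None    # None for non-IP frames such as EAPOL
    dst_ip: Optional[str] = None


@dataclass
class Term:
    name: str
    match: Callable[[Frame], bool]  # the 'from' clause; a term without one matches everything
    action: str                     # 'accept' or 'discard'
    counter: Optional[str] = None   # 'then count <name>'


@dataclass
class Filter:
    name: str
    terms: List[Term]
    counters: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, frame: Frame) -> str:
        """The first matching term decides; nothing matching means implicit discard."""
        for term in self.terms:
            if term.match(frame):
                if term.counter:
                    self.counters[term.counter] = self.counters.get(term.counter, 0) + 1
                return term.action
        return "discard"


def ip_dst_in(cidr: str) -> Callable[[Frame], bool]:
    net = ip_network(cidr)
    return lambda f: f.dst_ip is not None and ip_address(f.dst_ip) in net


def ip_src_in(cidr: str) -> Callable[[Frame], bool]:
    net = ip_network(cidr)
    return lambda f: f.src_ip is not None and ip_address(f.src_ip) in net


def mac_based_filter() -> Filter:
    """The original post's filter: accept frames to the gateway MAC, discard the rest."""
    return Filter("block-intra-vlan-traffic", [
        Term("t1", lambda f: f.dst_mac == GATEWAY_MAC, "accept"),
        Term("t2", lambda f: True, "discard"),
    ])


def ip_based_filter() -> Filter:
    """The reply's block_intera-vlan filter, matching on IP addresses instead of MACs."""
    net = "10.10.100.0/24"
    return Filter("block_intera-vlan", [
        Term("gw_allow", ip_dst_in("10.10.100.1/32"), "accept", "gw_permit"),
        Term("deny_intra-vlan",
             lambda f: ip_src_in(net)(f) and ip_dst_in(net)(f), "discard", "deny_intra-vlan"),
        Term("last", lambda f: True, "accept", "external"),
    ])


# Constructed traffic from client 10.10.100.2 on an access port in VLAN 10.10.100.0/24.
SAMPLE_FRAMES = {
    "to_gateway": Frame(GATEWAY_MAC, 0x0800, "10.10.100.2", "10.10.100.1"),
    "intra_vlan": Frame("00:11:22:33:44:03", 0x0800, "10.10.100.2", "10.10.100.3"),
    "external":   Frame(GATEWAY_MAC, 0x0800, "10.10.100.2", "192.168.1.2"),
    "eapol":      Frame(PAE_GROUP_MAC, EAPOL_ETHERTYPE),  # 802.1X frame, no IP header
}


def run(filt: Filter) -> Dict[str, str]:
    """Evaluate every sample frame through the filter; counters accumulate on the filter."""
    return {name: filt.evaluate(frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for build in (mac_based_filter, ip_based_filter):
        f = build()
        print(f.name, run(f), f.counters)
```

The counters on the IP-based filter after one pass (gw_permit 1, deny_intra-vlan 1, external 2) mirror what the "run show firewall" output in the reply is checking: a test ping inside the VLAN should move only deny_intra-vlan, and an EAPOL exchange should land in the final accept term rather than in the deny counter.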



  • 6.  RE: Intra VLAN blocking

    Posted 5 days ago

    Dear Sheetanshu ,

    Thanks, I tested it in my lab and it really blocks the intra VLAN traffic. I haven't tried it before because it is against the basic rules - which are in the documentation too - that an L2-attached filter can filter L2 traffic, not L3.

    Thanks, 

    Balázs



    ------------------------------
    Balázs Bajmóczi
    ------------------------------



  • 7.  RE: Intra VLAN blocking

    Posted 5 days ago
    Edited by Sheetanshu 5 days ago

    Hi,

    Glad to know that it worked in your scenario.

    Can you kindly share the documentation that says we can't use the ip-destination-address match condition in an "ingress" port or VLAN family ethernet-switching filter? These can't be used in an egress family ethernet-switching filter, but can be used in ingress.

    Regards



    ------------------------------
    Sheetanshu Shekhar
    ------------------------------



  • 8.  RE: Intra VLAN blocking

    Posted 8 days ago

    I have plenty of ex3400s and a couple of old ex2200s at the access layer, and QFXs at the core. I want to enforce it at port level, so I plan to attach the filter to the port-range input. I also have a filter at the QFX at irb.xxx input for every VLAN. But that does not prevent the communication between two computers at the access level.

    Balázs



    ------------------------------
    Balázs Bajmóczi
    ------------------------------



  • 9.  RE: Intra VLAN blocking

    Posted 8 days ago
    Edited by Chris Floom 8 days ago

    I'm not very familiar with the EX2200s. Maybe look into private vlans?

    Just a suggestion.



    ------------------------------
    Chris Floom
    ------------------------------