Switching


QFX5100 - Firewall filter ethernet-switching blocks LACP on aggregated interface

  • 1.  QFX5100 - Firewall filter ethernet-switching blocks LACP on aggregated interface

    Posted 09-08-2024 14:49

    I would like to whitelist the IP addresses on the aggregated interface. I've done the configuration on EX4200 and it works as expected.

    This is what I've done on EX4200:

    > show configuration interfaces ae11
    aggregated-ether-options {
        lacp {
            active;
        }
    }
    unit 0 {
        family ethernet-switching {
            port-mode trunk;
            vlan {
                members [ 1 2 3 4 5 ];
            }
            filter {
                input F1;
            }
        }
    }

    > show configuration firewall family ethernet-switching
    filter F1 {
        term ARP {
            from {
                ether-type arp;
            }
            then accept;
        }
        term T1 {
            from {
                source-prefix-list {
                    LIST-IPv4;
                }
            }
            then accept;
        }
        term T2 {
            then discard;
        }
    }

    > show configuration policy-options
    prefix-list LIST-IPv4 {
        1.2.3.4/32;
    }

    I've applied the same configuration on the QFX5100, but it dropped packets immediately.

    These are the firewall logs:

    > show firewall log
    Log :
    Time      Filter    Action Interface           Protocol        Src Addr                         Dest Addr
    23:50:15  pfe       D      xe-1/0/40.0         8809            8c:60:4f:96:ea:b3                01:80:c2:00:00:02
    23:50:14  pfe       D      xe-0/0/40.0         8809            8c:60:4f:96:ea:b2                01:80:c2:00:00:02
    23:50:14  pfe       D      xe-1/0/40.0         8809            8c:60:4f:96:ea:b3                01:80:c2:00:00:02
    23:50:13  pfe       D      xe-0/0/40.0         8809            8c:60:4f:96:ea:b2                01:80:c2:00:00:02
    23:50:13  pfe       D      xe-0/0/40.0         8809            8c:60:4f:96:ea:b2                01:80:c2:00:00:02
    23:50:13  pfe       D      xe-0/0/40.0         8809            8c:60:4f:96:ea:b2                01:80:c2:00:00:02
    23:50:13  pfe       D      xe-1/0/40.0         8809            8c:60:4f:96:ea:b3                01:80:c2:00:00:02
    23:50:13  pfe       D      xe-1/0/40.0         8809            8c:60:4f:96:ea:b3                01:80:c2:00:00:02
    23:50:13  pfe       D      xe-1/0/40.0         8809            8c:60:4f:96:ea:b3                01:80:c2:00:00:02
    23:50:13  pfe       D      ae11.0              e465:0032       8c:60:4f:96:ea:b3                01:00:0c:cc:cc:cd
    23:50:13  pfe       D      ae11.0              e464:0032       8c:60:4f:96:ea:b3                01:00:0c:cc:cc:cd
    23:50:12  pfe       D      xe-0/0/40.0         88cc            8c:60:4f:96:ea:b2                01:80:c2:00:00:0e

    So why does the firewall also discard the LACP EtherType?

    Did I miss something, or do I need to add more terms to get it working?

    Thank you guys in advance.



    ------------------------------
    TRUONG TA
    ------------------------------
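One way to triage output like the `show firewall log` listing above, as an added Python example that is not part of the original post: it parses lines in that format and counts discards that hit link-layer control protocols (LACP, LLDP, PVST+), identified by EtherType or well-known destination MAC, so you can see at a glance whether the filter is dropping protocol frames rather than the host traffic you meant to block. The sample log lines are constructed to match the format shown.

```python
import re
from collections import Counter

# Constructed sample in the `show firewall log` layout (not the poster's full output).
SAMPLE_LOG = """\
Log :
Time      Filter    Action Interface           Protocol        Src Addr                         Dest Addr
23:50:15  pfe       D      xe-1/0/40.0         8809            8c:60:4f:96:ea:b3                01:80:c2:00:00:02
23:50:14  pfe       D      xe-0/0/40.0         8809            8c:60:4f:96:ea:b2                01:80:c2:00:00:02
23:50:13  pfe       D      ae11.0              e465:0032       8c:60:4f:96:ea:b3                01:00:0c:cc:cc:cd
23:50:12  pfe       D      xe-0/0/40.0         88cc            8c:60:4f:96:ea:b2                01:80:c2:00:00:0e
23:50:11  pfe       D      ae11.0              0800            8c:60:4f:96:ea:b3                00:11:22:33:44:55
"""

# Control protocols recognised by EtherType (hex, as printed in the Protocol column)...
CONTROL_ETHERTYPES = {"8809": "Slow Protocols (LACP/LAMP/OAM)", "88cc": "LLDP"}
# ...or by their reserved destination MAC when the Protocol column is not an EtherType.
CONTROL_DEST_MACS = {
    "01:80:c2:00:00:02": "Slow Protocols (LACP)",
    "01:80:c2:00:00:0e": "LLDP",
    "01:00:0c:cc:cc:cd": "Cisco PVST+/shared STP",
}

LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<filter>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s*$"
)

def parse_firewall_log(text):
    """Return one dict per log entry; the 'Log :' and column-header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def classify(entry):
    """Name the control protocol an entry belongs to, or None for ordinary traffic."""
    return (CONTROL_ETHERTYPES.get(entry["proto"].lower())
            or CONTROL_DEST_MACS.get(entry["dst"].lower()))

def discarded_control_traffic(text):
    """Count discarded (action D) control-protocol frames per (interface, protocol)."""
    counts = Counter()
    for e in parse_firewall_log(text):
        if e["action"] == "D":
            name = classify(e)
            if name:
                counts[(e["iface"], name)] += 1
    return counts
```

A non-empty result for the member interfaces or the ae bundle is the signal that the filter is eating LACP/LLDP/STP frames, which is worth ruling out before touching the IP terms.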