I would like to whitelist the IP addresses on the aggregated interface. I've done the configuration on the EX4200 and it works as expected.
This is what I've done on EX4200:
> show configuration interfaces ae11
aggregated-ether-options {
    lacp {
        active;
    }
}
unit 0 {
    family ethernet-switching {
        port-mode trunk;
        vlan {
            members [ 1 2 3 4 5 ];
        }
        filter {
            input F1;
        }
    }
}
> show configuration firewall family ethernet-switching
filter F1 {
    term ARP {
        from {
            ether-type arp;
        }
        then accept;
    }
    term T1 {
        from {
            source-prefix-list {
                LIST-IPv4;
            }
        }
        then accept;
    }
    term T2 {
        then discard;
    }
}
> show configuration policy-options
prefix-list LIST-IPv4 {
    1.2.3.4/32;
}
I've applied the same configuration on the QFX5100, but it dropped packets immediately.
These are the firewall logs:
> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
23:50:15 pfe D xe-1/0/40.0 8809 8c:60:4f:96:ea:b3 01:80:c2:00:00:02
23:50:14 pfe D xe-0/0/40.0 8809 8c:60:4f:96:ea:b2 01:80:c2:00:00:02
23:50:14 pfe D xe-1/0/40.0 8809 8c:60:4f:96:ea:b3 01:80:c2:00:00:02
23:50:13 pfe D xe-0/0/40.0 8809 8c:60:4f:96:ea:b2 01:80:c2:00:00:02
23:50:13 pfe D xe-0/0/40.0 8809 8c:60:4f:96:ea:b2 01:80:c2:00:00:02
23:50:13 pfe D xe-0/0/40.0 8809 8c:60:4f:96:ea:b2 01:80:c2:00:00:02
23:50:13 pfe D xe-1/0/40.0 8809 8c:60:4f:96:ea:b3 01:80:c2:00:00:02
23:50:13 pfe D xe-1/0/40.0 8809 8c:60:4f:96:ea:b3 01:80:c2:00:00:02
23:50:13 pfe D xe-1/0/40.0 8809 8c:60:4f:96:ea:b3 01:80:c2:00:00:02
23:50:13 pfe D ae11.0 e465:0032 8c:60:4f:96:ea:b3 01:00:0c:cc:cc:cd
23:50:13 pfe D ae11.0 e464:0032 8c:60:4f:96:ea:b3 01:00:0c:cc:cc:cd
23:50:12 pfe D xe-0/0/40.0 88cc 8c:60:4f:96:ea:b2 01:80:c2:00:00:0e
So why does the firewall also discard the LACP EtherType?
Did I miss something, or do I need to add more terms to get it to work?
Thank you guys in advance.
------------------------------
TRUONG TA
------------------------------
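
For readers triaging a similar log, the following is an added example (not part of the original post, and not Juniper code) that parses `show firewall log` rows and tallies discarded Layer 2 control frames per interface. The sample rows are copied from the log above; the function names and lookup tables are this example's own, and the labels are the standard IEEE/Cisco assignments for those EtherTypes and multicast addresses.

```python
import re
from collections import Counter

# Well-known EtherTypes and reserved destination MACs of link-local control protocols.
ETHERTYPES = {"8809": "IEEE Slow Protocols (incl. LACP)", "88cc": "LLDP"}
DEST_MACS = {
    "01:80:c2:00:00:02": "IEEE Slow Protocols (incl. LACP)",
    "01:80:c2:00:00:0e": "LLDP",
    "01:00:0c:cc:cc:cd": "Cisco PVST+",
}
FIELDS = ("time", "filter", "action", "interface", "protocol", "src", "dst")
TIME_RE = re.compile(r"^\d{2}:\d{2}:\d{2}$")

# Rows copied from the `show firewall log` output in the post above.
SAMPLE = """\
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
23:50:15 pfe D xe-1/0/40.0 8809 8c:60:4f:96:ea:b3 01:80:c2:00:00:02
23:50:14 pfe D xe-0/0/40.0 8809 8c:60:4f:96:ea:b2 01:80:c2:00:00:02
23:50:13 pfe D ae11.0 e465:0032 8c:60:4f:96:ea:b3 01:00:0c:cc:cc:cd
23:50:12 pfe D xe-0/0/40.0 88cc 8c:60:4f:96:ea:b2 01:80:c2:00:00:0e
"""

def parse(text):
    """Yield one dict per log row, skipping the header and malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and TIME_RE.match(parts[0]):
            yield dict(zip(FIELDS, parts))

def dropped_control(text):
    """Count discarded (action D) control frames per (interface, protocol)."""
    counts = Counter()
    for row in parse(text):
        if row["action"] != "D":
            continue
        # Prefer the EtherType; fall back to the reserved destination MAC
        # when the protocol column is not a recognised EtherType.
        name = (ETHERTYPES.get(row["protocol"].lower())
                or DEST_MACS.get(row["dst"].lower()))
        if name:
            counts[(row["interface"], name)] += 1
    return counts

if __name__ == "__main__":
    for (ifname, proto), n in sorted(dropped_control(SAMPLE).items()):
        print(f"{ifname:<14} {proto:<34} dropped={n}")
```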