/edit: can't change the title. The story was a little bit different, so ignore the title please ;)
We are in the process of splitting up a network.
We place all servers in VLAN 1 (192.168.1.0)
all backup in VLAN 2 (192.168.2.0)
all workstations in VLAN 3 (192.168.3.0)
all ICT workstations in VLAN 4 (192.168.4.0)
To improve the speed to the servers, we want to route over the EX4300 (192.168.1.251 / 192.168.2.251 / 192.168.3.251 / 192.168.4.251).
I changed the DHCP.
In the server VLAN we add a route 192.168.3.0/24 > 192.168.1.251
In the workstation LAN we add 192.168.1.0/24 > 192.168.3.251
So all is good.
In the firewall we allow traffic from VLAN 1 to 3 and 3 to 1.
Everyone is happy and it works like a charm.
Now we want to separate the backup servers from the production VLAN.
As you can understand, we want to use the switches here as well, since the firewall is only 1 Gbit.
So the backup server should go to the switch; however, connections initiated from the servers should be blocked.
I am used to doing that on an SRX with security policies. However, that is not an option; the switch only has firewall filters.
If I add a filter from the server LAN to the backup LAN which blocks all traffic, all connections are dropped.
So it sounds simple to solve, but at this point I am simply missing the solution.
Hope someone can point me in the right direction.
If I follow correctly, you want a local switch connection between two VLANs, but the flow can only be in one direction.
You could potentially do this with firewall filters by also using the port restriction. For the link you want to control, block all the ports typically used as service endpoints (1-49151) for the client direction, and allow all the higher randomly assigned ports so that dynamic responses are allowed.
So if the inbound direction is attempted towards expected clients it is blocked, but it is allowed for the server side only.
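As an added example (not the questioner's or the answerer's configuration), the port-based rule from the answer above written as a Junos stateless firewall filter and applied inbound on the server VLAN's routed interface, so the switch only forwards server-to-backup packets that look like replies. The interface name irb.1 is an assumption (older Junos releases use vlan.1), and the tcp-established match is an extra check beyond the answer's port rule: it requires ACK or RST to be set, so a bare SYN from a server toward the backup subnet is dropped even on a high port.

```junos
firewall {
    family inet {
        filter SERVER-TO-BACKUP {
            /* Replies from servers to sessions the backup hosts opened:
               backup side uses an ephemeral (random high) source port. */
            term allow-replies-to-backup {
                from {
                    source-address { 192.168.1.0/24; }
                    destination-address { 192.168.2.0/24; }
                    protocol tcp;
                    destination-port 49152-65535;
                    tcp-established;   /* ACK or RST set, never a new SYN */
                }
                then accept;
            }
            /* Anything else from the server VLAN aimed at the backup VLAN
               (new connections, service ports 1-49151) is counted and dropped. */
            term block-new-to-backup {
                from {
                    source-address { 192.168.1.0/24; }
                    destination-address { 192.168.2.0/24; }
                }
                then {
                    count server-to-backup-drops;
                    discard;
                }
            }
            /* Server traffic to every other destination is untouched. */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    irb {
        unit 1 {
            family inet {
                filter {
                    input SERVER-TO-BACKUP;
                }
                address 192.168.1.251/24;
            }
        }
    }
}
```

The filter is stateless and TCP-only as written; UDP-based backup traffic would need its own accept term, and the drop counter can be read with `show firewall filter SERVER-TO-BACKUP` to confirm that blocked server-initiated attempts are what is being discarded.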