Junos OS

 View Only
last person joined: 3 days ago 

Ask questions and share experiences about Junos OS.
  • 1.  Split routes over different networks.

    Posted 11-14-2023 06:29

    /edit cant change the title. the story was a little bit different. so ignore the title please ;)

    We are in the process of splitting up a network.

    we place al servers in vlan 1 (192.168.1.0)

    al Backup in vlan 2 (192.168.2.0)

    al workstations in vlan 3 (192.168.3.0)

    all ict workstations vlan 4 (192.168.4.0) 

    to improve the speed to the servers, want to route over the ex4300 (192.168.1.251 / 192.168.2.251 / 192.168.3.251/ 192.168.4.251)

    i changed the dhcp

    In the server vlan we add a route 192.168.3.0/24 > 192.168.1.251

    in the workstation lan we add 192.168.1.0/24 > 192.168.3.251

    so all is good. 

    in the firewall we allow traffic from vlan 1 to 3 and 3 to 1

    everyone is happy and it work like a charm.

    now we want to separate the backup servers from the production vlan.

    as you can understand we want to use the switches here as well since the firewall is only 1gbit.

    So the backup server should go to the switch. however connections initiated from the servers should be blocked.

    I am used to do that on a SRX with security policies. however that is not an option. the switch only have firewall filters.

    if i add a filter from server lan to backup lan which blocks all traffic. all connections are dropped.

    So it sounds simple to solve this. but at this point i simply missing the solution.

    Hope someone can point me to the right direction.



  • 2.  RE: Split routes over different networks.

    Posted 11-14-2023 20:07

    If I follow correctly you want a local switch connection between two vlans but the flow can only be in one direction.

    You could potentially do this with firewall filters by also using the port restriction.  For the link you want to control block all the ports typically used as service endpoint 1-49151 for the client direction and allow  all the higher random assigned ports for dynamic responses are allowed. 

    So if the inbound direction is attempted towards expected clients it is blocked but allowed for server side only.



    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------