Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  VLAN Filtering/Restrictions EX4200

    Posted 12-16-2014 07:27


    I am looking at creating a VLAN with access restrictions to other VLANs on our network, but to be controlled via Layer 3 EX 4200 switches.


    I would like the VLAN to have some access to basic services such as DNS and DHCP located on a separate VLAN.



    restricted-vlan 10
    corporate-vlan 20


    Restricted-vlan 10 should be able to access vlan 20 for DNS & DHCP but no other traffic.
    However, vlan 20, should not be able to initiate a connection with vlan 10.


    Is this sort of configuration possible?

    If so, how would I go about implementing this? Would PVLAN be what I need?


    Thank you



  • 2.  RE: VLAN Filtering/Restrictions EX4200
    Best Answer

    Posted 12-16-2014 08:33

    Is the EX4200 performing routing between the VLANs or is there a separate router/firewall upstream?  I would say that PVLAN is not the way to go here.  If the EX4200 is performing routing, you can create routed firewall filters and apply them to the layer 3 VLAN interfaces.  If there's an upstream device performing the routing, you can do the same on that device or you can create VLAN-based filters and apply them to one or both VLANs at the layer 2 level.


    Firewall Filter Overview for EX Series:



    Understanding Firewall Filter Processing Points in EX Series:



    I personally would want a firewall upstream doing this filtering rather than relying on the stateless filtering of an EX switch, but if that's not possible, you gotta work with what you have.
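    The routed-filter approach described in this answer, worked through for the original question as an added configuration example (this is not the answerer's own config and was not posted in the thread). It assumes the EX4200 itself routes between the two VLANs through RVIs vlan.10 and vlan.20, and uses the constructed documentation subnets 198.51.100.0/24 for restricted-vlan 10 and 192.0.2.0/24 for corporate-vlan 20, with a constructed DNS/DHCP server at 192.0.2.53. Because EX filters are stateless, the return traffic (DNS answers, TCP replies) has to be permitted explicitly on the vlan.20 side, which is exactly the weakness the answer points out: tcp-established only checks the ACK/RST flags, so this is a reasonable compromise, not a stateful firewall.

```junos
firewall {
    family inet {
        /* Applied inbound on vlan.10: what restricted hosts may send towards VLAN 20 */
        filter RESTRICTED-VLAN10-IN {
            term allow-dhcp {
                from {
                    protocol udp;
                    destination-port [ 67 68 ];
                }
                then accept;
            }
            term allow-dns-to-server {
                from {
                    destination-address {
                        192.0.2.53/32;   /* constructed: DNS server in VLAN 20 */
                    }
                    protocol [ udp tcp ];
                    destination-port 53;
                }
                then accept;
            }
            term deny-rest-of-corporate {
                from {
                    destination-address {
                        192.0.2.0/24;    /* constructed: VLAN 20 subnet */
                    }
                }
                then {
                    count vlan10-to-vlan20-denied;   /* counter for monitoring drops */
                    discard;
                }
            }
            term allow-everything-else {
                then accept;
            }
        }
        /* Applied inbound on vlan.20: only replies may travel towards VLAN 10 */
        filter CORPORATE-VLAN20-IN {
            term allow-dns-replies {
                from {
                    source-address {
                        192.0.2.53/32;
                    }
                    destination-address {
                        198.51.100.0/24; /* constructed: VLAN 10 subnet */
                    }
                    protocol [ udp tcp ];
                    source-port 53;
                }
                then accept;
            }
            term allow-tcp-replies {
                from {
                    destination-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    tcp-established;     /* ACK or RST set: stateless approximation of "reply" */
                }
                then accept;
            }
            term deny-new-to-restricted {
                from {
                    destination-address {
                        198.51.100.0/24;
                    }
                }
                then {
                    count vlan20-to-vlan10-denied;
                    discard;
                }
            }
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 10 {
            family inet {
                filter {
                    input RESTRICTED-VLAN10-IN;
                }
                address 198.51.100.1/24;
            }
        }
        unit 20 {
            family inet {
                filter {
                    input CORPORATE-VLAN20-IN;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
vlans {
    restricted-vlan {
        vlan-id 10;
        l3-interface vlan.10;
    }
    corporate-vlan {
        vlan-id 20;
        l3-interface vlan.20;
    }
}
```

    DHCP broadcasts from VLAN 10 clients only reach the server in VLAN 20 if the switch relays them, so a `forwarding-options helpers bootp` configuration pointing at 192.0.2.53 is also needed (omitted above). The two `count` actions give you `show firewall` counters to confirm the filters are actually matching and to spot unexpected cross-VLAN attempts.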

  • 3.  RE: VLAN Filtering/Restrictions EX4200

    Posted 12-19-2014 04:59

    Thank you for your reply, this certainly looks like the correct place to start.