Switching


Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Firewall Ethernet-switching Input Not working

    Posted 02-22-2018 06:59

    Hello all,

     

    I am new to the firewall settings in Junos and made the following setup, with the outcome that only the ICMP rule works but I have no connectivity on the other rules into the VLAN. The idea was to let the VLANs send outbound whatever they like, and on the VLANs I would like to protect, I would set an ingress firewall rule on the VLAN. I have tried for hours to see why or why not to use ethernet-switching as the family, or inet. inet I cannot use on VLANs. Here is my take:

     

    root@juniper# show firewall
    family ethernet-switching {
        filter VoIP {
            term VoIP-UDP {
                from {
                    destination-port [ 5060 5090 9000-9500 ];
                    ip-protocol udp;
                }
                then {
                    accept;
                    log;
                    count voip_udp;
                }
            }
            term VoIP-TCP {
                from {
                    destination-port [ 5060 5061 5090 80 443 ];
                    ip-protocol tcp;
                }
                then {
                    accept;
                    log;
                    count voip_tcp;
                }
            }
            term VoIP-ICMP {
                from {
                    ip-protocol [ icmp icmp6 ];
                }
                then {
                    accept;
                    count voip_icmp;
                }
            }
            term VoIP-Remote {
                from {
                    destination-port 22;
                    ip-source-address {
                        10.32.0.22/32;
                    }
                    ip-destination-address {
                        10.12.0.20/32;
                    }
                    ip-protocol tcp;
                }
                then {
                    accept;
                    log;
                    count voip_remote;
                }
            }
        }
    }
    

    mapped to the Vlan

    root@juniper# show vlans Production-VoIP
    vlan-id 12;
    l3-interface irb.12;
    forwarding-options {
        filter {
            input VoIP;
        }
        dhcp-security;
    }
    

    and only ICMP works; for all the others even the count is 0

    root@juniper# run show firewall
    
    Filter: VoIP
    Counters:
    Name                                                Bytes              Packets
    voip_icmp                                           15744                  192
    voip_remote                                             0                    0
    voip_tcp                                                0                    0
    voip_udp                                                0                    0
    

    Would someone be so kind as to tell me where I went wrong?



  • 2.  RE: Firewall Ethernet-switching Input Not working
    Best Answer

    Posted 02-22-2018 08:17

    Hello,

    You forgot to allow ARP in Your filter and I reckon that all Your devices on this VLAN are actually not able to communicate, hence all counters except VoIP-ICMP are zero. As for VoIP-ICMP, this term did allow ICMPv6 (which is equivalent to IPv4 ARP) and it seems that You are getting only short ICMPv6 packets: 15744/192 = 82 Bytes/packet.

    Please add the following line to Your filter, re-test and report back:

    set firewall family ethernet-switching filter VoIP term ARP from ether-type arp then accept

    HTH

    Thx
    Alex

     



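    Added example, not code from the thread or from Juniper: a small Python checker that parses a "show firewall" counter table like the one quoted above and a Junos-style filter text, lists the terms that never matched a packet, reproduces the 82 bytes/packet check from the answer, and reports whether any term accepts ether-type arp. The sample output and the two filter versions are constructed from the thread.

```python
import re
# Constructed sample: the "show firewall" counter table quoted in the thread.
SHOW_FIREWALL = """\
Filter: VoIP
Name                        Bytes      Packets
voip_icmp                   15744          192
voip_remote                     0            0
voip_tcp                        0            0
voip_udp                        0            0
"""
# Constructed filter, before and after adding the ARP term from the accepted answer.
FILTER_NO_ARP = """\
filter VoIP {
    term VoIP-ICMP {
        from { ip-protocol [ icmp icmp6 ]; }
        then { accept; count voip_icmp; }
    }
}
"""
FILTER_WITH_ARP = FILTER_NO_ARP[:-2] + "    term ARP {\n        from { ether-type arp; }\n        then accept;\n    }\n}\n"

def parse_counters(text):
    """Map counter name -> (bytes, packets) from 'show firewall' output."""
    rows = re.findall(r"^(\S+)\s+(\d+)\s+(\d+)\s*$", text, re.M)
    return {name: (int(b), int(p)) for name, b, p in rows}

def zero_hit_counters(counters):
    """Names of terms that never matched a packet: the symptom in the thread."""
    return sorted(n for n, (_, pkts) in counters.items() if pkts == 0)

def avg_packet_bytes(counters, name):
    """Average packet size, the 15744/192 = 82 bytes check from the answer."""
    nbytes, pkts = counters[name]
    return nbytes // pkts if pkts else 0

def filter_terms(config):
    """Map term name -> its body text, splitting on 'term NAME {' headers."""
    terms, name = {}, None
    for line in config.splitlines():
        m = re.match(r"\s*term (\S+) \{", line)
        if m:
            name = m.group(1)
            terms[name] = ""
        elif name:
            terms[name] += line.strip() + "\n"
    return terms

def has_arp_accept(config):
    """True if some term matches ether-type arp and then accepts (the missing piece)."""
    return any("ether-type arp;" in b and "accept" in b for b in filter_terms(config).values())
```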

  • 3.  RE: Firewall Ethernet-switching Input Not working

    Posted 02-22-2018 23:49

    Hello aarsenelv,

     

    thank you for your assistance. I have added

    term ARP {
        from {
            ether-type arp;
        }
        then accept;
    }
    

    However, still only PING is working, from the test PC in vlan32 to the destination vlan12 (Production-VoIP).

     

    Can I add one more question: why or when shall I use the firewall family "ethernet-switching" or "inet"?



  • 4.  RE: Firewall Ethernet-switching Input Not working

    Posted 02-23-2018 00:32

    Hello,


    @sonicsw wrote:

    Can I add one more question: why or when shall I use the firewall family "ethernet-switching" or "inet"?


    "family inet" filter can be only added to :

    1/ L3 interface under "family inet" stanza

    2/ as a forwarding-table filter

    "family inet" filter cannot be added to a VLAN.

    Back to Your original problem - I believe You could have accomplished the same thing (blocking/allowing comms between 2 VLANs) with a "family inet" filter on IRB.

    HTH

    Thx
    Alex



  • 5.  RE: Firewall Ethernet-switching Input Not working

    Posted 02-23-2018 00:40

    In my pain I tried it, but I guess still due to the mix-up of input and output usage mapping the result was the same...

     

    would you prefer to go on the IRB then map to the Vlan?

     

    Thx for your input! Highly appreciated!



  • 6.  RE: Firewall Ethernet-switching Input Not working

    Posted 02-23-2018 04:12

    Hello,

    For this specific purpose (blocking/allowing comms between two VLANs and only for IPv4) I would go with single "family inet" IRB filter.

    However, if You also have IPv6 (which is not matched in Your current filter apart from icmpv6) then You have to write another "family inet6" filter, as opposed to combining IPv4 and IPv6 match terms in a single "family ethernet-switching" filter.

    HTH

    Thx
    Alex



  • 7.  RE: Firewall Ethernet-switching Input Not working

    Posted 02-23-2018 00:26

    After banging my head on the table, I called the shots to go back to RTFM: https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-ex-series-packet-understanding.html

     

    and the error became clear. It must be an output filter on the VLAN and not input.

    Altering from:

     

     

    vlan-id 12;
    l3-interface irb.12;
    forwarding-options {
        filter {
            input VoIP;
        }
        dhcp-security;
    }
    
    

    to

     

    vlan-id 12;
    l3-interface irb.12;
    forwarding-options {
        filter {
            output VoIP;
        }
        dhcp-security;
    }
    

    while keeping your advised ARP term, all is working (without it, it is not working).

     

    Thank you so much, this I would never have done.