Switching

 View Only
last person joined: 20 hours ago 

Ask questions and share experiences about EX and QFX portfolios and all switching solutions across your data center, campus, and branch locations.
  • 1.  Firewall Filter

    This message was posted by a user wishing to remain anonymous
    Posted 11-21-2022 12:04
    This message was posted by a user wishing to remain anonymous

    I want to create a firewall filter that should discard the NTP traffic forwarding through irb.100 having management IP- 10.85.241.50 and traffic should be forwarded only to respective two ntp servers i.e 10.4.10.36 & 10.4.10.37.




     



  • 2.  RE: Firewall Filter

    Posted 11-21-2022 15:08
    Is this traffic originating from or destined to the Junos device itself or transit traffic passing through the irb.100 interface between an outside device and the ntp servers?

    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------



  • 3.  RE: Firewall Filter

    Posted 11-22-2022 10:02
    The traffic is generated from irb.100 towards NTP servers.

    ------------------------------
    Sanam Kaur
    ------------------------------



  • 4.  RE: Firewall Filter

    Posted 11-29-2022 20:28
    For traffic that has a source or destination of the Junos device itself we apply the firewall filter to the loopback address and this then applies to all traffic for the device.  These are called protect RE filters.  There is a full discussion on creating a comprehensive filter in this free day one book.

    https://supportportal.juniper.net/s/article/Securing-the-Routing-Engine-on-M-MX-and-T-Series?language=en_US

    You could just have the ntp only filtered by create a filter in the same format applied to the loopback with three terms
    • allow the ntp port out to the ntp server address
    • reject all ntp port outbound
    • allow all final rule


    ------------------------------
    Steve Puluka BSEET - Juniper Ambassador
    IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP - Retired)
    http://puluka.com/home
    ------------------------------