I have three VLANs configured in my ex8208
Vlan1, Vlan2, and Vlan3
All VLANs are able to communicate with each other which is wrong.
All VLANs are configured with l3.interface.
My Requirements:
1. Can I block inter VLAN communication?
2. it is possible with a filter on specific VLANs. ?
Hi cc,
We can restrict using filters but per MAC address for a VLAN.
Sample filter to prevent ARP learning and hence IP communication (can be used even within a VLAN):
[edit]
+ firewall {
+ family ethernet-switching {
+ filter test {
+ term 1 {
+ from {
+ source-mac-address {
+ 00:00:00:11:11:11/48;
+ }
+ ether-type arp;
+ }
+ then accept;
+ }
+ term 2 {
+ from {
+ ether-type arp;
+ }
+ then {
+ count intra-vlan-discards;
+ discard;
+ }
+ }
+ }
+ }
+ }
You can also use PVLANs to achieve the same goal, however please review the features limitations.
https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/private-vlans-multiple-switches-ex-series-cli.html (Only EX8200 allow RVI/IRB between isolated and community VLANs)
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated 
.
Yes, you can. Confgiure and apply firewall filter on port or vlan or l3 interface. Please refer the URL for more details:
Hi cc,
Slight correction on this - "We can restrict using filters but per MAC address for a VLAN.". We can also use a match condition "user-vlan-id" and/or "dot1q-tag" based on the Junos version you're using. That should work.
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
Hello cc,
You can disable inter-vlan routing by configuring your vlans as community vlans, and creating a single primary vlan. Hosts within a community vlan will be able to communicate within the vlan, but won't be able to communicate with hosts from another community vlan. You can read more on this topic:
http://www.mustbegeek.com/configure-private-vlans-in-juniper-switch/
https://www.juniper.net/documentation/en_US/junos/topics/topic-map/private-vlans.html
Best regards,
Sergii
-------------------------------------------------------------------
Please accept the solution if your problem is resolved 
------------------------------------------------------------------
Still around Carlos ?
Hi Alan,
yep busy days I am reviewing your questions now.
We are experiencing a very odd issue with our QFX5100 switching and the routing tables.
Issue:
Ubuntu Test Server (96.126.81.60) making any TCP or UDP connection to off-net services is unable to connect.
After spending a few weeks trying to identify the issue, we found the following to be happening:
1) When no default route is populated on the QFX5100 switch, and only the full BGP table, the Loopback0.0 filter is being applied to all transit traffic.
2) When a default route is populated on the QFX5100 switch, and a full BGP table, only the default route is utilized, the BGP forwarding table appears to be ignored, and the Loopback0.0 filter is not applied.
Below is a simplified network topology showing how all of the Juniper devices are interconnected, as well as how the routing tables are being populated.
I say simplified, because there are actually two MX80 routers, with full BGP tables from two different carriers.
The QFX5100 switches are two physical switches in a VC, using LACP bonding connectivity ( ae[0-5] ) setup for "flexible-vlan-tagging".
Can anyone throw out some ideas as to why the the lo0.0 input filter is being processed on transit traffic?
To my understanding, and all of our research and training, transit traffic should never touch the RE unless exceptions in the packets are experienced.
However, when digging into this issue, I ran across this KB article, but I don't think it applies to my setup (or is even relevant) as I do not run any firewalls on this equipment other than the lo0.0 firewall policy to protect the RE (management, etc).
https://kb.juniper.net/InfoCenter/index?page=content&id=KB32041&cat=QFX_SERIES&actp=LIST
https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1080758
Let me know what you would like to see for configurations or routing table output and I will gladly show it.
Actually, my requirement is to allow IPs only from specific VLAN, not from other VLANs.
E.g 1.1.1.1 vlan1
2.2.2.2 vlan2
So when I applied a filter on vlan1 it should accept only 1.1.1.0/24 IP queries only not from vlan2.
Hello,
It looks like You got used to MX-style lo0 filters which typically do not have match on dst.IP, it is not needed there.
Well, QFX is different in this regard and KB article clearly spells the workaround
to work around the issue, set the firewall filter separately for transit traffic and for traffic to the switch. Make sure that they do not clash.
Which means - introduce the dst.IP match in Your lo0 filter and You are going to be fine.
You can "collect" the local subnets automatically using JUNOS apply-path:
set policy-options prefix-list CONNECTED_IPv4_SUBNETS apply-path "interfaces <*> unit <*> family inet address <*>"
HTH
Thx
Alex
I tried this but the users connected with vlan1 not able to access the internet.
I am using ex3300 switch in the access layer, where two VLANs are configured vlan1 and vlan2. In current situation both switches are able to communicate with each other. But my requirement is they should not communicate with each other.
I tried several filters on input/output on vlans but no success.
Vlan1 users IPs are in 1.1.1.0/24 (first 24 ports are in vlan1 ) and vlan2 users IPs are in 2.2.2.0/24 (last 23 ports are in vlan2 ) Total 47 users on a single switch.
With the above filters, vlan1 access is denied but the users failed to reach the internet.
admin# show interfaces vlan
unit 1 {
family inet {
address 1.1.1.2/24;
}
}
admin# show vlans
vlan1 {
vlan-id 1;
l3-interface vlan.1;
}
vlan2 {
vlan-id 2;
}
admin# show interfaces ge-0/0/47
unit 0 {
family ethernet-switching {
port-mode trunk;
vlan {
members [ 1 2 ];
}
}
}
Hi denystc,
Thanks for the info. Please try this:
set firewall family ethernet-switching filter VLAN1-filter term 1 from vlan 2
set firewall family ethernet-switching filter VLAN1-filter term 1 then discard
set firewall family ethernet-switching filter VLAN1-filter term 2 then accept
set vlans vlan1 filter output VLAN1-filter
set firewall family ethernet-switching filter VLAN2-filter term 1 from vlan 1
set firewall family ethernet-switching filter VLAN2-filter term 1 then discard
set firewall family ethernet-switching filter VLAN2-filter term 2 then accept
set vlans vlan2 filter output VLAN2-filter
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
Hi denystc,
Please also include the input direction i.e:
set firewall family ethernet-switching filter VLAN1-filter term 1 from vlan 2
set firewall family ethernet-switching filter VLAN1-filter term 1 then discard
set firewall family ethernet-switching filter VLAN1-filter term 2 then accept
set vlans vlan1 filter output VLAN1-filter
set vlans vlan1 filter input VLAN1-filter
set firewall family ethernet-switching filter VLAN2-filter term 1 from vlan 1
set firewall family ethernet-switching filter VLAN2-filter term 1 then discard
set firewall family ethernet-switching filter VLAN2-filter term 2 then accept
set vlans vlan2 filter output VLAN2-filter
set vlans vlan2 filter input VLAN2-filter
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
wrote: Hi
denystc,cc,
Please also include the input direction i.e:
set firewall family ethernet-switching filter VLAN1-filter term 1 from vlan 2
set firewall family ethernet-switching filter VLAN1-filter term 1 then discard
set firewall family ethernet-switching filter VLAN1-filter term 2 then acceptset vlans vlan1 filter output VLAN1-filter
set vlans vlan1 filter input VLAN1-filter
set firewall family ethernet-switching filter VLAN2-filter term 1 from vlan 1
set firewall family ethernet-switching filter VLAN2-filter term 1 then discard
set firewall family ethernet-switching filter VLAN2-filter term 2 then acceptset vlans vlan2 filter output VLAN2-filter
set vlans vlan2 filter input VLAN2-filter
Hope this helps.
Regards,
-r.--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Another way to do it is:
set firewall family ethernet-switching filter VLAN1_IN term 1 from destination-address 2.2.2.0/24
set firewall family ethernet-switching filter VLAN1_IN term 1 then discard
set firewall family ethernet-switching filter VLAN1_IN term 1 then count discard_vlan2_on_vlan1
set firewall family ethernet-switching filter VLAN1_IN term 2 then accept
set firewall family ethernet-switching filter VLAN1_IN term 2 then count allow_vlan1_internet
set vlans vlan1 filter input VLAN1_IN
set firewall family ethernet-switching filter VLAN2_IN term 1 from destination-address 1.1.1.0/24
set firewall family ethernet-switching filter VLAN2_IN term 1 then discard
set firewall family ethernet-switching filter VLAN2_IN term 1 then count discard_vlan1_on_vlan2
set firewall family ethernet-switching filter VLAN2_IN term 2 then accept
set firewall family ethernet-switching filter VLAN2_IN term 2 then count allow_vlan2_internet
set vlans vlan2 filter input VLAN2_IN
Reference: https://kb.juniper.net/InfoCenter/index?page=content&id=KB12021&cat=switch_products&actp=LIST
Hope this helps.
Regards,
-r.
--------------------------------------------------
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated .
@Alex
I'm not understanding how this answers the question - Why is transit traffic getting to the RE?
In this above specific example, I am attempting a DNS query to Google DNS from my testing server.
The server is on-net, connected to my EX4200 switch. The destination server is off-net.
All traffic is "transit" of the QFX5100.
Here is a relevant snip of my term that has anything to do with DNS, with a implicit deny at the end. This rule would allow the traffic as there is no defined source or destination and has an accept.
set firewall family inet filter PROTECT_RE_v4 term accept-dns from protocol udp set firewall family inet filter PROTECT_RE_v4 term accept-dns from protocol tcp set firewall family inet filter PROTECT_RE_v4 term accept-dns from source-port 53 set firewall family inet filter PROTECT_RE_v4 term accept-dns then count accept-dns set firewall family inet filter PROTECT_RE_v4 term accept-dns then accept
Also, in some of the terms, where required, I am calling dynamic prefix-lists.
set policy-options prefix-list ROUTER_IP4 apply-path "interfaces <*> unit <*> family inet address <*>" set policy-options prefix-list ROUTER_IP6 apply-path "interfaces <*> unit <*> family inet6 address <*>"
Attached is a full export (display set) of the PROTECT_RE_v4 policy.
Hello,
wrote: @Alex
I'm not understanding how this answers the question - Why is transit traffic getting to the RE?
Because QFX5100 imlementation of lo0.0 filter is accepting+redirecting matching packets to RE.
Perhaps it would be more understandable if the QFX5100 filter CLI could say "accept+punt" rather than "accept"
So, if I rewrite it this way, would it be more understandable? (it is not an actual JUNOS CLI):
set firewall family inet filter PROTECT_RE_v4 term accept-dns from protocol udp set firewall family inet filter PROTECT_RE_v4 term accept-dns from protocol tcp set firewall family inet filter PROTECT_RE_v4 term accept-dns from source-port 53 set firewall family inet filter PROTECT_RE_v4 term accept-dns then count accept-dns set firewall family inet filter PROTECT_RE_v4 term accept-dns then accept+punt
This is specific to QFX5K (AFAIK, and ACX5K too) filter implementation. On MX or EX or SRX You won't see this behaviour because MX/EX/SRX use chipsets that are different from Broadcom one used by QFX5K/ACX5K.
And if You narrow the filter term match to only returning self-terminating DNS packets by adding/introducing dst.IP match, then You won't see this behaviour.
HTH
Thx
Alex
Hey Guys
has anyone had this issue before. I have a switch EX4200 and a phone and PC connected to an access port. the PC uses dot1x authentication while the phone uses mac address to authenticate. Both are all defined in the Radius server.
Now only one of the devices can authenticate at a time not both. when the devices are chained, the phone authenticates. When the phone is bypassed, the PC authenticates and I also get the error below:
Config:
set vlans vl0029 description Voice_VLAN
set vlans vl0029 vlan-id 29
set vlans vl0029 l3-interface irb.29
set vlans vl0500 description Corporate_users
set vlans vl0500 vlan-id 500
set vlans vl0500 l3-interface irb.500
set interfaces interface-range voip member-range ge-0/0/0 to ge-0/0/44
set protocols lldp-med interface voip
set switch-options voip interface voip vlan vl0029
set interfaces irb unit 500 family inet address 10.211.80.252/24
set interfaces irb unit 29 family inet address 10.215.10.252/24
set interfaces ge-0/0/16 unit 0 family ethernet-switching vlan members vl0500
set interfaces ge-0/0/16 unit 0 family ethernet-switching storm-control default
set protocols dot1x authenticator interface ge-0/0/16.0 supplicant single-secure
set protocols dot1x authenticator interface ge-0/0/16.0 mac-radius
ERROR:
Mar 28 10:44:21.911 2019 ukbslan002 pfex: DFWE DFW: Cannot program filter dot1x_ge-0/0/16 (type IRACL_LO) - TCAM has 0 free entries and the filter change requires 2 free entries
