[j-nsp] Firewall filtering in EX3200
Juha Suhonen
juhas at mmd.net
Sun Apr 27 16:14:29 EDT 2008
Hello, Juniper gurus!
We recently got a few Juniper EX3200s. After paging through the (quite
inconsistent and scattered) documentation on Juniper's web site, I still
haven't been able to find a solution to this (probably quite simple)
problem.
So... what's the recommended way of making a firewall filter to protect
management access to the actual device, when I'm using vlan subinterfaces
to route L3 traffic?
In Juniper routers, I'd stick a firewall filter to the "lo0" interface and
be happy with it, but EX3200 complains about this configuration - "Filters
are not supported on loopback or LAG interface lo0".
Naturally, I can apply filters to vlan interfaces, but then they affect
all traffic passing that particular vlan. I haven't yet discovered a way
to say "if target of this packet is the local unit, then match", so every
time the unit gets a new IP, I'd also need to update all the firewall
filters in place. Also, since the unit doesn't seem to support using
prefix-lists with firewall filters, doing it this way seems like a future
management headache.
Surely there's some quick & smart way to firewall the device; I just
haven't been able to find it yet... So, any suggestions or ideas?
-- juhas
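An added example, written for this thread and not taken from the poster or from Juniper, that automates the workaround the post describes: with the filter applied to the routed vlan units instead of lo0, every term aimed at the device has to name the device's own addresses explicitly, so the filter text is regenerated from the current list of local addresses whenever one is added or changed. It assumes ordinary Junos filter syntax under `[edit firewall family inet]` and `[edit interfaces vlan unit N family inet filter input]`, `vlan.N` unit naming, and constructed sample addresses and management prefixes.

```python
"""Generate a Junos firewall filter that protects a switch's own L3 addresses.

Added example for the thread above, not the poster's configuration. The filter
goes on the routed vlan units (lo0 filters being rejected on this box), so
every term aimed at the device names its own addresses explicitly and the
text is regenerated whenever a local address changes. Addresses constructed.
"""
import ipaddress

# Constructed sample data: the switch's own L3 addresses per routed vlan unit.
LOCAL_ADDRESSES = {
    "vlan.10": "10.0.10.1/24",
    "vlan.20": "10.0.20.1/24",
    "vlan.99": "192.0.2.1/29",
}

# Constructed sample data: prefixes permitted to manage the device.
MGMT_PREFIXES = ["10.0.99.0/24", "192.0.2.64/26"]

# Management services to admit: (term suffix, IP protocol, Junos port name).
SERVICES = [("ssh", "tcp", "ssh"), ("snmp", "udp", "snmp")]


def host_prefixes(local):
    """Reduce the device's interface addresses to sorted /32 host prefixes."""
    hosts = {f"{ipaddress.ip_interface(addr).ip}/32" for addr in local.values()}
    return sorted(hosts, key=ipaddress.ip_network)


def _addr_block(prefixes):
    """Render a Junos address list in brace form, e.g. '{ 10.0.0.0/8; }'."""
    return "{ " + " ".join(f"{p};" for p in prefixes) + " }"


def _term(name, match_lines, action_lines):
    """Render one filter term; 'from' is omitted when there is nothing to match."""
    out = [f"    term {name} {{"]
    if match_lines:
        out.append("        from {")
        out += [f"            {m}" for m in match_lines]
        out.append("        }")
    if len(action_lines) == 1:
        out.append(f"        then {action_lines[0]}")
    else:
        out.append("        then {")
        out += [f"            {a}" for a in action_lines]
        out.append("        }")
    out.append("    }")
    return "\n".join(out) + "\n"


def render_filter(name, local, mgmt, services=SERVICES):
    """Return a 'filter NAME { ... }' stanza for [edit firewall family inet].

    Junos evaluates terms top to bottom and stops at the first match, so the
    management accepts come before the local discard, and transit traffic
    (anything not addressed to the box itself) falls through to the final
    accept untouched.
    """
    to_me = f"destination-address {_addr_block(host_prefixes(local))}"
    terms = []
    for suffix, proto, port in services:
        terms.append(_term(
            f"mgmt-{suffix}",
            [f"source-address {_addr_block(mgmt)}", to_me,
             f"protocol {proto};", f"destination-port {port};"],
            ["accept;"],
        ))
    # Let the box answer ping and receive ICMP errors (unreachables, frag-needed).
    terms.append(_term("local-icmp", [to_me, "protocol icmp;"], ["accept;"]))
    # Anything else aimed at the device itself is counted and dropped.
    terms.append(_term("local-other", [to_me], ["count local-drops;", "discard;"]))
    # Transit traffic routed via the vlan interfaces is not affected.
    terms.append(_term("transit", [], ["accept;"]))
    return f"filter {name} {{\n" + "".join(terms) + "}\n"


def render_apply(name, local):
    """Return the 'interfaces vlan' stanza applying the filter inbound on each routed unit."""
    units = sorted(int(ifname.split(".", 1)[1]) for ifname in local)
    lines = ["interfaces {", "    vlan {"]
    for unit in units:
        lines += [
            f"        unit {unit} {{",
            "            family inet {",
            "                filter {",
            f"                    input {name};",
            "                }",
            "            }",
            "        }",
        ]
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_filter("protect-re", LOCAL_ADDRESSES, MGMT_PREFIXES))
    print(render_apply("protect-re", LOCAL_ADDRESSES))
```

Running the script prints the filter for `load merge relative` under `[edit firewall family inet]` and the matching `interfaces vlan` stanza; re-running it after adding an address to `LOCAL_ADDRESSES` is what keeps the `destination-address` lists current, which is the manual step the post complains about. Two caveats a practitioner would check before committing: any unicast traffic the switch itself must receive (routing-protocol adjacencies, NTP, DHCP relay, syslog replies) needs its own accept term ahead of `local-other`, and because the final term accepts all transit traffic this filter protects only the device, not the hosts behind it.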