[j-nsp] Firewall filtering in EX3200
Richard A Steenbergen
ras at e-gerbil.net
Mon Apr 28 14:01:14 EDT 2008
On Sun, Apr 27, 2008 at 11:14:29PM +0300, Juha Suhonen wrote:
> Hello, Juniper gurus!
>
> We recently got a few Juniper EX3200's; after paging through the (quite
> inconsistent and scattered) documentation on Juniper's web site I still
> haven't been able to find a solution to this (probably quite simple)
> problem.
...
> In Juniper routers, I'd stick a firewall filter to the "lo0" interface and
> be happy with it, but EX3200 complains about this configuration - "Filters
> are not supported on loopback or LAG interface lo0".
Yeah, I found the same problem, and I'm pretty sure there is currently no
other way to do it (short of filters on every other interface, with
hardcoded IPs). With any luck this will be fixable in future versions of
code, but technically speaking we really have no idea if this is even
supported in hardware at all. Hopefully someone from Juniper can confirm.
To me things like "oh whoops we forgot to mention, no filters on the
control-plane or LAG interfaces" are 1000x more interesting than hooking
up a box to a traffic generator and watching it pass ordinary packets
successfully. Wait until you see the reduced number of things you can
match on once you actually do get a filter working. :)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
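As an added illustration (not part of the thread above and not taken from Juniper's documentation), here are the two approaches being compared, in Junos configuration syntax: the router-style single filter on lo0, and the workaround the reply describes for the EX3200, where the same policy is applied as an input filter on every routed interface with the switch's own addresses hard-coded. All addresses, filter names and VLAN units are constructed for the example; the EX3200 half assumes the switch accepts the basic source-address, destination-address, protocol and destination-port match conditions (the reply warns the supported set is smaller than on the routers) and that its routed interfaces are the "vlan" units used on EX-series switches. Treat the two stanzas as two separate configurations, one per platform.

```junos
/* 1. Router approach: one input filter on lo0 covers traffic to the
      Routing Engine regardless of the ingress interface. */
firewall {
    family inet {
        filter protect-re {
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;            /* constructed management subnet */
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-rest {
                then {
                    count re-discards;           /* count what the filter drops */
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 198.51.100.1/32;         /* constructed loopback address */
            }
        }
    }
}

/* 2. EX3200 workaround from the reply: lo0 refuses a filter, so the
      policy goes on every routed (vlan) interface, matching the switch's
      own addresses explicitly and letting transit traffic through. */
firewall {
    family inet {
        filter protect-self {
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;            /* constructed management subnet */
                    }
                    destination-address {        /* the switch's own IPs, hard-coded */
                        198.51.100.1/32;
                        10.10.10.1/32;
                        10.10.20.1/32;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-other-to-self {
                from {
                    destination-address {        /* same list: keep both in sync */
                        198.51.100.1/32;
                        10.10.10.1/32;
                        10.10.20.1/32;
                    }
                }
                then {
                    count self-discards;
                    discard;
                }
            }
            term transit {
                then accept;                     /* everything not addressed to the switch */
            }
        }
    }
}
interfaces {
    vlan {
        unit 10 {
            family inet {
                filter {
                    input protect-self;
                }
                address 10.10.10.1/24;
            }
        }
        unit 20 {
            family inet {
                filter {
                    input protect-self;
                }
                address 10.10.20.1/24;
            }
        }
    }
}
```

The operational cost of the workaround is the part the reply is complaining about: every routed interface must carry the filter, and every address change or new routed interface means editing the hard-coded destination-address lists, or the control plane is silently exposed on that interface.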