[j-nsp] Firewall filtering in EX3200

Kaj Niemi kajtzu at basen.net
Mon Apr 28 15:40:10 EDT 2008 

On Apr 28, 2008, at 21:01, Richard A Steenbergen wrote:

> On Sun, Apr 27, 2008 at 11:14:29PM +0300, Juha Suhonen wrote:
>> Hello, Juniper gurus!
>>
>> We recently got few Juniper EX3200's, after paging thru the (quite
>> inconsistent and scattered) documentation on Juniper's web site I  
>> still
>> haven't been able to find a solution to this (probably quite simple)
>> problem.
> ...
>> In Juniper routers, I'd stick a firewall filter to the "lo0"  
>> interface and
>> be happy with it, but EX3200 complains about this configuration -  
>> "Filters
>> are not supported on loopback or LAG interface lo0".
>
> Yeah I found the same problem, and I'm pretty sure there is  
> currently no
> other way to do it (short of filters on every other interface, with
> hardcoded IPs). With any luck this will be fixable in future  
> versions of
> code, but technically speaking we really have no idea if this is even
> supported in hardware at all. Hopefully someone from Juniper can  
> confirm.
>
> To me things like "oh woops we forgot to mention, no filters on the
> control-plane or LAG interfaces" are 1000x more interesting than  
> hooking
> up a box to a traffic generator and watching it pass ordinary packets
> successfully. Wait until you see the reduced number of things you can
> match on once you actually do get a filter working. :)

IMNSHO, control-plane filtering (and CoPP) should have been there from  
FCS. While technically the box seems nice and the per-port price seems  
to be a bit lower than vendor C some features just need to be there  
for the box to participate in the internet as we know it today. ;-)  
This holds true especially if you're planning to use the EX as a  
router instead of a layer 2 switch with the management interface  
protected in a management lan (or something). The lack of filtering  
isn't obvious when one reads through the documentation either (until  
you try it and are negatively surprised). The closest thing to an  
unsupported statement list is Table 123 on page 820 which lists  
specific filter features not supported in EX.

To be fair, the manual does state that filters aren't supported on LAG  
interfaces (page 748 ;-)) but there is no mention on loopbacks at all.




HTH

Kaj
-- 
Kaj J. Niemi
<kajtzu at basen.net>
+358 45 63 12000

More information about the juniper-nsp mailing list