[j-nsp] EX4200 firewall only filters on physical ingress/egress?

Charlie Allom charlie at playlouder.com
Wed Mar 10 20:25:27 EST 2010


Hello,

Has anyone come up against this with the EX4200s, that a firewall
filter will only affect a packet traversing a physical interface?

==trunk==>[port A] (RVI A)..(RVI B) [port B]--access-->
                               ^
   filter applied here --------|

I was expecting the filter on 'input' on RVI B to block traffic, but it
only works entirely when you filter on its 'output'.

Otherwise the host behind [port B] gets the SYN, SYN-ACKs back, and /then/ it
is blocked by the ethernet-switching or inet filter.

The docs don't mention this, except that they never give an example of
filtering on an RVI, just physical routed interfaces. But they DO say
you can do it: page 1368 of the "Software Guide for EX Series Ethernet
Switches, Release 10.0".

What gives? (I have a case open with JTAC but it's hopeless trying to
convince them to grasp and replicate, so far)


  C.
-- 
 020 7729 4797
 http://blog.playlouder.com/
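
Added configuration sketch for the topology in the post (example only, not the
poster's configuration and not from the Juniper guide). VLAN IDs, addresses,
the filter name and the match terms are all hypothetical; RVI B is vlan.20 here.
One caveat worth keeping in mind when reading the post: on a Junos routed
interface, including an RVI, `input` matches packets the switch receives on that
interface from its VLAN, while `output` matches packets the switch sends out of
it into the VLAN. Traffic flowing from the trunk side towards the host behind
[port B] is therefore `output` on RVI B, which is the direction the post reports
as working. Both attachments are shown so the two can be compared; the `count`
action gives a counter to check whether a term is being hit at all.

```junos
/* Added example, not the poster's configuration. All names, VLAN IDs and
   addresses are hypothetical. */
vlans {
    vlan-b {
        vlan-id 20;
        l3-interface vlan.20;    /* RVI B */
    }
}
firewall {
    family inet {
        filter block-ssh-to-b {
            term drop-ssh {
                from {
                    source-address {
                        10.0.10.0/24;    /* hypothetical subnet behind RVI A */
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    count drop-ssh-hits;  /* counter: did this term ever match? */
                    discard;              /* EX filters discard; no ICMP reject */
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 20 {
            family inet {
                address 10.0.20.1/24;    /* hypothetical RVI B address */
                filter {
                    /* Direction the post expected to block trunk->host traffic.
                       In Junos terms this only sees packets arriving from the
                       hosts on VLAN 20, e.g. their replies. */
                    input block-ssh-to-b;
                    /* Direction the post reports as actually blocking it:
                       packets routed out of RVI B towards [port B]. */
                    output block-ssh-to-b;
                }
            }
        }
    }
}
```

To see which attachment is doing the work, apply one direction at a time,
generate a connection from the trunk side, and read the counter with
`show firewall filter block-ssh-to-b`: a rising `drop-ssh-hits` on the
`output` attachment, and none on `input`, matches the behaviour the post
describes.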


More information about the juniper-nsp mailing list