[j-nsp] EX4200 firewall only filters on physical ingress/egress?
Charlie Allom
charlie at playlouder.com
Tue Mar 23 14:10:45 EDT 2010
JTAC have confirmed that the port has to be crossed to have the filter
come into effect.
Hence L2 VLAN filters (VACLs) have their input/output meaning
reversed.
Not sure if my previous email makes sense, but thought I would update
here anyway.
Regards,
C.
On Thu, Mar 11, 2010 at 01:25:27AM +0000, Charlie Allom wrote:
> Hello,
>
> Has anyone come up against this with the EX4200s? That a firewall
> filter will only affect a packet traversing a physical interface.
>
> ==trunk==>[port A] (RVI A)..(RVI B) [port B]--access-->
> ^
> filter applied here --------|
>
> I was expecting the filter on 'input' on RVI B to block traffic, but it
> only works entirely when you filter on its 'output'.
>
> Else the host behind [port B] gets the SYN, SYNACKs back, and /then/ it
> is blocked by the ethernet-switching or inet filter.
>
> The docs don't mention this, except they never give an example of
> filtering on an RVI, just physical routed interfaces. But they DO say
> you can do it: page 1368 of the "Software Guide for EX Series Ethernet
> Switches, Release 10.0".
>
> What gives? (I have a case open with JTAC but it's hopeless trying to
> convince them to grasp and replicate, so far)
>
>
> C.
> --
> 020 7729 4797
> http://blog.playlouder.com/
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
--
020 7729 4797
http://blog.playlouder.com/
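To make the placement point concrete, here is an added configuration example (not from the original thread or from Juniper's documentation) that shows the two attachment points discussed: the same filter applied on the RVI's output, which the thread reports as taking effect, and on the RVI's input, which it reports as not blocking the first packet. The filter name, VLAN id, unit number and port are assumed for illustration.

```junos
/* Assumed filter: drop inbound TCP SYNs to port 22 for the host behind port B. */
firewall {
    family inet {
        filter BLOCK-SSH-SYN {
            term drop-syn {
                from {
                    protocol tcp;
                    destination-port 22;
                    tcp-flags "syn & !ack";
                }
                then discard;
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
/* RVI B (assumed unit 20 on VLAN 20). Per the thread, attaching the filter
   as "output" here is what actually blocks the SYN before it reaches the
   host behind port B; attaching it as "input" on this RVI did not. */
interfaces {
    vlan {
        unit 20 {
            family inet {
                filter {
                    output BLOCK-SSH-SYN;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
```

Whichever direction you settle on, verify with `show firewall filter BLOCK-SSH-SYN` counters (add a `count` action to the term) and a test connection from the trunk side, since the direction that takes effect on an RVI is not the one the physical-interface examples in the guide would suggest.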