[j-nsp] EX-4200 Firewall Filter Placement

Emil Katzarski ekatzarski at gmail.com
Tue May 25 07:20:36 EDT 2010


Hi,

Placing the firewall filter at the L3 interface will not affect any
traffic traversing the switch! As I understand, there is only one VLAN
and only one L3 interface. That means that there is no L3 routing for
user traffic. All user traffic is forwarded via Ethernet switching.
Only traffic for the switch itself will be affected.

The place to put a firewall filter to protect the control plane of the
switch is lo0. If you would like to filter transit traffic you should
place the firewall filter at the interfaces or on the VLAN.

On Tue, Apr 27, 2010 at 7:30 PM, Mark Tinka <mtinka at globaltransit.net> wrote:
> On Tuesday 27 April 2010 07:00:43 pm Walaa Abdel razzak
> wrote:
>
>> I have an EX-4200 switch with JUNOS 9.6R2.11. All interfaces
>>  are put in VLAN 1 and an L3 interface is configured in the
>>  same VLAN for reachability. I need to know what is the
>>  best place to put the firewall filter on the switch (lo0
>>  or vlan.1 or uplink interface).
>
> If the firewall is meant to filter traffic destined for the
> switch, e.g., SSH, TACACS+, etc., place it on the Loopback
> interface in the inbound direction.
>
> If the firewall is meant to filter traffic transiting the
> switch, e.g., BCP-38, filtering of user traffic, etc.,
> place it on the L3 interface in the appropriate direction.
>
> Cheers,
>
> Mark.



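The placement discussed in this thread, written out as Junos `set` commands for a switch where user traffic is only switched at L2. This is an added example, not configuration from any of the posters; the filter names, the VLAN name `USERS`, the port `ge-0/0/0`, the blocked service and the documentation prefix `192.0.2.0/24` are assumptions.

```junos
# Assumed names: PROTECT-RE, USER-TRANSIT, VLAN "USERS", port ge-0/0/0,
# management prefix 192.0.2.0/24 (documentation range).

# 1) Control plane: traffic addressed to the switch itself -> lo0, input.
set firewall family inet filter PROTECT-RE term ssh-mgmt from source-address 192.0.2.0/24
set firewall family inet filter PROTECT-RE term ssh-mgmt from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-mgmt from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-mgmt then accept
set firewall family inet filter PROTECT-RE term ssh-other from protocol tcp
set firewall family inet filter PROTECT-RE term ssh-other from destination-port ssh
set firewall family inet filter PROTECT-RE term ssh-other then discard
# A filter ends in an implicit discard; this last term keeps the rest of
# the traffic to the switch (TACACS+, ICMP, ...) working.
set firewall family inet filter PROTECT-RE term everything-else then accept
set interfaces lo0 unit 0 family inet filter input PROTECT-RE

# 2) Transit traffic that is only switched (no routing through vlan.1):
#    use an ethernet-switching filter on the VLAN or on the port.
set firewall family ethernet-switching filter USER-TRANSIT term no-telnet from protocol tcp
set firewall family ethernet-switching filter USER-TRANSIT term no-telnet from destination-port telnet
set firewall family ethernet-switching filter USER-TRANSIT term no-telnet then discard
# Explicit accept so non-matching frames are not hit by the implicit discard.
set firewall family ethernet-switching filter USER-TRANSIT term everything-else then accept

# Apply to the whole VLAN ...
set vlans USERS filter input USER-TRANSIT
# ... or to a single access port instead.
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input USER-TRANSIT
```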