[j-nsp] Port (layer 2) firewall filters
Chuck Anderson
cra at WPI.EDU
Fri Oct 29 08:20:25 EDT 2010
On Fri, Oct 29, 2010 at 04:07:19PM +0400, Muhammad Rehan wrote:
> Dear Team,
>
> [edit firewall family ethernet-switching filter My_filter]
> term A {
>     from {
>         source-address 10.0.0.10/32;
>     }
>     then discard;
> }
> term B {
>     then accept;
> }
>
> [edit interfaces ge-0/0/0 unit 0 family ethernet-switching]
> set filter input My_filter
>
> user1 connected to ge-0/0/0 has IP 10.0.0.10/8
>
> user2 connected to ge-0/0/4 has IP 10.0.0.30/8
>
> both ge-0/0/0 and ge-0/0/4 are in same VLAN 10
>
> But when I applied this configuration on my EX4200 switch, both users
> (the ones connected to ge-0/0/0 and ge-0/0/4) get "request timed out"
> when they try to ping each other. After removing this filter the ping is
> successful.
>
> Can you guys please explain to me why this behaviour occurs?
Ping requests & replies from user1 have a source address of 10.0.0.10
and show up as input to ge-0/0/0, therefore they get dropped by the
filter. So pings time out in both directions, user1 -> user2 because
the ping request is filtered, user2 -> user1 because the ping reply is
filtered.