[j-nsp] ex4200 egress filter
Emmanuel Halbwachs
Emmanuel.Halbwachs at obspm.fr
Thu Apr 28 08:30:15 EDT 2011
Hello,
Nick Ryce wrote (Thu, Apr 28, 2011 at 10:35:53AM +0100):
> We currently have an issue where we are unable to use
> tcp-established on egress firewall filters. We need this as we have
> firewall filters per customer applied to their own vlan. If the
> server initiates a connection we want the return traffic allowed (
> normally we use tcp-established in cisco land ).
We hit the same problem.
> Is there any known work around?
No. Juniper told us this is a hardware limitation. tcp-flags will
never be supported on EX4200 (don't know for EX8200).
I have no knowledge of switch design, but I don't understand
why pattern-matching some bits in TCP headers is difficult on egress.
Note that syslog on egress firewall filters is also not possible.
Cheers,
--
Emmanuel Halbwachs
Network/Security Manager
tel: +33 1 45 07 75 54
fax: +33 1 45 07 01 89
Observatoire de Paris-Meudon
5 Place Jules Janssen
F 92195 MEUDON CEDEX
vehicles: 11 av. Marcellin Berthelot
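For readers unfamiliar with the Junos equivalent of Cisco's `established` keyword, here is an added example (not from the thread or from Juniper) of the per-customer filter the thread is talking about. The filter name, counter name, and `vlan.100` unit are assumptions; `tcp-established` is shorthand for `tcp-flags "(ack | rst)"`, so it is a stateless bit match, which is exactly the match the thread says the EX4200 cannot evaluate in the `output` direction.

```junos
/* Assumed names: CUSTOMER-A-RETURN, customer-a-drop, vlan unit 100 */
firewall {
    family inet {
        filter CUSTOMER-A-RETURN {
            /* Accept only segments of sessions that are already set up */
            term allow-established {
                from {
                    protocol tcp;
                    /* equivalent to: tcp-flags "(ack | rst)" */
                    tcp-established;
                }
                then accept;
            }
            /* Count what is dropped so misses are visible in show firewall */
            term deny-rest {
                then {
                    count customer-a-drop;
                    discard;
                }
            }
        }
    }
}
interfaces {
    vlan {
        unit 100 {
            family inet {
                filter {
                    /* Accepted in the input direction; per the thread,
                       the same filter as "output" is not supported on EX4200 */
                    input CUSTOMER-A-RETURN;
                }
            }
        }
    }
}
```

Because the match is stateless, a crafted segment with ACK set also passes the first term; that is the usual caveat with `established`-style filtering on either vendor, and the counter on the last term is the only visibility this filter gives into what it rejects.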