[j-nsp] QFX5100 firewall family ethernet-switching rules
Panny Malialis
panny at hotlinks.uk
Tue May 16 16:46:23 EDT 2017
Hi all,
I am trying to configure an input filter on a LACP bundle interface but
it does not behave as expected.
Take the following examples:
firewall {
    family ethernet-switching {
        filter acl1 {
            term a {
                from {
                    ip-protocol icmp;
                }
                then accept;
            }
            term b {
                from {
                    ip-source-address {
                        1.2.3.4/32;
                    }
                }
                then accept;
            }
            term c {
                from {
                    ip-protocol [ tcp udp ];
                }
                then discard;
            }
        }
        filter acl2 {
            term a {
                from {
                    ip-source-address {
                        1.2.3.4/32;
                    }
                }
                then discard;
            }
            term b {
                then accept;
            }
        }
    }
}
When I apply acl1, it seems to kill all traffic on the interface and
does not allow anything through.
When I apply acl2, it does do what you would expect.
The switch is acting simply as a layer 2 device and the input filter is
being applied on the LAG bundle connected to the upstream.
Also, if I don't specify [tcp udp] on acl1, it actually kills the LAG
towards the upstream completely. Weird!
Can anyone please shed any light on what I may be doing wrong?
Thanks in advance,
Panny Malialis
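As an added example (not part of the post above), a small Python model of how Junos evaluates a firewall filter: terms are checked in order, the first match decides, a term with no "from" matches every frame, and a frame that matches no term hits the filter's implicit final discard. The two filters mirror acl1 and acl2 from the post; the sample frames are constructed, and the model assumes ip-* match conditions can only match IPv4 frames.

```python
# Added example: model of Junos filter term evaluation, not vendor code.
# First matching term wins; an empty "from" matches everything; a frame that
# matches no term is dropped by the implicit discard at the end of the filter.
import ipaddress

# Constructed sample frames, as an upstream-facing layer-2 LAG might carry.
FRAMES = {
    "arp-request":   {"ethertype": "arp"},
    "icmp-echo":     {"ethertype": "ipv4", "ip-protocol": "icmp", "src": "10.0.0.5"},
    "tcp-from-1234": {"ethertype": "ipv4", "ip-protocol": "tcp",  "src": "1.2.3.4"},
    "tcp-other":     {"ethertype": "ipv4", "ip-protocol": "tcp",  "src": "10.0.0.9"},
    "ospf-hello":    {"ethertype": "ipv4", "ip-protocol": "ospf", "src": "10.0.0.1"},
}

# Filters as in the post: each term is (from-conditions, then-action).
ACL1 = [
    ({"ip-protocol": ["icmp"]}, "accept"),
    ({"ip-source-address": ["1.2.3.4/32"]}, "accept"),
    ({"ip-protocol": ["tcp", "udp"]}, "discard"),
]
ACL2 = [
    ({"ip-source-address": ["1.2.3.4/32"]}, "discard"),
    ({}, "accept"),  # no "from" clause: matches every frame
]

def term_matches(conditions, frame):
    """Every 'from' condition must hold; ip-* conditions need an IPv4 frame."""
    for key, values in conditions.items():
        if frame["ethertype"] != "ipv4":
            return False  # ARP, LLDP etc. never match an ip-* condition
        if key == "ip-protocol" and frame["ip-protocol"] not in values:
            return False
        if key == "ip-source-address":
            src = ipaddress.ip_address(frame["src"])
            if not any(src in ipaddress.ip_network(v) for v in values):
                return False
    return True

def evaluate(filter_terms, frame):
    """Return the action of the first matching term, else the implicit discard."""
    for conditions, action in filter_terms:
        if term_matches(conditions, frame):
            return action
    return "discard"  # Junos: unmatched traffic hits the implicit final discard

def run(filter_terms):
    """Map each sample frame name to the action the filter takes on it."""
    return {name: evaluate(filter_terms, f) for name, f in FRAMES.items()}

if __name__ == "__main__":
    for label, terms in (("acl1", ACL1), ("acl2", ACL2)):
        print(label, run(terms))
```

Running it shows acl1 dropping the ARP frame (no term matches a non-IP frame, so the implicit discard applies), while acl2 passes it through term b.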