[j-nsp] QFX5100 firewall family ethernet-switching rules
Nitzan Tzelniker
nitzan.tzelniker at gmail.com
Tue May 16 16:51:30 EDT 2017
As this is also applied to L2 it might also kill L2 traffic like LACP/ARP
...
Try to add another term with "then accept" at the end of acl1, like you did in
acl2.
Nitzan
On Tue, May 16, 2017 at 11:46 PM, Panny Malialis <panny at hotlinks.uk> wrote:
> Hi all,
>
>
> I am trying to configure an input filter on a LACP bundle interface but it
> does not behave as expected.
>
> Take the following examples:
>
> firewall {
>     family ethernet-switching {
>         filter acl1 {
>             term a {
>                 from {
>                     ip-protocol icmp;
>                 }
>                 then accept;
>             }
>             term b {
>                 from {
>                     ip-source-address {
>                         1.2.3.4/32;
>                     }
>                 }
>                 then accept;
>             }
>             term c {
>                 from {
>                     ip-protocol [ tcp udp ];
>                 }
>                 then discard;
>             }
>         }
>         filter acl2 {
>             term a {
>                 from {
>                     ip-source-address {
>                         1.2.3.4/32;
>                     }
>                 }
>                 then discard;
>             }
>             term b {
>                 then accept;
>             }
>         }
>     }
> }
>
>
> When I apply acl1, it seems to kill all traffic on the interface and does
> not allow anything through.
>
> When I apply acl2, it does do what you would expect.
>
> The switch is acting simply as a layer 2 device and the input filter is
> being applied on the LAG bundle connected to the upstream.
>
> Also, if I don't specify [tcp udp] on acl1 it actually kills the LAG
> towards the upstream completely, weird!
>
> Can anyone please shed any light on what I may be doing wrong?
>
> Thanks in advance,
>
> Panny Malialis
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
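The fix the reply suggests, written out as an added example (this is not config from the original thread): acl1 with an explicit catch-all accept as its last term. Junos ends every firewall filter with an implicit discard, so in the original acl1 any frame that is not ICMP, not from 1.2.3.4/32 and not TCP/UDP, which on a family ethernet-switching filter includes ARP and the LACP PDUs holding the bundle up, fell through to that discard; acl2 worked because its last term is an unconditional accept. The term name and counter name below are illustrative, and the match syntax is the same the poster used on the QFX5100.

```junos
firewall {
    family ethernet-switching {
        filter acl1 {
            term a {
                from {
                    ip-protocol icmp;
                }
                then accept;
            }
            term b {
                from {
                    ip-source-address {
                        1.2.3.4/32;
                    }
                }
                then accept;
            }
            term c {
                from {
                    ip-protocol [ tcp udp ];
                }
                then discard;
            }
            /* Added catch-all term (illustrative name). Without it, every
               frame no earlier term matched hits the implicit discard at the
               end of the filter; on an ethernet-switching filter that includes
               ARP and LACP, which is why the LAG went down. The counter lets
               you see how much traffic reaches this term. */
            term allow-rest {
                then {
                    count other-frames;
                    accept;
                }
            }
        }
    }
}
```

After committing, "show firewall filter acl1" shows the per-term counters, so a rising other-frames count confirms the non-IP control traffic is now being accepted rather than silently discarded. The caveat is that a final accept turns acl1 into a filter that only denies what term c discards; if the intent was deny-by-default, the ARP and LACP control traffic would instead need explicit accept terms ahead of the implicit discard, and the match conditions for those are not shown in this thread.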