Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EX] Understanding VLAN/IRB firewall filter behavior on EX4300

0

1
Article ID: KB34013 KB Last Updated: 13 Apr 2019Version: 1.0 Summary:

On EX4300 Series switches, firewall filters can be configured to accept, count, and discard packets among other actions based on matching criteria. These filters can be applied in ingress and egress directions on VLANs and on physical or logical (including IRBs) interfaces. To properly apply filters on VLANs and IRBs, it is necessary to understand how a switch behaves while analyzing inbound and outbound traffic flows.

This article explains how EX4300 switches react and handle matching destination and source filter criteria on IRBs and VLANs.

 

Symptoms:

Consider the following filter traffic from Host A to Host B and from Host B to Host A.

 

Solution:

When using matching criteria for the source and destination firewall filters, such as IP addresses on IRBs and VLANs, traffic will pass through the filter only if the filter is applied in the right direction.

VLAN A > B

If the goal is to capture traffic from Host A to B, then filters must be applied in the ingress direction on VLAN A and/or in the egress direction on VLAN B:

  1. Example configuration on VLAN filters

set firewall family ethernet-switching filter L2_From_A_To_B term 1 from icmp-type echo-request
set firewall family ethernet-switching filter L2_From_A_To_B term 1 from ip-source-address 10.10.10.2/32
set firewall family ethernet-switching filter L2_From_A_To_B term 1 from ip-destination-address 20.20.20.2/32
set firewall family ethernet-switching filter L2_From_A_To_B term 1 then discard
set firewall family ethernet-switching filter L2_From_A_To_B term 1 then count L2_Counter
set firewall family ethernet-switching filter L2_From_A_To_B term 2 then accept

set vlans Vlan_A vlan-id 1
set vlans Vlan_A l3-interface irb.1
set vlans Vlan_A forwarding-options filter input L2_From_A_To_B
set vlans Vlan_B vlan-id 2
set vlans Vlan_B l3-interface irb.2
set vlans Vlan_B forwarding-options filter output L2_From_A_To_B
 

Result (filter either on VLAN A or VLAN B)

  
HostA> ping 20.20.20.2    
PING 20.20.20.2 (20.20.20.2): 56 data bytes
...
--- 20.20.20.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

show firewall    
Filter: L2_From_A_To_B                                         
Counters:
Name                                                Bytes              Packets
L2_Counter                                            204                    2
 

  1. Example configuration on IRB filters

set firewall family inet filter L3_From_A_To_B term 1 from source-address 10.10.10.2/32
set firewall family inet filter L3_From_A_To_B term 1 from destination-address 20.20.20.2/32
set firewall family inet filter L3_From_A_To_B term 1 from icmp-type echo-request
set firewall family inet filter L3_From_A_To_B term 1 then count L3_Counter
set firewall family inet filter L3_From_A_To_B term 1 then discard
set firewall family inet filter L3_From_A_To_B term 2 then accept

set interfaces irb unit 1 family inet address 10.10.10.1/24
set interfaces irb unit 1 family inet filter input L3_From_A_To_B

set interfaces irb unit 2 family inet address 20.20.20.1/24
set interfaces irb unit 2 family inet filter output L3_From_A_To_B
 

Result (IRB.1 incoming traffic)

  
HostA> ping 20.20.20.2    
PING 20.20.20.2 (20.20.20.2): 56 data bytes
...
--- 20.20.20.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

show firewall 
Filter: L3_From_A_To_B-irb.1-i                                 
Counters:
Name                                                Bytes              Packets
L3_Counter-irb.1-i                                    204                    2
 

Result (IRB.2 outgoing traffic)

  
HostA> ping 20.20.20.2    
PING 20.20.20.2 (20.20.20.2): 56 data bytes
...
--- 20.20.20.2 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss

show firewall 
Filter: L3_From_A_To_B-irb.2-o                                 
Counters:
Name                                                Bytes              Packets
L3_Counter-irb.2-o                                    204                    2
 

VLAN B > A

If, on the other hand, we need to capture traffic from Host B to Host A, filters must be configured as ingress on VLAN B and as egress on VLAN A:

  1. Example configuration on VLAN filters

set firewall family ethernet-switching filter L2_From_B_To_Aterm 1 from icmp-type echo-reply
set firewall family ethernet-switching filter L2_From_B_To_Aterm 1 from ip-source-address 20.20.20.2/32
set firewall family ethernet-switching filter L2_From_B_To_Aterm 1 from ip-destination-address 10.10.10.2/32
set firewall family ethernet-switching filter L2_From_B_To_Aterm 1 then discard
set firewall family ethernet-switching filter L2_From_A_To_B term 1 then count L2_Counter
set firewall family ethernet-switching filter L2_From_B_To_Aterm 2 then accept

set vlans Vlan_A vlan-id 1
set vlans Vlan_A l3-interface irb.1
set vlans Vlan_A forwarding-options filter output From_B_To_A

set vlans Vlan_B vlan-id 2
set vlans Vlan_B l3-interface irb.2
set vlans Vlan_B forwarding-options filter input From_B_To_A
 

The result in this case is the same as that in example 1.

  1. Example configuration on IRB filters

set firewall family inet filter L3_From_B_To_A term 1 from source-address 20.20.20.2/32
set firewall family inet filter L3_From_B_To_A term 1 from destination-address 10.10.10.2/32
set firewall family inet filter L3_From_B_To_A term 1 from icmp-type echo-reply
set firewall family inet filter L3_From_B_To_A term 1 then discard
set firewall family inet filter L3_From_B_To_A term 2 then accept

set interfaces irb unit 1 family inet address 10.10.10.1/24
set interfaces irb unit 1 family inet filter output L3_From_B_To_A

set interfaces irb unit 2 family inet address 20.20.20.1/24
set interfaces irb unit 2 family inet filter input L3_From_B_To_A
 

The result in this case is the same as that in example 2 but in the opposite direction.

 

Note: When inter-VLAN traffic handling occurs, the packets are moved internally from one VLAN to the next one. This under-layer movement goes beyond firewall filter capabilities, which means that filters will not analyze PFE traffic moving from VLAN A to VLAN B and from VLAN B to VLAN A.

 

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search