Firewall Filter on Juniper's EX-series Switches
Firewall filters provide rules that define whether to permit or deny packets transiting an interface on a switch or router, matched on criteria such as source and destination address. On EX-series switches they can be applied to ports, VLANs, or Layer 3 interfaces.
The following firewall filter types are supported for EX-series switches:
- Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 switch ports. You can apply port firewall filters only in the ingress direction on a physical port.
Example.
ge-0/0/0 {
    description "voice priority and tcp and icmp traffic rate-limiting filter at ingress port";
    unit 0 {
        family ethernet-switching {
            filter {
                input ingress-port-voip-class-limit-tcp-icmp;
            }
        }
    }
}
- VLAN firewall filter—VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a LAN, and leave a VLAN. You can apply VLAN firewall filters in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all packets that are forwarded to or forwarded from the VLAN.
Example.
vlans {
    guest-vlan {
        description "restrict guest-to-employee traffic and peer-to-peer applications on guest VLAN";
        filter {
            input ingress-vlan-limit-guest;
        }
    }
}
- Router (Layer 3) firewall filter—You can apply a router firewall filter in both ingress and egress directions on Layer 3 (routed) interfaces.
Example.
ge-0/1/0 {
    unit 0 {
        description "filter at egress router interface to expedite employee traffic destined for corporate network";
        family inet {
            filter {
                output egress-router-corp-class;
            }
        }
    }
}
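The three snippets above only attach filters to a port, a VLAN and a routed interface; the filters themselves are never defined. The following configuration is an added example (not from the original article or from Juniper's documentation) that defines the port filter and the VLAN filter under family ethernet-switching and the routed filter under family inet, with the same names the article applies. The term bodies, the policer rate, the counter names and the 10.10.0.0/16 employee subnet and 10.20.0.0/16 corporate subnet are all assumptions made for illustration; the exact set of match conditions available under family ethernet-switching differs between EX models, so check the match-condition table for your platform before committing.

```junos
firewall {
    /* Assumed policer: caps matching traffic at 1 Mbps and drops the excess */
    policer tcp-icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 64k;
        }
        then discard;
    }
    family ethernet-switching {
        /* Port (Layer 2) filter: prioritise voice, rate-limit TCP and ICMP, pass the rest */
        filter ingress-port-voip-class-limit-tcp-icmp {
            term voip-priority {
                from {
                    dscp ef;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            term limit-tcp-icmp {
                from {
                    ip-protocol [ tcp icmp ];
                }
                then {
                    policer tcp-icmp-1m;
                    count tcp-icmp-policed;
                    accept;
                }
            }
            /* Every filter ends with an implicit discard; this term keeps other traffic flowing */
            term allow-rest {
                then accept;
            }
        }
        /* VLAN filter: guests may not reach the (assumed) employee subnet */
        filter ingress-vlan-limit-guest {
            term deny-guest-to-employee {
                from {
                    destination-address 10.10.0.0/16;
                }
                then {
                    count guest-to-employee-denied;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
    family inet {
        /* Router (Layer 3) egress filter: expedite traffic to the (assumed) corporate subnet */
        filter egress-router-corp-class {
            term corp-expedite {
                from {
                    destination-address 10.20.0.0/16;
                }
                then {
                    forwarding-class expedited-forwarding;
                    accept;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
```

The `allow-rest` terms are the detail most often forgotten: a Junos firewall filter discards anything no term accepts, so a filter written only to block or classify a subset of traffic will silently black-hole everything else once it is attached. Apply a new filter with `commit confirmed` so a mistake rolls back on its own, and watch the named counters with `show firewall filter ingress-vlan-limit-guest` to confirm the deny term is matching what you expect before relying on it.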