iT邦幫忙


juniper EX3300 firewall filter configuration question

Hello all:
I have been playing with Juniper recently and ran into a few questions.

# Filter TEST1: accept frames from the listed sources, discard everything else.
# A /24 prefix length here matches every address in 192.168.200.0/24, not a single host; /32 would match one host.
set firewall family ethernet-switching filter TEST1 term A1 from source-address 192.168.200.20/24
set firewall family ethernet-switching filter TEST1 term A1 from source-address 192.168.200.25/24
set firewall family ethernet-switching filter TEST1 term A1 then accept
# Term A2 has no match conditions, so it catches every frame A1 did not match (non-IP frames such as ARP included).
set firewall family ethernet-switching filter TEST1 term A2 then discard
# Access ports in VLAN G300.
set interfaces ge-0/0/4 unit 0 family ethernet-switching vlan members G300
set interfaces ge-0/0/5 unit 0 family ethernet-switching vlan members G300
# Routed VLAN interface (RVI) for G300.
set interfaces vlan unit 300 family inet address 192.168.200.1/24
# Filter applied at the VLAN level: every frame entering G300 is evaluated, switched or routed.
set vlans G300 filter input TEST1
set vlans G300 l3-interface vlan.300
set vlans default l3-interface vlan.0

After the configuration above, I can ping 192.168.200.1, but the PCs in the same subnet (200.20 and 200.25) cannot ping each other.
But if I change ethernet-switching to inet and apply it as follows:

# TEST1 redefined under family inet and applied to the routed interface (unit 100 as posted; the RVI configured above is vlan.300).
# An inet filter on the RVI only sees packets handed to that interface, not frames switched within the VLAN.
set interfaces vlan unit 100 family inet filter input TEST1

then the switch and the permitted PCs can be pinged.
Does ethernet-switching have some restriction on how it can be used?

Update:
I tested reversing the rules: deny the following IPs and let all other IPs through.

# Reversed filter: discard frames from the listed sources, accept everything else.
# The /24 prefix length again covers the whole 192.168.200.0/24 subnet rather than one host.
set firewall family ethernet-switching filter TEST1 term A1 from source-address 192.168.200.20/24
set firewall family ethernet-switching filter TEST1 term A1 from source-address 192.168.200.25/24
set firewall family ethernet-switching filter TEST1 term A1 then discard
# Catch-all accept: matches everything A1 did not, ARP included.
set firewall family ethernet-switching filter TEST1 term A2 then accept

With this, the IPs above can neither ping each other nor ping the switch; after changing the two PCs' IPs, they can ping each other and ping the switch.
Does ethernet-switching follow some specific rules?

Please refer to https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/firewall-filter-ex-series-cli.html#jd0e19

L2 and L3 behave differently.
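The difference the post runs into is where each filter sits in the forwarding path and what a `from source-address` term can match. A VLAN-level `family ethernet-switching` filter is evaluated against every frame entering the VLAN, and a source-address term is an IPv4 header match, so a frame with no IPv4 header (an ARP request, for instance) never matches term A1 and falls through to the catch-all A2; an inet filter on the RVI, by contrast, only sees IPv4 packets delivered to or routed through that interface and never sees frames switched between two access ports. The following Python model of term evaluation is an added illustration, not the poster's configuration or Junos code; it assumes Junos applies a prefix such as 192.168.200.20/24 as the whole 192.168.200.0/24 (host bits ignored), treats the implicit final action as discard, and models an added `ether-type arp` term as a hypothetical fix to check against the Juniper documentation linked above. All frames below are constructed sample traffic.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Frame:
    ether_type: str                 # "ipv4" or "arp"
    src_ip: Optional[str] = None    # IPv4 source; only meaningful when ether_type == "ipv4"
    hits_rvi: bool = False          # True if the packet is delivered to or routed via vlan.300


@dataclass
class Term:
    name: str
    action: str                                     # "accept" or "discard"
    source_prefixes: List[str] = field(default_factory=list)  # `from source-address ...`
    ether_type: Optional[str] = None                # models `from ether-type arp`


def term_matches(term: Term, frame: Frame) -> bool:
    """A term matches only if every configured condition holds."""
    if term.ether_type is not None and frame.ether_type != term.ether_type:
        return False
    if term.source_prefixes:
        # source-address is an IPv4 header match: a non-IP frame can never satisfy it.
        if frame.ether_type != "ipv4":
            return False
        src = ipaddress.ip_address(frame.src_ip)
        # Assumption: host bits in the configured prefix are ignored, so
        # 192.168.200.20/24 covers all of 192.168.200.0/24 (strict=False does that).
        if not any(src in ipaddress.ip_network(p, strict=False) for p in term.source_prefixes):
            return False
    return True


def evaluate(terms: List[Term], frame: Frame) -> Tuple[str, str]:
    """First matching term wins; a filter with no match ends in an implicit discard."""
    for t in terms:
        if term_matches(t, frame):
            return t.name, t.action
    return "implicit", "discard"


def vlan_l2_filter(terms: List[Term], frame: Frame) -> Tuple[str, str]:
    """`set vlans G300 filter input TEST1`: every frame entering the VLAN is inspected."""
    return evaluate(terms, frame)


def rvi_inet_filter(terms: List[Term], frame: Frame) -> Tuple[str, str]:
    """`set interfaces vlan unit N family inet filter input TEST1`: only IPv4 packets
    handed to the routed interface are inspected; intra-VLAN switched frames and
    ARP never reach it."""
    if frame.ether_type != "ipv4" or not frame.hits_rvi:
        return "not-inspected", "accept"
    return evaluate(terms, frame)


# The posted filter: accept the two listed sources, discard everything else.
TEST1 = [
    Term("A1", "accept", ["192.168.200.20/24", "192.168.200.25/24"]),
    Term("A2", "discard"),
]
# Same intent with host prefixes, to show what /24 versus /32 changes.
TEST1_HOSTS = [
    Term("A1", "accept", ["192.168.200.20/32", "192.168.200.25/32"]),
    Term("A2", "discard"),
]
# Hypothetical fix: let ARP through before the catch-all discard.
TEST1_WITH_ARP = [Term("ARP", "accept", ether_type="arp")] + TEST1

# Constructed sample traffic.
ARP_20_FOR_25 = Frame("arp")                                  # PC .20 resolving PC .25
ICMP_20_TO_25 = Frame("ipv4", "192.168.200.20")               # switched inside G300
ICMP_20_TO_RVI = Frame("ipv4", "192.168.200.20", hits_rvi=True)  # ping to 192.168.200.1
ICMP_30_TO_25 = Frame("ipv4", "192.168.200.30")               # a third host in the subnet


if __name__ == "__main__":
    for label, frame in [("ARP .20->.25", ARP_20_FOR_25), ("ICMP .20->.25", ICMP_20_TO_25),
                         ("ICMP .20->RVI", ICMP_20_TO_RVI), ("ICMP .30->.25", ICMP_30_TO_25)]:
        print(f"{label:14} vlan/L2: {vlan_l2_filter(TEST1, frame)}  "
              f"rvi/inet: {rvi_inet_filter(TEST1, frame)}  "
              f"L2+ARP term: {vlan_l2_filter(TEST1_WITH_ARP, frame)}")
```

Run stand-alone, the model shows the L2 filter discarding the ARP request at term A2 while accepting both hosts' ICMP, the inet filter leaving intra-VLAN traffic untouched, and the /24 prefixes accepting a third host that /32 prefixes would discard. The model does not claim to reproduce every observation in the post (for example, the ping to 192.168.200.1 that still succeeded); use it to decide which filter family and prefix length matches your intent, then verify on the switch.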
