Table 384: Configuration Components: Firewall Filters - Juniper JUNOS OS 10.3 - SOFTWARE Manual

For EX Series Ethernet Switches
Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

- One Juniper Networks EX-UM-4SFP uplink module
- One Juniper Networks J-series router

Before you configure and apply the firewall filters in this example, be sure you have:

- An understanding of firewall filter concepts, policers, and CoS
- Installed the uplink module in the distribution switch. See Installing an Uplink Module in an EX3200 or EX4200 Switch.

Overview

This configuration example shows how to configure and apply firewall filters to provide rules to evaluate the contents of packets and determine when to discard, forward, classify, count, and analyze packets that are destined for or originating from the EX Series switches that handle all voice-vlan, employee-vlan, and guest-vlan traffic. Table 384 on page 3040 shows the firewall filters that are configured for the EX Series switches in this example.

Table 384: Configuration Components: Firewall Filters

Component: Port firewall filter, ingress-port-voip-class-limit-tcp-icmp
Purpose/Description: This firewall filter performs two functions:
- Assigns priority queueing to packets with a source MAC address that matches the phone MAC addresses. The forwarding class expedited-forwarding provides low loss, low delay, low jitter, assured bandwidth, and end-to-end service for all voice-vlan traffic.
- Performs rate limiting on packets that enter the ports for employee-vlan. The traffic rate for TCP and ICMP packets is limited to 1 Mbps with a burst size up to 30,000 bytes.
This firewall filter is applied to port interfaces on the access switch.

Component: VLAN firewall filter, ingress-vlan-rogue-block
Purpose/Description: Prevents rogue devices from using HTTP sessions to mimic the gatekeeper device that manages call registration, admission, and call status for VoIP calls. Only TCP or UDP ports should be used; and only the gatekeeper uses HTTP. That is, all voice-vlan traffic on TCP ports should be destined for the gatekeeper device. This firewall filter applies to all phones on voice-vlan, including communication between any two phones on the VLAN and all communication between the gatekeeper device and VLAN phones.
This firewall filter is applied to VLAN interfaces on the access switch.

Component: VLAN firewall filter, egress-vlan-watch-employee
Purpose/Description: Accepts employee-vlan traffic destined for the corporate subnet, but does not monitor this traffic. Employee traffic destined for the Web is counted and analyzed.
This firewall filter is applied to VLAN interfaces on the access switch.

Component: VLAN firewall filter, ingress-vlan-limit-guest
Purpose/Description: Prevents guests (non-employees) from talking with employees or employee hosts on employee-vlan. Also prevents guests from using peer-to-peer applications on guest-vlan, but allows guests to access the Web.
This firewall filter is applied to VLAN interfaces on the access switch.
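An added example, not taken from the manual: one way the port firewall filter described in Table 384 could be written as Junos `set` commands, with the two policers carrying the 1 Mbps / 30,000-byte limit. The policer, term, and counter names, the phone MAC address, and the interface ge-0/0/0 are assumptions chosen for illustration.

```junos
# Assumed names and sample values throughout; adapt to the actual phones and ports.

# Policers: 1 Mbps sustained rate, bursts of up to 30,000 bytes, excess discarded.
set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 1m
set firewall policer tcp-connection-policer if-exceeding burst-size-limit 30000
set firewall policer tcp-connection-policer then discard
set firewall policer icmp-connection-policer if-exceeding bandwidth-limit 1m
set firewall policer icmp-connection-policer if-exceeding burst-size-limit 30000
set firewall policer icmp-connection-policer then discard

# Function 1: frames from a known phone MAC address (constructed sample value)
# are placed in the expedited-forwarding class. This term comes first so voice
# traffic is classified before any policer term is evaluated.
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high from source-mac-address 00:00:5e:00:53:01
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then forwarding-class expedited-forwarding
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term voip-high then loss-priority low

# Function 2: rate-limit TCP and ICMP entering the port, and count the matches.
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection from protocol tcp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then policer tcp-connection-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term tcp-connection then count tcp-counter
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection from protocol icmp
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then policer icmp-connection-policer
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term icmp-connection then count icmp-counter

# A filter ends with an implicit discard, so traffic that matched no earlier
# term must be accepted explicitly or it is dropped at the port.
set firewall family ethernet-switching filter ingress-port-voip-class-limit-tcp-icmp term other-traffic then accept

# Apply the filter to ingress traffic on an access-switch port.
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input ingress-port-voip-class-limit-tcp-icmp
```

After committing, `show firewall` displays the counters, which is a quick check that the TCP and ICMP terms are matching the traffic you expect.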
Copyright © 2010, Juniper Networks, Inc.
