Table of Contents
Advertisement
Step-by-Step
Procedure
Copyright © 2010, Juniper Networks, Inc.
[edit]
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from
destination-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from
destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper then
accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper
from source-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper
from source-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper
then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper
from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper
then count rogue-counter
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper
then discard
set vlans voice-vlan description "block rogue devices on voice-vlan"
set vlans voice-vlan filter input ingress-vlan-rogue-block
To configure and apply a VLAN firewall filter on
using HTTP to mimic the gatekeeper device that manages VoIP traffic:
Define the firewall filter
1.
traffic you want to permit and restrict:
[edit firewall]
user@switch# set family ethernet-switching filter ingress-vlan-rogue-block
Define the term
to-gatekeeper
2.
address of the gatekeeper:
[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term to-gatekeeper from destination-address 192.0.2.14
user@switch# set term to-gatekeeper from destination-port 80
user@switch# set term to-gatekeeper then accept
Define the term
from-gatekeeper
3.
of the gatekeeper:
[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term from-gatekeeper from source-address 192.0.2.14
user@switch# set term from-gatekeeper from source-port 80
user@switch# set term from-gatekeeper then accept
Define the term
not-gatekeeper
4.
destined for the gatekeeper device:
[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term not-gatekeeper from destination-port 80
user@switch# set term not-gatekeeper then count rogue-counter
user@switch# set term not-gatekeeper then discard
Apply the firewall filter
5.
interface for the VoIP telephones:
[edit]
user@switch# set vlans voice-vlan description "block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input ingress-vlan-rogue-block
Chapter 101: Examples of Firewall Filters Configuration
voice-vlan
ingress-vlan-rogue-block
to accept packets that match the destination IP
to accept packets that match the source IP address
to ensure all
voice-vlan
ingress-vlan-rogue-block
to prevent rogue devices from
to specify filter matching on the
traffic on TCP ports is
as an input filter to the VLAN
3049
Advertisement
Chapters
Table of Contents
Troubleshooting
Related Manuals for Juniper JUNOS OS 10.3 - SOFTWARE
Related Products for Juniper JUNOS OS 10.3 - SOFTWARE
- Juniper IDP OS 5.1R1 - S REV 1
- Juniper JUNOS OS 10.4 - S REV 5
- Juniper JUNOS OS 10.4 - FOR EX REV 1
- Juniper JUNOS OS 10.4 - XML API OPERATIONAL
- Juniper IDP OS 5.1R1
- Juniper JUNOS SOFTWARE 10.2 - SOFTWARE INSTALLATION AND UPGRADE GUIDE 4-28-2010
- Juniper OCX1100
- Juniper ADVANCED INSIGHT SCRIPTS 2.5 - S REV 1