Juniper JUNOS OS 10.3 - SOFTWARE Manual page 3148

Complete Software Guide for Junos
Configuring a VLAN Firewall Filter to Restrict Guest-to-Employee Traffic and Peer-to-Peer
Applications on the Guest VLAN
CLI Quick
Configuration
3052
®
OS for EX Series Ethernet Switches, Release 10.3
family ethernet-switching {
filter egress-vlan-watch-employee {
term employee-to-corp {
from {
destination-address 192.0.2.16/28
}
then {
accept;
}
}
term employee-to-web {
from {
destination-port 80;
}
then {
count employee-web-counter:
analyzer employee-monitor;
}
}
}
}
}
vlans {
employee-vlan {
description "filter at egress VLAN to count and analyze employee to Web traffic";
filter {
output egress-vlan-watch-employee;
}
}
}
To configure and apply firewall filters for port, VLAN, and router interfaces, perform these
tasks:
In the following example, the first filter term permits guests to talk with other guests but
not employees on employee-vlan
prevents them from using peer-to-peer applications on
To quickly configure a VLAN firewall filter to restrict guest-to-employee traffic, blocking
guests from talking with employees or employee hosts on
to use peer-to-peer applications on
them into the switch terminal window:
[edit]
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest from
destination-address 192.0.2.33/28
set firewall family ethernet-switching filter ingress-vlan-limit-guest term guest-to-guest then
accept
set firewall family ethernet-switching filter ingress-vlan-limit-guest term
no-guest-employee-no-peer-to-peer from destination-mac-address 00.05.85.00.00.DF
set firewall family ethernet-switching filter ingress-vlan-limit-guest term
no-guest-employee-no-peer-to-peer then accept
. The second filter term allows guests Web access but
guest-vlan
employee-vlan
, copy the following commands and paste
guest-vlan
Copyright © 2010, Juniper Networks, Inc.
.
or attempting