Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 3375

For EX Series Ethernet Switches
Step-by-Step Procedure
Copyright © 2010, Juniper Networks, Inc.
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then count rogue-counter
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then discard
set vlans voice-vlan description "block rogue devices on voice-vlan"
set vlans voice-vlan filter input ingress-vlan-rogue-block
To configure and apply a VLAN firewall filter on voice-vlan to prevent rogue devices from using HTTP to mimic the gatekeeper device that manages VoIP traffic:

1. Define the firewall filter ingress-vlan-rogue-block to specify filter matching on the traffic you want to permit and restrict:

[edit firewall]
user@switch# set family ethernet-switching filter ingress-vlan-rogue-block

2. Define the term to-gatekeeper to accept packets that match the destination IP address of the gatekeeper:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term to-gatekeeper from destination-address 192.0.2.14
user@switch# set term to-gatekeeper from destination-port 80
user@switch# set term to-gatekeeper then accept

3. Define the term from-gatekeeper to accept packets that match the source IP address of the gatekeeper:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term from-gatekeeper from source-address 192.0.2.14
user@switch# set term from-gatekeeper from source-port 80
user@switch# set term from-gatekeeper then accept

4. Define the term not-gatekeeper to ensure all traffic on TCP ports is destined for the gatekeeper device:

[edit firewall family ethernet-switching filter ingress-vlan-rogue-block]
user@switch# set term not-gatekeeper from destination-port 80
user@switch# set term not-gatekeeper then count rogue-counter
user@switch# set term not-gatekeeper then discard

5. Apply the firewall filter ingress-vlan-rogue-block as an input filter to the VLAN voice-vlan interface for the VoIP telephones:

[edit]
user@switch# set vlans voice-vlan description "block rogue devices on voice-vlan"
user@switch# set vlans voice-vlan filter input ingress-vlan-rogue-block

Chapter 107: Examples of Firewall Filters Configuration
3271
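As an added illustration (not code from the Juniper manual), the following Python parses the set statements above into ordered terms and evaluates constructed sample packets with Junos first-match semantics, which makes visible why to-gatekeeper must precede not-gatekeeper. It assumes an implicit discard for packets that match no term and only the four address/port match conditions the page uses.

```python
import re

# Constructed copy of the page's set statements; the two "set vlans" lines are
# included on purpose so the parser is seen to ignore non-term lines.
PAGE_CONFIG = """
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term to-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-address 192.0.2.14
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper from source-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term from-gatekeeper then accept
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper from destination-port 80
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then count rogue-counter
set firewall family ethernet-switching filter ingress-vlan-rogue-block term not-gatekeeper then discard
set vlans voice-vlan description "block rogue devices on voice-vlan"
set vlans voice-vlan filter input ingress-vlan-rogue-block
"""
TERM_RE = re.compile(r"set firewall family ethernet-switching filter (\S+) term (\S+) (from|then) (.+)")

def parse_filter(config, filter_name):
    """Collect the terms of one filter in configuration order (the order Junos evaluates)."""
    terms, order = {}, []
    for line in config.splitlines():
        m = TERM_RE.match(line.strip())
        if not m or m.group(1) != filter_name:
            continue
        _, term, clause, rest = m.groups()
        if term not in terms:
            terms[term] = {"name": term, "from": {}, "then": []}
            order.append(term)
        parts = rest.split()
        if clause == "from":
            terms[term]["from"][parts[0]] = parts[1]  # e.g. destination-port -> "80"
        else:
            terms[term]["then"].append(tuple(parts))  # ("count", "rogue-counter") or ("accept",)
    return [terms[t] for t in order]

def evaluate(terms, pkt, counters, default="discard"):
    """First-match semantics: the first term whose every from-condition holds decides.
    Its count action increments `counters`; a term with no accept/discard accepts.
    A packet matching no term gets `default` (assumed: the implicit final discard)."""
    for term in terms:
        if all(str(pkt.get(cond)) == want for cond, want in term["from"].items()):
            action = "accept"
            for act in term["then"]:
                if act[0] == "count":
                    counters[act[1]] = counters.get(act[1], 0) + 1
                elif act[0] in ("accept", "discard"):
                    action = act[0]
            return term["name"], action
    return None, default
```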