JTAC have confirmed that the port has to be crossed to have the filter come into effect.
Hence why L2 vlan filters (VACLs) have their input/output meaning reversed.

Not sure if my previous email makes sense, but thought I would update here anyway.

Regards,
C.

On Thu, Mar 11, 2010 at 01:25:27AM +0000, Charlie Allom wrote:
> Hello,
>
> has anyone come up against this with the EX4200's? That a firewall
> filter will only affect a packet traversing a physical interface..
>
> ==trunk==>[port A] (RVI A)..(RVI B) [port B]--access-->
>                                ^
>        filter applied here ----|
>
> I was expecting the filter on 'input' on RVI B to block traffic, but it
> only works entirely when you filter on its 'output'.
>
> Else the host behind [port B] gets the SYN, SYNACKs back, and /then/ it
> is blocked by the ethernet-switching or inet filter.
>
> The docs don't mention this, except they never give an example of
> filtering on an RVI, just physical routed interfaces. But they DO say
> you can do it.. page 1368 of the "Software Guide for EX Series Ethernet
> Switches, Release 10.0".
>
> What gives? (I have a case open with JTAC but it's hopeless trying to
> convince them to grasp and replicate, so far)
>
>
> C.
> --
> 020 7729 4797
> http://blog.playlouder.com/
> _______________________________________________
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
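An added configuration example, not from the thread or from Juniper, showing the filter placed in the direction the thread found effective on the EX4200: on the 'output' of RVI B, the VLAN whose hosts sit behind [port B]. The filter name, VLAN unit number, address and counter name are assumed placeholders.

```junos
/* Constructed example; placeholder names and addresses throughout. */
/* Drops new inbound TCP connections (SYN without ACK) towards VLAN B */
/* and counts them, so the effect can be checked from the counter.   */
firewall {
    family inet {
        filter PROTECT-VLAN-B {
            term drop-new-tcp {
                from {
                    protocol tcp;
                    tcp-flags "syn & !ack";
                }
                then {
                    count dropped-syn;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        /* RVI B: placeholder unit number and address */
        unit 200 {
            family inet {
                address 192.0.2.1/24;
                filter {
                    /* 'output', not 'input', per the behaviour reported above */
                    output PROTECT-VLAN-B;
                }
            }
        }
    }
}
```

Check it with `show firewall filter PROTECT-VLAN-B`: the dropped-syn counter should increment while the host behind [port B] sees no SYN at all, rather than receiving it and having the return traffic dropped.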