Understanding packet flows over RVI

Posted by choco-loo on Server Fault
Published on 2013-07-02T20:33:40Z

I'm trying to get a full grasp of firewall filters and how to apply them on a Juniper EX4200 switch - to be able to block ports, police traffic and shape traffic.

The network architecture is as follows:

internet  >-<  vlan4000  >-<  vlan43
  • vlan4000 is a public "routed" block (where all the IPs are routed to and the internet gw is)
  • vlan43 is a vlan with public IPs with devices (servers) attached

There are static routes and RVIs on the EX4200 to send all traffic via vlan4000's gateway to reach the internet.

I've set up filters on both input and output of the respective RVIs and VLANs, with simple counters, to measure traffic flow between a server inside vlan43 and a server on the internet.

Using a combination of iperf for UDP and TCP tests and fping for ICMP tests, I observed the following:

icmp                  vlan43>internet  internet>vlan43
unit4000-counter-in   0                0
unit4000-counter-out  0                0
unit43-counter-in     100              100
unit43-counter-out    0                0
vlan4000-counter-in   6                4
vlan4000-counter-out  107              104
vlan43-counter-in     101              100
vlan43-counter-out    100              100

tcp                   vlan43>internet  internet>vlan43
unit4000-counter-in   0                0
unit4000-counter-out  0                0
unit43-counter-in     73535            38480
unit43-counter-out    0                0
vlan4000-counter-in   7                8
vlan4000-counter-out  73543            38489
vlan43-counter-in     73535            38481
vlan43-counter-out    38938            75880

udp                   vlan43>internet  internet>vlan43
unit4000-counter-in   0                0
unit4000-counter-out  0                0
unit43-counter-in     81410            1
unit43-counter-out    0                0
vlan4000-counter-in   18               7
vlan4000-counter-out  81429            8
vlan43-counter-in     81411            1
vlan43-counter-out    1                85472

My key goals are to set up a few filters and policers, as there will be many more VLANs that all need protecting from each other and from the internet, and then to globally limit/police all outbound traffic to the internet:

  • Block inbound ports to vlan43 (eg. 22)
  • Limit outbound traffic from vlan43 (to the internet)
  • Limit outbound traffic from vlan43 (to other vlans)
  • Limit outbound traffic from vlan4000 (to the internet from all vlans)
  • Route traffic from vlans via specific routing instances (FBF)

The question

What I want to understand is why there isn't ever any activity on the unit4000 or vlan4000 inbound or outbound counters. Is this because there isn't a device on this VLAN, and the traffic is only traversing it?

And with regards to the TCP test: why are there twice as many packets on unit43-counter-in, vlan4000-counter-out and vlan43-counter-in? Is this counting both the inbound and outbound traffic?
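An added example, not code from the question: a set-style Junos configuration for the first three goals listed above, a Layer 2 filter on vlan43 that drops inbound TCP/22 and a Layer 3 filter on the vlan43 RVI that polices what the servers send toward the router, with a separate rate for other VLANs. It assumes hypothetical filter, policer and counter names, 203.0.113.0/24 as vlan43's prefix, 198.51.100.0/22 as an aggregate covering all internal VLANs, and the non-ELS EX4200 match keywords.

```junos
## Added example, not from the question. Hypothetical names and addresses:
## 203.0.113.0/24 = vlan43, 198.51.100.0/22 = aggregate of all internal VLANs.

## Goal 1: drop SSH arriving in vlan43. VLAN-level filters are family
## ethernet-switching and see frames entering vlan43 on any member port.
set firewall family ethernet-switching filter vlan43-in term block-ssh from protocol tcp
set firewall family ethernet-switching filter vlan43-in term block-ssh from destination-address 203.0.113.0/24
set firewall family ethernet-switching filter vlan43-in term block-ssh from destination-port 22
set firewall family ethernet-switching filter vlan43-in term block-ssh then count vlan43-ssh-dropped
set firewall family ethernet-switching filter vlan43-in term block-ssh then discard
## Junos filters end in an implicit discard, so an accept-all term is required.
set firewall family ethernet-switching filter vlan43-in term allow-rest then count vlan43-counter-in
set firewall family ethernet-switching filter vlan43-in term allow-rest then accept
set vlans vlan43 filter input vlan43-in

## Goals 2 and 3: two policers, one per destination class.
set firewall policer vlan43-to-vlans if-exceeding bandwidth-limit 50m
set firewall policer vlan43-to-vlans if-exceeding burst-size-limit 500k
set firewall policer vlan43-to-vlans then discard
set firewall policer vlan43-to-internet if-exceeding bandwidth-limit 100m
set firewall policer vlan43-to-internet if-exceeding burst-size-limit 1m
set firewall policer vlan43-to-internet then discard

## RVI filters are family inet. "input" on an RVI matches packets the vlan43
## hosts send toward the router to be routed. Terms are evaluated in order,
## so the specific "other VLANs" term must precede the catch-all internet term.
set firewall family inet filter unit43-in term to-vlans from destination-address 198.51.100.0/22
set firewall family inet filter unit43-in term to-vlans then policer vlan43-to-vlans
set firewall family inet filter unit43-in term to-vlans then count unit43-to-vlans
set firewall family inet filter unit43-in term to-vlans then accept
set firewall family inet filter unit43-in term to-internet then policer vlan43-to-internet
set firewall family inet filter unit43-in term to-internet then count unit43-to-internet
set firewall family inet filter unit43-in term to-internet then accept
set interfaces vlan unit 43 family inet filter input unit43-in

## Check which terms actually fire before trusting the policer:
##   show firewall filter vlan43-in
##   show firewall filter unit43-in
```

Per-term counters make it visible which direction each filter really sees, which is the same check the tables above were built from.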

© Server Fault or respective owner