Example: Configuring Interface-Specific Firewall Filter Counters
This example shows how to configure and apply an interface-specific standard stateless firewall filter.
Requirements
Interface-specific stateless firewall filters are supported on T Series, M120, M320, MX Series routers, and EX Series switches only.
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you create an interface-specific stateless firewall filter that counts and accepts packets with source or destination addresses in a specified prefix and the IP protocol type field set to a specific value.
Topology
You configure the interface-specific stateless firewall filter filter_s_tcp to count and accept packets with IP source or destination addresses in the 10.0.0.0/12 prefix and the IP protocol type field set to tcp (or the numeric value 6).
The name of the firewall filter counter is count_s_tcp.
You apply the firewall filter to multiple logical interfaces:
- at-1/1/1.0 input
- ge-2/2/2.2 output
Applying the filter to these two interfaces results in two instances of the filter: filter_s_tcp-at-1/1/1.0-i and filter_s_tcp-ge-2/2/2.2-o, respectively.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- Configure the Interface-Specific Firewall Filter
- Apply the Interface-Specific Firewall Filter to Multiple Interfaces
- Confirm Your Candidate Configuration
- Clear the Counters and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
Configure the Interface-Specific Firewall Filter
Step-by-Step Procedure
To configure the interface-specific firewall filter:
- Create the IPv4 firewall filter filter_s_tcp.
[edit]
user@host# edit firewall family inet filter filter_s_tcp
- Enable interface-specific instances of the filter.
[edit firewall family inet filter filter_s_tcp]
user@host# set interface-specific
- Configure the match conditions for the term.
[edit firewall family inet filter filter_s_tcp]
user@host# set term 1 from address 10.0.0.0/12
user@host# set term 1 from protocol tcp
- Configure the actions for the term.
[edit firewall family inet filter filter_s_tcp]
user@host# set term 1 then count count_s_tcp
user@host# set term 1 then accept
Apply the Interface-Specific Firewall Filter to Multiple Interfaces
Step-by-Step Procedure
To apply the filter filter_s_tcp to logical interfaces at-1/1/1.0 and ge-2/2/2.2:
- Apply the interface-specific filter to packets received on logical interface at-1/1/1.0.
[edit]
user@host# set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp
- Apply the interface-specific filter to packets transmitted from logical interface ge-2/2/2.2.
[edit]
user@host# set interfaces ge-2/2/2 unit 2 family inet filter output filter_s_tcp
Confirm Your Candidate Configuration
Step-by-Step Procedure
To confirm your candidate configuration:
- Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show firewall
family inet {
    filter filter_s_tcp {
        interface-specific;
        term 1 {
            from {
                address {
                    10.0.0.0/12;
                }
                protocol tcp;
            }
            then {
                count count_s_tcp;
                accept;
            }
        }
    }
}
- Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
[edit]
user@host# show interfaces
at-1/1/1 {
    unit 0 {
        family inet {
            filter {
                input filter_s_tcp;
            }
        }
    }
}
ge-2/2/2 {
    unit 2 {
        family inet {
            filter {
                output filter_s_tcp;
            }
        }
    }
}
Clear the Counters and Commit Your Candidate Configuration
Step-by-Step Procedure
To clear the counters and commit your candidate configuration:
- From operational command mode, use the clear firewall all command to clear the statistics for all firewall filters.
To clear only the counters used in this example, include the interface-specific filter instance names:
user@host> clear firewall filter filter_s_tcp-at-1/1/1.0-i
user@host> clear firewall filter filter_s_tcp-ge-2/2/2.2-o
- Commit your candidate configuration.
[edit]
user@host# commit
Verification
Confirm that the configuration is working properly.
- Verifying That the Filter Is Applied to Each of the Multiple Interfaces
- Verifying That the Counters Are Collected Separately by Interface
Verifying That the Filter Is Applied to Each of the Multiple Interfaces
Purpose
Verify that the filter is applied to each of the multiple interfaces.
Action
Run the show interfaces command with the detail or extensive output level.
- Verify that the filter is applied to the input for at-1/1/1.0:
user@host> show interfaces at-1/1/1 detail
Physical interface: at-1/1/1, Enabled, Physical link is Up
  Interface index: 300, SNMP ifIndex: 194, Generation: 183
...
  Logical interface at-1/1/1.0 (Index 64) (SNMP ifIndex 204) (Generation 5)
    Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: ATM-SNAP
...
    Protocol inet, MTU: 4470, Generation: 13, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Input Filters: filter_s_tcp-at-1/1/1.0-i,,,,,
- Verify that the filter is applied to the output for ge-2/2/2.2:
user@host> show interfaces ge-2/2/2 detail
Physical interface: ge-2/2/2, Enabled, Physical link is Up
  Interface index: 129, SNMP ifIndex: 502, Generation: 132
...
  Logical interface ge-2/2/2.2 (Index 70) (SNMP ifIndex 536) (Generation 135)
    Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP
...
    Protocol inet, MTU: 4470, Generation: 146, Route table: 0
      Flags: Sendbcast-pkt-to-re
      Output Filters: filter_s_tcp-ge-2/2/2.2-o,,,,,
Verifying That the Counters Are Collected Separately by Interface
Purpose
Make sure that the count_s_tcp counters are collected separately for the two logical interfaces.
Action
Run the show firewall command.
user@host> show firewall filter filter_s_tcp
Filter: filter_s_tcp
Counters:
Name                                                Bytes              Packets
count_s_tcp-at-1/1/1.0-i                              420                    5
count_s_tcp-ge-2/2/2.2-o                             8888                  101
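As an added example that is not part of the Junos documentation, the following Python script applies the instance naming convention described in the Topology section (<filter>-<logical-interface>-<i|o>, and the same suffix on the counter) and checks a constructed show firewall filter output for one counter per applied interface, reporting any instance whose counter is missing. The helper names and the sample output are assumptions, not a Junos API.

```python
import re

# Interface-specific filters get one instance per (logical interface, direction),
# named <filter>-<ifl>-<i|o>; the counters inside them carry the same suffix.
DIRECTION_SUFFIX = {"input": "i", "output": "o"}


def instance_name(base, ifl, direction):
    """Per-interface instance name of a filter or counter, e.g.
    ('filter_s_tcp', 'at-1/1/1.0', 'input') -> 'filter_s_tcp-at-1/1/1.0-i'."""
    return f"{base}-{ifl}-{DIRECTION_SUFFIX[direction]}"


# One counter row: name, bytes, packets (whitespace separated).
COUNTER_LINE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_firewall(text):
    """Parse 'show firewall filter <name>' output into {counter: (bytes, packets)}."""
    counters, in_counters = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Filter:"):
            in_counters = False          # a new filter block starts
        elif stripped.startswith("Counters:"):
            in_counters = True           # rows follow the header line
        elif in_counters:
            m = COUNTER_LINE.match(line)
            if m:
                counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def check_per_interface_counters(output, counter, applications):
    """applications: iterable of (ifl, direction). Returns (found, missing): found maps
    each expected counter instance to (bytes, packets); missing lists absent instances."""
    parsed = parse_show_firewall(output)
    found, missing = {}, []
    for ifl, direction in applications:
        name = instance_name(counter, ifl, direction)
        if name in parsed:
            found[name] = parsed[name]
        else:
            missing.append(name)
    return found, missing


# Constructed sample, shaped like the page's 'show firewall filter filter_s_tcp' output.
SAMPLE_OUTPUT = """\
Filter: filter_s_tcp
Counters:
Name                                                Bytes              Packets
count_s_tcp-at-1/1/1.0-i                              420                    5
count_s_tcp-ge-2/2/2.2-o                             8888                  101
"""
```

A missing entry in the returned list means that interface instance never matched a packet or the filter was not applied in that direction, which is exactly what the two verification steps above check by hand.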