Related Documentation
- EX, J, M, MX, PTX, SRX, T Series
- Understanding How to Use Standard Firewall Filters
- EX, J, M, MX, SRX, T Series
- Example: Configuring a Filter to Match on IPv6 Flags
- EX, M, MX, PTX, T Series
- Example: Configuring a Filter to Match on Port and Protocol Fields
Example: Configuring a Filter to Match on Two Unrelated Criteria
This example shows how to configure a standard stateless firewall filter to match on two unrelated criteria.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you use a standard stateless firewall filter to match IPv4 packets that are either OSPF packets or packets that come from an address in the prefix 10.108/16, and send an administratively-prohibited ICMP message for all packets that do not match.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
Configuring the IPv4 Firewall Filter
Step-by-Step Procedure
To configure the IPv4 firewall filter:
Enable configuration of the IPv4 firewall filter.
[edit]
user@host# edit firewall family inet filter ospf_or_131
Configure the first term to accept OSPF packets.
[edit firewall family inet filter ospf_or_131]
user@host# set term protocol_match from protocol ospf
Packets that match the condition are accepted by default. Because another term follows this term, packets that do not match this condition are evaluated by the next term.
Configure the second term to accept packets from any IPv4 address in a particular prefix.
[edit firewall family inet filter ospf_or_131]
user@host# set term address_match from source-address 10.108.0.0/16
Packets that match this condition are accepted by default. Because this is the last term in the filter, packets that do not match this condition are discarded by default.
Results
Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
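The following Python model is an added example, not Juniper code or device output. It shows why the two unrelated criteria go in separate terms of ospf_or_131: terms are tried in order, so separate terms act as a logical OR, while conditions placed in one term must all match. The names evaluate, term_matches and FILTER_ONE_TERM are hypothetical, the sample packets are constructed, and the all-conditions-must-match rule within a term is standard Junos behavior assumed here rather than stated on this page.

```python
import ipaddress

# Simplified model of the ospf_or_131 filter from this page. Conditions inside
# one term must all match (AND); terms are tried in order (OR across terms).
OSPF = 89  # IANA protocol number for OSPF

FILTER_TWO_TERMS = [
    ("protocol_match", {"protocol": OSPF}),
    ("address_match", {"source": ipaddress.ip_network("10.108.0.0/16")}),
]

# Hypothetical misconfiguration: both criteria placed in a single term.
FILTER_ONE_TERM = [
    ("both", {"protocol": OSPF, "source": ipaddress.ip_network("10.108.0.0/16")}),
]

def term_matches(conditions, packet):
    """Every condition listed in the term has to match the packet."""
    if "protocol" in conditions and packet["protocol"] != conditions["protocol"]:
        return False
    if "source" in conditions:
        if ipaddress.ip_address(packet["source"]) not in conditions["source"]:
            return False
    return True

def evaluate(filter_terms, packet):
    """Return (action, term name). A term without an action accepts; a packet
    that matches no term hits the implicit discard at the end of the filter."""
    for name, conditions in filter_terms:
        if term_matches(conditions, packet):
            return ("accept", name)
    return ("discard", None)

# Constructed sample packets (not captured traffic).
SAMPLES = {
    "ospf_outside_prefix": {"protocol": OSPF, "source": "192.0.2.1"},
    "tcp_inside_prefix": {"protocol": 6, "source": "10.108.7.9"},
    "ospf_inside_prefix": {"protocol": OSPF, "source": "10.108.0.1"},
    "tcp_outside_prefix": {"protocol": 6, "source": "10.109.0.1"},
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(label, evaluate(FILTER_TWO_TERMS, pkt), evaluate(FILTER_ONE_TERM, pkt))
```

With both criteria in one term, OSPF packets from outside 10.108.0.0/16 fall through to the implicit discard, which is the failure to check for when reviewing a filter meant to match on either criterion.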
Applying the IPv4 Firewall Filter to a Logical Interface
Step-by-Step Procedure
To apply the stateless firewall filter to a logical interface:
Enable configuration of a logical interface.
[edit]
user@host# edit interfaces ge-0/0/1 unit 0 family inet
Configure an IP address for the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set address 10.1.2.3/30
Apply the IPv4 firewall filter to the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet]
user@host# set filter input ospf_or_131
Results
Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
To confirm that the configuration is working properly, enter the show firewall filter ospf_or_131 operational mode command.
Published: 2013-04-10