Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

TechLibrary
Navigation

Supported Platforms

 

Related Documentation

 

Example: Filtering Packets Received on an Interface Set

This example shows how to configure a standard stateless firewall filter to match packets tagged for a particular interface set.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you apply a stateless firewall filter to the input of the router or switch loopback interface. The firewall filter includes a term that matches packets tagged for a particular interface set.

Topology

You create the firewall filter L2_filter to apply rate limits to the protocol-independent traffic received on the following interfaces:

  • fe-0/0/0.0
  • fe-1/0/0.0
  • fe-1/1/0.0

Note: The interface type in this topic is just an example. The fe- interface type is not supported by EX Series switches.

First, for protocol-independent traffic received on fe-0/0/0.0, the firewall filter term t1 applies policer p1.

For protocol-independent traffic received on any other Fast Ethernet interfaces, firewall filter term t2 applies policer p2. To define an interface set that consists of all Fast Ethernet interfaces, you include the interface-set interface-set-name interface-name statement at the [edit firewall] hierarchy level. To define a packet-matching criteria based on the interface on which a packet arrives to a specified interface set, you configure a term that uses the interface-set firewall filter match condition.

Finally, for any other protocol-independent traffic, firewall filter term t3 applies policer p3.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

set interfaces fe-0/0/0 unit 0 family inet address 10.1.1.1/30set interfaces fe-1/0/0 unit 0 family inet address 10.2.2.1/30set interfaces fe-1/1/0 unit 0 family inet address 10.4.4.1/30set firewall policer p1 if-exceeding bandwidth-limit 5mset firewall policer p1 if-exceeding burst-size-limit 10mset firewall policer p1 then discardset firewall policer p2 if-exceeding bandwidth-limit 40mset firewall policer p2 if-exceeding burst-size-limit 100mset firewall policer p2 then discardset firewall policer p3 if-exceeding bandwidth-limit 600mset firewall policer p3 if-exceeding burst-size-limit 1gset firewall policer p3 then discardset firewall interface-set ifset fe-*set firewall family any filter L2_filter term t1 from interface fe-0/0/0.0set firewall family any filter L2_filter term t1 then count c1set firewall family any filter L2_filter term t1 then policer p1set firewall family any filter L2_filter term t2 from interface-set ifsetset firewall family any filter L2_filter term t2 then count c2set firewall family any filter L2_filter term t2 then policer p2set firewall family any filter L2_filter term t3 then count c3set firewall family any filter L2_filter term t3 then policer p3set interfaces lo0 unit 0 family inet address 1.1.1.157/30set interfaces lo0 unit 0 filter input L2_filter

Configuring the Interfaces for Which the Stateless Firewall Filter Terms Take Rate-Limiting Actions

Step-by-Step Procedure

To configure the interfaces for which the stateless firewall filter terms take rate-limiting actions:

  1. Configure the logical interface whose input traffic will be matched by the first term of the firewall filter.

    [edit]user@host# set interfaces fe-0/0/0 unit 0 family inet address 10.1.1.1/30

  2. Configure the logical interfaces whose input traffic will be matched by the second term of the firewall filter.

    [edit ]user@host# set interfaces fe-1/0/0 unit 0 family inet address 10.2.2.1/30user@host# set interfaces fe-1/1/0 unit 0 family inet address 10.4.4.1/30

  3. If you are done configuring the device, commit the configuration.

    [edit]user@host# commit

Results

Confirm the configuration of the router (or switch) transit interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]user@host# show interfaces
fe-0/0/0 {unit 0 {family inet {address 10.1.1.1/30;}}}
fe-1/0/0 {unit 0 {family inet {address 10.2.2.1/30;}}}
fe-1/1/0 {unit 0 {family inet {address 10.4.4.1/30;}}}

Configuring the Stateless Firewall Filter That Rate-Limits Protocol-Independent Traffic Based on the Interfaces on Which Packets Arrive

Step-by-Step Procedure

To configure the standard stateless firewall L2_filter that uses policers (p1, p2, and p3) to rate-limit protocol-independent traffic based on the interfaces on which the packets arrive:

  1. Configure the firewall statements.

    [edit]user@host# edit firewall

  2. Configure the policer p1 to discard traffic that exceeds a traffic rate of 5m bps or a burst size of 10m bytes.

    [edit firewall]user@host# set policer p1 if-exceeding bandwidth-limit 5muser@host# set policer p1 if-exceeding burst-size-limit 10muser@host# set policer p1 then discard

  3. Configure the policer p2 to discard traffic that exceeds a traffic rate of 40m bps or a burst size of 100m bytes .

    [edit firewall]user@host# set policer p2 if-exceeding bandwidth-limit 40muser@host# set policer p2 if-exceeding burst-size-limit 100muser@host# set policer p2 then discard

  4. Configure the policer p3 to discard traffic that exceeds a traffic rate of 600m bps or a burst size of 1g bytes.

    [edit firewall]user@host# set policer p3 if-exceeding bandwidth-limit 600muser@host# set policer p3 if-exceeding burst-size-limit 1guser@host# set policer p3 then discard

  5. Define the interface set ifset to be the group of all Fast Ethernet interfaces on the router.

    [edit firewall]user@host# set interface-set ifset fe-*

  6. Create the stateless firewall filter L2_filter.

    [edit firewall]user@host# edit family any filter L2_filter

  7. Configure filter term t1 to match IPv4, IPv6, or MPLS packets received on interface fe-0/0/0.0 and use policer p1 to rate-limit that traffic.

    [edit firewall family any filter L2_filter]user@host# set term t1 from interface fe-0/0/0.0user@host# set term t1 then count c1user@host# set term t1 then policer p1

  8. Configure filter term t2 to match packets received on interface-set ifset and use policer p2 to rate-limit that traffic.

    [edit firewall family any filter L2_filter]user@host# set term t2 from interface-set ifsetuser@host# set term t2 then count c2user@host# set term t2 then policer p2

  9. Configure filter term t3 to use policer p3 to rate-limit all other traffic.

    [edit firewall family any filter L2_filter]user@host# set term t3 then count c3user@host# set term t3 then policer p3

  10. If you are done configuring the device, commit the configuration.

    [edit]user@host# commit

Results

Confirm the configuration of the stateless firewall filter and the policers referenced as firewall filter actions by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

[edit]user@host# show firewall
family any {filter L2_filter {term t1 {from {interface fe-0/0/0.0;}then {policer p1;count c1;}}term t2 {from {interface-set ifset;}then {policer p2;count c2;}}term t3 {then {policer p3;count c3;}}}}
policer p1 {if-exceeding {bandwidth-limit 5m;burst-size-limit 10m;}then discard;}
policer p2 {if-exceeding {bandwidth-limit 40m;burst-size-limit 100m;}then discard;}
policer p3 {if-exceeding {bandwidth-limit 600m;burst-size-limit 1g;}then discard;}
interface-set ifset {fe-*;}

Applying the Stateless Firewall Filter to the Routing Engine Input Interface

Step-by-Step Procedure

To apply the stateless firewall filter to the Routing Engine input interface:

  1. Apply the stateless firewall filter to the Routing Engine interface in the input direction.

    [edit]user@host# set interfaces lo0 unit 0 family inet address 1.1.1.157/30user@host# set interfaces lo0 unit 0 filter input L2_filter

  2. If you are done configuring the device, commit the configuration.

    [edit]user@host# commit

Results

Confirm the application of the firewall filter to the Routing Engine input interface by entering the show interfaces command again. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

user@host# show interfaces
fe-0/0/0 {...}
fe-1/0/0 {...}
fe-1/1/0 {...}
lo0 {unit 0 {filter {input L2_filter;}family inet {address 1.1.1.157/30;}}}

Verification

To confirm that the configuration is working properly, use the show firewall filter L2_filter operational mode command to monitor traffic statistics about the firewall filter and three counters.

 

Related Documentation

 

Published: 2013-04-10

Supported Platforms

 

Related Documentation

 

Published: 2013-04-10

Previous Page Next Page