Supported Platforms
Related Documentation
- EX Series
- Configuring Firewall Filters (J-Web Procedure)
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches
- Example: Configuring a Firewall Filter on a Management Interface on an EX Series Switch
- Verifying That Firewall Filters Are Operational
- Monitoring Firewall Filter Traffic
- Configuring Policers to Control Traffic Rates (CLI Procedure)
Configuring Firewall Filters (CLI Procedure)
You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer 3 (routed) interfaces. To configure a firewall filter you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface.
This topic describes:
- Configuring a Firewall Filter
- Configuring a Term Specifically for IPv4 or IPv6 Traffic
- Applying a Firewall Filter to a Port on a Switch
- Applying a Firewall Filter to a Management Interface on a Switch
- Applying a Firewall Filter to a VLAN on a Network
- Applying a Firewall Filter to a Layer 3 (Routed) Interface
Configuring a Firewall Filter
Before you can apply a firewall filter to a port, VLAN, or Layer 3 interface, you must configure a firewall filter with the required details, such as type of family for the firewall filter, firewall filter name, and match conditions. A match condition in the firewall filter configuration can contain multiple terms that define the criteria for the match condition. For each term, you must specify an action to be performed if a packet matches the conditions in the term. For information on different match conditions and actions, see Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches.
To configure a firewall filter:
- Configure the family address type for the firewall filter:
  - For a firewall filter that is applied to a port or VLAN, specify the family address type ethernet-switching to filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets, for example:
[edit firewall]
user@switch# set family ethernet-switching
  - For a firewall filter that is applied to a Layer 3 (routed) interface:
    - To filter IPv4 packets, specify the family address type inet, for example:
[edit firewall]
user@switch# set family inet
    - To filter IPv6 packets, specify the family address type inet6, for example:
[edit firewall]
user@switch# set family inet6
Note: You can configure firewall filters for both IPv4 and IPv6 traffic on the same Layer 3 interface.
- Specify the filter name:
[edit firewall family ethernet-switching]
user@switch# set filter ingress-port-filter
The filter name can contain letters, numbers, and hyphens (-) and can have a maximum of 64 characters. Each filter name must be unique.
- If you want to apply a firewall filter to multiple interfaces and name individual firewall counters specific to each interface, configure the interface-specific option:
[edit firewall family ethernet-switching filter ingress-port-filter]
user@switch# set interface-specific
- Specify a term name:
[edit firewall family ethernet-switching filter ingress-port-filter]
user@switch# set term term-one
The term name can contain letters, numbers, and hyphens (-) and can have a maximum of 64 characters.
A firewall filter can contain one or more terms. Each term name must be unique within a filter.
The maximum number of terms allowed per firewall filter for EX Series switches is:
- 512 for EX2200 switches
- 1,436 for EX3300 switches
Note: On EX3300 switches, if you add and delete filters with a large number of terms (on the order of 1000 or more) in the same commit operation, not all the filters are installed. You must add filters in one commit operation, and delete filters in a separate commit operation.
- 7,168 for EX3200 and EX4200 switches
- 1,200 for EX4500 and EX4550 switches
- 1,400 for EX6200 switches
- 32,768 for EX8200 switches
If you attempt to configure a firewall filter that exceeds these limits, the switch returns an error message when you commit the configuration.
- In each firewall filter term, specify the match conditions to use to match components of a packet.
To specify match conditions to match on packets that contain a specific source address and source port, for example:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set from source-address 192.0.2.14
user@switch# set from source-port 80
You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term.
The from statement is optional, but if included in a term, the from statement cannot be empty. If you omit the from statement, all packets are considered to match.
- In each firewall filter term, specify the action to take if the packet matches all the conditions in that term.
You can specify an action and/or action modifiers:
  - To specify a filter action, for example, to discard packets that match the conditions of the filter term:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set then discard
You can specify no more than one action per filter term.
  - To specify an action modifier, for example, to count and classify packets in a forwarding class:
[edit firewall family ethernet-switching filter ingress-port-filter term term-one]
user@switch# set then count counter-one
user@switch# set then forwarding-class expedited-forwarding
In a then statement, you can specify the following action modifiers:
- analyzer analyzer-name—Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. An analyzer must be configured under the ethernet-switching family address type. See Configuring Port Mirroring to Analyze Traffic (CLI Procedure).
- count counter-name—Count the number of packets that pass this filter term.
Note: We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.
- forwarding-class class—Classify packets in a forwarding class.
- loss-priority priority—Set the priority for dropping a packet.
- policer policer-name—Apply rate limiting to the traffic.
- interface interface-name—Forward the traffic to the specified interface, bypassing the switching lookup.
- log—Log the packet's header information in the Routing Engine.
If you omit the then statement or do not specify an action, packets that match all the conditions in the from statement are accepted. However, you must always explicitly configure an action and/or action modifier in the then statement. You can include no more than one action, but you can use any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.
Note: Implicit discard is also applicable to a firewall filter applied to the loopback interface, lo0.
On Juniper Networks EX8200 Ethernet Switches, if an implicit or explicit discard action is configured on a loopback interface for IPv4 traffic, next hop resolve packets are accepted and allowed to pass through the switch. However, for IPv6 traffic, you must explicitly configure a rule to allow the next hop IPv6 resolve packets to pass through the switch.
Configuring a Term Specifically for IPv4 or IPv6 Traffic
To configure a term in a firewall filter configuration specifically for IPv4 traffic:
- Verify that neither ether-type ipv6 nor ip-version ipv6 is specified in the term in the configuration. By default, a configuration that does not contain either ether-type ipv6 or ip-version ipv6 in a term applies to IPv4 traffic.
- (Optional) Perform one of these tasks:
- Define ether-type ipv4 in a term in the configuration.
- Define ip-version ipv4 in a term in the configuration.
- Define both ether-type ipv4 and ip-version ipv4 in a term in the configuration.
- Ensure that other match conditions in the term are valid for IPv4 traffic.
To configure a term in a firewall filter configuration specifically for IPv6 traffic:
- Perform one of these tasks:
- Define ether-type ipv6 in a term in the configuration.
- Define ip-version ipv6 in a term in the configuration.
- Define both ether-type ipv6 and ip-version ipv6 in a term in the configuration.
Note: By default, a configuration that does not contain either ether-type ipv6 or ip-version ipv6 in a term applies to IPv4 traffic.
- Ensure that other match conditions in the term are valid for IPv6 traffic.
Note: If the term contains either of the match conditions ether-type ipv6 or ip-version ipv6, with no other IPv6 match condition specified, all IPv6 traffic is matched.
Note: To configure a firewall filter for both IPv4 and IPv6 traffic, you must include two separate terms, one for IPv4 traffic and the other for IPv6 traffic.
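A complete filter that puts the steps above together, covering both the general procedure (family, filter name, interface-specific, terms, actions and modifiers, applying to a port) and the separate IPv4 and IPv6 terms. This is an added example, not configuration from the Juniper page: the filter name ingress-port-filter and port ge-0/0/1 come from the page, while the term and counter names and the 192.0.2.0/24 subnet are assumptions, and lines beginning with # are annotations rather than commands.

```junos
[edit]
# Family ethernet-switching because the filter is applied to a port.
# interface-specific gives each port the filter is applied to its own
# counter instances, so hits can be attributed per interface.
user@switch# set firewall family ethernet-switching filter ingress-port-filter interface-specific

# Term 1 (IPv4 only): ether-type ipv4 is optional here, because a term
# without ether-type ipv6 or ip-version ipv6 already applies to IPv4.
# Both from conditions must match; then carries one action (discard)
# plus a count modifier so the term's hits are visible.
user@switch# set firewall family ethernet-switching filter ingress-port-filter term guest-http from ether-type ipv4
user@switch# set firewall family ethernet-switching filter ingress-port-filter term guest-http from source-address 192.0.2.0/24
user@switch# set firewall family ethernet-switching filter ingress-port-filter term guest-http from source-port 80
user@switch# set firewall family ethernet-switching filter ingress-port-filter term guest-http then discard
user@switch# set firewall family ethernet-switching filter ingress-port-filter term guest-http then count guest-http-pkts

# Term 2 (IPv6 only): ether-type ipv6 with no other IPv6 condition
# matches all IPv6 traffic. Term 1 never sees IPv6, so without this
# term IPv6 would fall through to the final term uncounted.
user@switch# set firewall family ethernet-switching filter ingress-port-filter term all-ipv6 from ether-type ipv6
user@switch# set firewall family ethernet-switching filter ingress-port-filter term all-ipv6 then count ipv6-pkts
user@switch# set firewall family ethernet-switching filter ingress-port-filter term all-ipv6 then accept

# Term 3: a term with no from statement matches every remaining packet.
# It is needed because a filter ends with an implicit discard; without it
# all traffic not matched above would be silently dropped.
user@switch# set firewall family ethernet-switching filter ingress-port-filter term accept-rest then count accept-rest-pkts
user@switch# set firewall family ethernet-switching filter ingress-port-filter term accept-rest then accept

# Apply the filter to ingress traffic on the port (one filter per port,
# per direction), then commit and check the per-term counters.
user@switch# set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter
user@switch# commit
user@switch# run show firewall
```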
Applying a Firewall Filter to a Port on a Switch
You can apply a firewall filter to a port on a switch to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic.
To apply a firewall filter to a port to filter ingress or egress traffic:
Note: For applying a firewall filter to a management interface, see Applying a Firewall Filter to a Management Interface on a Switch.
- Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter at trunk port for employee-vlan and voice-vlan applied on the interface"
Note: Providing the description is optional.
- Specify the unit number and family address type for the interface:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching
For firewall filters that are applied to ports, the family address type must be ethernet-switching.
- To apply a firewall filter to filter packets that are entering a port:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter
- To apply a firewall filter to filter packets that are exiting a port:
[edit interfaces]
user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter output egress-port-filter
Note: You can apply no more than one firewall filter per port, per direction.
Applying a Firewall Filter to a Management Interface on a Switch
You can configure and apply a firewall filter to a management interface to control traffic that is entering or exiting the interface on a switch. You can use utilities such as SSH or Telnet to connect to the management interface over the network and then use management protocols such as SNMP to gather statistical data from the switch. Similar to configuring a firewall filter on other types of interfaces, you can configure a firewall filter on a management interface using any match condition, action, and action modifier specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches except for the following action modifiers:
- loss-priority
- forwarding-class
You can apply a firewall filter to the management Ethernet interface on any EX Series switch. You can also apply a firewall filter to the virtual management Ethernet (VME) interface on the EX4200 switch. For more information on the management Ethernet interface and the VME interface, see EX Series Switches Interfaces Overview.
To apply a firewall filter on the management interface to filter ingress or egress traffic:
- Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set me0 description "filter to limit tcp traffic filter at management interface"
Note: Providing the description is optional.
- Specify the unit number and family address type for the management interface:
[edit interfaces]
user@switch# set me0 unit 0 family inet
Note: For firewall filters that are applied to management interfaces, the family address type can be either inet or inet6.
- To apply a firewall filter to filter packets that are entering a management interface:
[edit interfaces]
user@switch# set me0 unit 0 family inet filter input ingress-port-filter
- To apply a firewall filter to filter packets that are exiting a management interface:
[edit interfaces]
user@switch# set me0 unit 0 family inet filter output egress-port-filter
Note: You can apply no more than one firewall filter per management interface, per direction.
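An added example (not from the Juniper page) of the management-interface case described above: a family inet filter on me0 that admits SSH from an admin subnet and SNMP from a monitoring host, counts and logs everything else, and is committed with a rollback timer. The admin subnet 192.0.2.0/24, the NMS address 198.51.100.10, and the filter, term and counter names are assumptions; lines beginning with # are annotations, not commands.

```junos
[edit]
# Management filters use family inet (or inet6) and take any match
# condition and action except the loss-priority and forwarding-class
# action modifiers.
user@switch# set firewall family inet filter manage-in term allow-ssh from source-address 192.0.2.0/24
user@switch# set firewall family inet filter manage-in term allow-ssh from protocol tcp
user@switch# set firewall family inet filter manage-in term allow-ssh from destination-port ssh
user@switch# set firewall family inet filter manage-in term allow-ssh then count ssh-pkts
user@switch# set firewall family inet filter manage-in term allow-ssh then accept

user@switch# set firewall family inet filter manage-in term allow-snmp from source-address 198.51.100.10/32
user@switch# set firewall family inet filter manage-in term allow-snmp from protocol udp
user@switch# set firewall family inet filter manage-in term allow-snmp from destination-port snmp
user@switch# set firewall family inet filter manage-in term allow-snmp then count snmp-pkts
user@switch# set firewall family inet filter manage-in term allow-snmp then accept

# The filter is stateless: replies to sessions the switch itself opens
# over me0 (for example DNS or NTP) need their own accept terms here.

# Final term: count and log what is rejected, then discard it. Relying on
# the implicit discard would drop the same packets without a counter.
user@switch# set firewall family inet filter manage-in term deny-rest then count denied-pkts
user@switch# set firewall family inet filter manage-in term deny-rest then log
user@switch# set firewall family inet filter manage-in term deny-rest then discard

# Apply as an input filter on me0 and commit with a rollback timer, so a
# mistake that locks out the admin subnet reverts itself after 5 minutes
# unless a second commit confirms the change.
user@switch# set interfaces me0 unit 0 family inet filter input manage-in
user@switch# commit confirmed 5
```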
Applying a Firewall Filter to a VLAN on a Network
You can apply a firewall filter to a VLAN on a network to filter ingress or egress traffic on the network. To apply a firewall filter to a VLAN, specify the VLAN name and ID, and then apply the firewall filter to the VLAN. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic.
To apply a firewall filter to a VLAN:
- Specify the VLAN name and VLAN ID and provide a meaningful description of the firewall filter and the VLAN to which the filter is applied:
[edit vlans]
user@switch# set employee-vlan vlan-id 20 vlan-description "filter to rate limit traffic applied on employee-vlan"
Note: Providing the description is optional.
- Apply firewall filters to filter packets that are entering or exiting the VLAN:
  - To apply a firewall filter to filter packets that are entering the VLAN:
  - To apply a firewall filter to filter packets that are exiting the VLAN:
[edit vlans]
user@switch# set employee-vlan vlan-id 20 filter output egress-vlan-filter
Note: You can apply no more than one firewall filter per VLAN, per direction.
Applying a Firewall Filter to a Layer 3 (Routed) Interface
You can apply a firewall filter to a Layer 3 (routed) interface to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic.
To apply a firewall filter to a Layer 3 interface on a switch:
- Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
[edit interfaces]
user@switch# set ge-0/1/0 description "filter to count and monitor employee-vlan traffic applied on layer 3 interface"
Note: Providing the description is optional.
- Specify the unit number, family address type, and address for the interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24
For firewall filters applied to Layer 3 interfaces, the family address type must be inet (for IPv4 traffic) or inet6 (for IPv6 traffic).
- You can apply firewall filters to filter packets that are entering or exiting a Layer 3 (routed) interface. The filter is attached under the family, not under the address:
  - To apply a firewall filter to filter packets that are entering a Layer 3 interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet filter input ingress-router-filter
  - To apply a firewall filter to filter packets that are exiting a Layer 3 interface:
[edit interfaces]
user@switch# set ge-0/1/0 unit 0 family inet filter output egress-router-filter
Note: You can apply no more than one firewall filter per Layer 3 interface, per direction.
Published: 2013-01-06