Supported Platforms
- QFabric System, QFX Series standalone switches
Related Documentation
- Understanding Firewall Filter Planning
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Match Conditions
- Overview of Policers
- Configuring Firewall Filters
Overview of Firewall Filters
Firewall filters provide rules that define whether to accept or discard packets that are transiting an interface. If a packet is accepted, you can configure additional actions to perform on the packet, such as class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority) and traffic policing (controlling the maximum rate of traffic sent or received). You configure firewall filters to determine whether to accept or discard a packet before it enters or exits any of these:
- Port
- VLAN
- Layer 3 (routed) interface
- Routed VLAN interface (RVI)
An ingress firewall filter is applied to packets that are entering an interface or VLAN, and an egress firewall filter is applied to packets that are exiting an interface or VLAN.
Note: Firewall filters are sometimes called access control lists (ACLs).
Firewall Filter Types
The following firewall filter types are supported:
- Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 traffic transiting system ports.
- VLAN firewall filter—VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN.
- Router (Layer 3) firewall filter—You can apply a router firewall filter in both ingress and egress directions on IPv4 or IPv6 Layer 3 (routed) interfaces, routed VLAN interfaces (RVI), and a loopback interface, which filters traffic sent to the switch itself or generated by the switch. (You apply a filter to a loopback interface in the input direction to protect the switch from unwanted traffic. You also might want to apply a filter to a loopback interface in the output direction so that you can set the forwarding class and DSCP bit value for packets that originate on the switch itself. This feature gives you very fine control over the classification of CPU-generated packets. For example, you might want to assign different DSCP values and forwarding classes to traffic generated by different routing protocols so the traffic for those protocols can be treated in a differentiated manner by other devices. You can apply a filter to a loopback interface in the output direction starting with Junos OS 13.2X51-D15.)
Note: You can apply a firewall filter to a management interface (for example, me0) on a QFX and EX4600 standalone switch. You cannot apply a firewall filter to a management interface on a QFX3000-G or QFX3000-M system.
- MPLS filter—You can apply a firewall filter to an MPLS interface.
To apply a firewall filter:
- Configure the firewall filter.
- Apply the firewall filter to a port, VLAN, or router interface.
Note: You can apply only one firewall filter to a port, VLAN, or interface for a given direction. For example, for interface ge-0/0/6.0, you can apply one filter for the ingress direction and one for the egress direction.
Firewall Filter Components
In a firewall filter, you first define the family address type (ethernet-switching, inet (for IPv4), inet6 (for IPv6), or mpls) and then define one or more terms that specify the filtering criteria and the action to take if a match occurs.
Each term consists of the following components:
- Match conditions—Specify values that a packet must contain to be considered a match. You can specify values for most fields in the IP, TCP, UDP, or ICMP headers. You can also match on interface names.
- Action—Specifies what to do if a packet matches the match conditions. A filter can accept, discard, or reject a matching packet and then perform additional actions, such as counting, classifying, and policing. If no action is specified for a term, the default is to accept the matching packet.
Firewall Filter Processing
If there are multiple terms in a filter, the order of the terms is important. If a packet matches the first term, the switch executes the action defined by that term, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term. If no match occurs between the packet and the second term, the system continues to compare the packet to each successive term in the filter until a match is found. If the packet does not match any terms in the filter, the switch discards the packet by default.
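The term structure described under Firewall Filter Components and the first-match evaluation order described above can be modelled in a few lines. The following is an added example, not Juniper code and not a Junos parser: it reads a constructed filter configuration written in Junos-style brace syntax (the filter names, term names, counters and addresses are invented for the example), then evaluates packets against the terms in order, accepting a matching term that has no action, and discarding a packet that matches no term, exactly as the processing rules state. It only understands the handful of match conditions used in the sample, and compares port and protocol values literally, so named ports such as `ssh` are not resolved.

```python
import ipaddress
import re

# Constructed sample configuration (not from the page), in Junos-style brace syntax.
SAMPLE_CONFIG = """
firewall {
    family inet {
        filter protect-mgmt {
            term allow-ssh-from-admins {
                from { source-address 10.10.0.0/24; protocol tcp; destination-port 22; }
                then { count ssh-admins; accept; }
            }
            term allow-icmp {
                from { protocol icmp; }
            }
            term deny-everything-else {
                then { count rejected; discard; }
            }
        }
        filter only-dns {
            term allow-dns {
                from { protocol udp; destination-port 53; }
                then { accept; }
            }
        }
    }
}
"""


def parse_config(text):
    """Turn brace-structured config into nested dicts.

    A block header such as "term allow-icmp" becomes a dict key; a leaf
    statement such as "protocol tcp;" maps its keyword to a list of values
    ("accept;" maps to an empty list). Dict insertion order keeps term order.
    """
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", text)
    root, stack, words = {}, [], []
    stack.append(root)
    for tok in tokens:
        if tok == "{":
            node = {}
            stack[-1][" ".join(words)] = node
            stack.append(node)
            words = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            stack[-1].setdefault(words[0], []).extend(words[1:])
            words = []
        else:
            words.append(tok)
    return root


def terms_of(config, family, filter_name):
    """Return [(term_name, term_body), ...] in configured order."""
    filt = config["firewall"][f"family {family}"][f"filter {filter_name}"]
    return [(key.split(" ", 1)[1], body) for key, body in filt.items() if key.startswith("term ")]


def term_matches(conditions, packet):
    """Every configured match condition must hold; a term with no 'from' matches everything."""
    for field, values in conditions.items():
        if field in ("source-address", "destination-address"):
            addr = ipaddress.ip_address(packet[field])
            if not any(addr in ipaddress.ip_network(v) for v in values):
                return False
        elif str(packet.get(field)) not in values:
            return False
    return True


def evaluate(config, family, filter_name, packet):
    """First matching term decides: returns (action, term_name, counters_incremented).

    No 'then' action on the matching term means accept; no matching term at all
    means the packet is discarded by default.
    """
    for name, body in terms_of(config, family, filter_name):
        if term_matches(body.get("from", {}), packet):
            then = body.get("then", {})
            action = "discard" if "discard" in then else "reject" if "reject" in then else "accept"
            return action, name, then.get("count", [])
    return "discard", None, []


CONFIG = parse_config(SAMPLE_CONFIG)

if __name__ == "__main__":
    ssh = {"source-address": "10.10.0.5", "destination-address": "10.10.0.1",
           "protocol": "tcp", "destination-port": 22}
    print(evaluate(CONFIG, "inet", "protect-mgmt", ssh))
```

Because evaluation stops at the first match, the catch-all `deny-everything-else` term only sees traffic that neither earlier term claimed; the `only-dns` filter has no such term and relies on the implicit discard instead, which is the behaviour to keep in mind when a filter that was meant to "allow a bit more" silently drops everything it does not name.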
Published: 2014-07-23