TechLibrary

Firewall Filters
Overview of Firewall Filters Understanding Filter-Based Forwarding Understanding How Firewall Filters Are Evaluated Understanding How Firewall Filters Control Packet Flows Understanding Firewall Filter Match Conditions Firewall Filter Match Conditions and Actions Understanding How a Firewall Filter Tests a Protocol Understanding Firewall Filter Planning Planning the Number of Firewall Filters to Create Understanding Firewall Filter Processing Points for Bridged and Routed Packets Applying Firewall Filters to Interfaces

Firewall Filters

Overview of Firewall Filters

Understanding Filter-Based Forwarding

Understanding How Firewall Filters Are Evaluated

Understanding How Firewall Filters Control Packet Flows

Understanding Firewall Filter Match Conditions

Firewall Filter Match Conditions and Actions

Understanding How a Firewall Filter Tests a Protocol

Understanding Firewall Filter Planning

Planning the Number of Firewall Filters to Create

Understanding Firewall Filter Processing Points for Bridged and Routed Packets

Applying Firewall Filters to Interfaces

Policers
Overview of Policers Understanding Policers with Link Aggregation Groups Understanding Color-Blind Mode for Single-Rate Tricolor Marking Understanding Color-Aware Mode for Single-Rate Tricolor Marking Understanding Color-Blind Mode for Two-Rate Tricolor Marking Understanding Color-Aware Mode for Two-Rate Tricolor Marking

Policers

Overview of Policers

Understanding Policers with Link Aggregation Groups

Understanding Color-Blind Mode for Single-Rate Tricolor Marking

Understanding Color-Aware Mode for Single-Rate Tricolor Marking

Understanding Color-Blind Mode for Two-Rate Tricolor Marking

Understanding Color-Aware Mode for Two-Rate Tricolor Marking

Port Security
Overview of Access Port Protection Port Security Overview Understanding DHCP Snooping for Port Security Understanding DAI for Port Security Understanding MAC Limiting and MAC Move Limiting for Port Security Understanding Trusted and Untrusted Ports Understanding Trusted DHCP Servers for Port Security Understanding DHCP Option 82 for Port Security Understanding Static ARP Entries

Port Security

Overview of Access Port Protection

Port Security Overview

Understanding DHCP Snooping for Port Security

Understanding DAI for Port Security

Understanding MAC Limiting and MAC Move Limiting for Port Security

Understanding Trusted and Untrusted Ports

Understanding Trusted DHCP Servers for Port Security

Understanding DHCP Option 82 for Port Security

Understanding Static ARP Entries

Device Security
Understanding Storm Control Understanding Unicast RPF Understanding Unknown Unicast Forwarding

Device Security

Understanding Storm Control

Understanding Unicast RPF

Understanding Unknown Unicast Forwarding

Firewall and Policer Configuration Examples
Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device Example: Using Two-Color Policers and Prefix Lists Example: Using Policers to Manage Oversubscription

Firewall and Policer Configuration Examples

Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device

Example: Using Two-Color Policers and Prefix Lists

Example: Using Policers to Manage Oversubscription

Device Security Configuration Example (ELS CLI Only)
Example: Configuring Storm Control to Prevent Network Outages

Firewall and Policer Configuration Tasks
Configuring Firewall Filters Applying Firewall Filters to Interfaces Assigning Forwarding Classes and Loss Priority Configuring Color-Blind Egress Policers for Medium-Low PLP Configuring Two-Color and Three-Color Policers to Control Traffic Rates Configuring MPLS Firewall Filters and Policers Configuring a Firewall Filter to De-encapsulate GRE Traffic on a QFX5100 Switch

Firewall and Policer Configuration Tasks

Configuring Firewall Filters

Applying Firewall Filters to Interfaces

Assigning Forwarding Classes and Loss Priority

Configuring Color-Blind Egress Policers for Medium-Low PLP

Configuring Two-Color and Three-Color Policers to Control Traffic Rates

Configuring MPLS Firewall Filters and Policers

Configuring a Firewall Filter to De-encapsulate GRE Traffic on a QFX5100 Switch

Device Security Configuration Tasks
Configuring Unicast RPF (CLI Procedure) Disabling Unicast RPF (CLI Procedure) Configuring Unknown Unicast Forwarding (CLI Procedure)

Device Security Configuration Tasks

Configuring Unicast RPF (CLI Procedure)

Disabling Unicast RPF (CLI Procedure)

Configuring Unknown Unicast Forwarding (CLI Procedure)

Configuration Statements for Firewall Filters
family filter filter (Layer 2 and Layer 3 Interfaces) filter (VLANs) firewall from interface-specific term then (Filters)

Configuration Statements for Firewall Filters

family

filter

filter (Layer 2 and Layer 3 Interfaces)

Configuration Statements for Policers
action bandwidth-limit burst-size-limit color-aware color-blind committed-burst-size committed-information-rate excess-burst-size filter-specific firewall if-exceeding loss-priority high then discard peak-burst-size peak-information-rate policer single-rate then (Policers) three-color-policer two-rate

Configuration Statements for Policers

committed-information-rate

loss-priority high then discard

peak-burst-size

peak-information-rate

Configuration Statements for Port Security
circuit-id dhcp-snooping-file fc-map fcoe-trusted mac-move-limit no-allowed-mac-log no-gratuitous-arp-request persistent-learning port-error-disable vendor-id write-interval

Configuration Statements for Port Security

no-gratuitous-arp-request

Configuration Statements for Port Security (ELS CLI Only)
accept-source-mac arp-inspection dhcp-security dhcp-service group interface (DHCP Security) interface-mac-limit no-dhcp-snooping no-option-82 option-82 overrides recovery-timeout static-ip switch-options trusted untrusted

Configuration Statements for Port Security (ELS CLI Only)

interface (DHCP Security)

Configuration Statements for Device Security
action-shutdown interface (Unknown Unicast Forwarding) no-broadcast no-multicast no-unknown-unicast rpf-check unknown-unicast-forwarding

Configuration Statements for Device Security

action-shutdown

interface (Unknown Unicast Forwarding)

unknown-unicast-forwarding

Configuration Statements for Device Security (ELS CLI Only)
bandwidth-level bandwidth-percentage no-registered-multicast no-unregistered-multicast storm-control storm-control-profiles

Configuration Statements for Device Security (ELS CLI Only)

bandwidth-level

bandwidth-percentage

no-registered-multicast

no-unregistered-multicast

storm-control

storm-control-profiles

Routine Monitoring
Monitoring Firewall Filter Traffic Monitoring Port Security Verifying That Firewall Filters Are Operational Verifying That DAI Is Working Correctly Verifying That DHCP Snooping Is Working Correctly Verifying That MAC Limiting Is Working Correctly Verifying That MAC Move Limiting Is Working Correctly Verifying That the Port Error Disable Setting Is Working Correctly Verifying Unicast RPF Status Verifying That a Trusted DHCP Server Is Working Correctly Verifying That Three-Color Policers Are Operational Verifying That Two-Color Policers Are Operational

Routine Monitoring

Monitoring Firewall Filter Traffic

Monitoring Port Security

Verifying That Firewall Filters Are Operational

Verifying That DAI Is Working Correctly

Verifying That DHCP Snooping Is Working Correctly

Verifying That MAC Limiting Is Working Correctly

Verifying That MAC Move Limiting Is Working Correctly

Verifying That the Port Error Disable Setting Is Working Correctly

Verifying Unicast RPF Status

Verifying That a Trusted DHCP Server Is Working Correctly

Verifying That Three-Color Policers Are Operational

Verifying That Two-Color Policers Are Operational

Monitoring Commands
clear arp inspection statistics clear dhcp snooping binding clear ethernet-switching port-error clear firewall show arp inspection statistics show dhcp snooping binding show firewall show firewall policer show interfaces filters

Monitoring Commands

clear arp inspection statistics

clear dhcp snooping binding

clear ethernet-switching port-error

clear firewall

show arp inspection statistics

show dhcp snooping binding

show firewall

show firewall policer

show interfaces filters