- play_arrow Understanding and Configuring Junos Routing Policies
- play_arrow Overview
- Policy Framework Overview
- Comparison of Routing Policies and Firewall Filters
- Prefix Prioritization Overview
- FIB Prefix Prioritization
- Accounting of the Policer Overhead Attribute at the Interface Level
- Configuring the Accounting of Policer Overhead in Interface Statistics
- Understanding Routing Policies
- Protocol Support for Import and Export Policies
- Example: Applying Routing Policies at Different Levels of the BGP Hierarchy
- Default Routing Policies
- Example: Configuring a Conditional Default Route Policy
- play_arrow Evaluating Routing Policies Using Match Conditions, Actions, Terms, and Expressions
- How a Routing Policy Is Evaluated
- Categories of Routing Policy Match Conditions
- Routing Policy Match Conditions
- Route Filter Match Conditions
- Actions in Routing Policy Terms
- Summary of Routing Policy Actions
- Example: Configuring a Routing Policy to Advertise the Best External Route to Internal Peers
- Example: Configuring BGP to Advertise Inactive Routes
- Example: Using Routing Policy to Set a Preference Value for BGP Routes
- Example: Enabling BGP Route Advertisements
- Example: Rejecting Known Invalid Routes
- Example: Using Routing Policy in an ISP Network
- Understanding Policy Expressions
- Understanding Backup Selection Policy for OSPF Protocol
- Configuring Backup Selection Policy for the OSPF Protocol
- Configuring Backup Selection Policy for IS-IS Protocol
- Example: Configuring Backup Selection Policy for the OSPF or OSPF3 Protocol
- play_arrow Evaluating Complex Cases Using Policy Chains and Subroutines
- play_arrow Configuring Route Filters and Prefix Lists as Match Conditions
- Understanding Route Filters for Use in Routing Policy Match Conditions
- Understanding Route Filter and Source Address Filter Lists for Use in Routing Policy Match Conditions
- Understanding Load Balancing Using Source or Destination IP Only
- Configuring Load Balancing Using Source or Destination IP Only
- Walkup for Route Filters Overview
- Configuring Walkup for Route Filters to Improve Operational Efficiency
- Example: Configuring Route Filter Lists
- Example: Configuring Walkup for Route Filters Globally to Improve Operational Efficiency
- Example: Configuring Walkup for Route Filters Locally to Improve Operational Efficiency
- Example: Configuring a Route Filter Policy to Specify Priority for Prefixes Learned Through OSPF
- Example: Configuring the MED Using Route Filters
- Example: Configuring Layer 3 VPN Protocol Family Qualifiers for Route Filters
- Understanding Prefix Lists for Use in Routing Policy Match Conditions
- Example: Configuring Routing Policy Prefix Lists
- Example: Configuring the Priority for Route Prefixes in the RPD Infrastructure
- Configuring Priority for Route Prefixes in RPD Infrastructure
- play_arrow Configuring AS Paths as Match Conditions
- Understanding AS Path Regular Expressions for Use as Routing Policy Match Conditions
- Example: Using AS Path Regular Expressions
- Understanding Prepending AS Numbers to BGP AS Paths
- Example: Configuring a Routing Policy for AS Path Prepending
- Understanding Adding AS Numbers to BGP AS Paths
- Example: Advertising Multiple Paths in BGP
- Improve the Performance of AS Path Lookup in BGP Policy
- play_arrow Configuring Communities as Match Conditions
- Understanding BGP Communities, Extended Communities, and Large Communities as Routing Policy Match Conditions
- Understanding How to Define BGP Communities and Extended Communities
- How BGP Communities and Extended Communities Are Evaluated in Routing Policy Match Conditions
- Example: Configuring Communities in a Routing Policy
- Example: Configuring Extended Communities in a Routing Policy
- Example: Configuring BGP Large Communities
- Example: Configuring a Routing Policy Based on the Number of BGP Communities
- Example: Configuring a Routing Policy That Removes BGP Communities
- play_arrow Increasing Network Stability with BGP Route Flapping Actions
- play_arrow Tracking Traffic Usage with Source Class Usage and Destination Class Usage Actions
- Understanding Source Class Usage and Destination Class Usage Options
- Source Class Usage Overview
- Guidelines for Configuring SCU
- System Requirements for SCU
- Terms and Acronyms for SCU
- Roadmap for Configuring SCU
- Roadmap for Configuring SCU with Layer 3 VPNs
- Configuring Route Filters and Source Classes in a Routing Policy
- Applying the Policy to the Forwarding Table
- Enabling Accounting on Inbound and Outbound Interfaces
- Configuring Input SCU on the vt Interface of the Egress PE Router
- Mapping the SCU-Enabled vt Interface to the VRF Instance
- Configuring SCU on the Output Interface
- Associating an Accounting Profile with SCU Classes
- Verifying Your SCU Accounting Profile
- SCU Configuration
- SCU with Layer 3 VPNs Configuration
- Example: Grouping Source and Destination Prefixes into a Forwarding Class
- play_arrow Avoiding Traffic Routing Threats with Conditional Routing Policies
- Conditional Advertisement and Import Policy (Routing Table) with certain match conditions
- Conditional Advertisement Enabling Conditional Installation of Prefixes Use Cases
- Example: Configuring a Routing Policy for Conditional Advertisement Enabling Conditional Installation of Prefixes in a Routing Table
- play_arrow Protecting Against DoS Attacks by Forwarding Traffic to the Discard Interface
- play_arrow Improving Commit Times with Dynamic Routing Policies
- play_arrow Testing Before Applying Routing Policies
-
- play_arrow Configuring Traffic Policers
- play_arrow Understanding Traffic Policers
- Policer Implementation Overview
- ARP Policer Overview
- Example: Configuring ARP Policer
- Understanding the Benefits of Policers and Token Bucket Algorithms
- Determining Proper Burst Size for Traffic Policers
- Controlling Network Access Using Traffic Policing Overview
- Traffic Policer Types
- Order of Policer and Firewall Filter Operations
- Understanding the Frame Length for Policing Packets
- Supported Standards for Policing
- Hierarchical Policer Configuration Overview
- Understanding Enhanced Hierarchical Policers
- Packets-Per-Second (pps)-Based Policer Overview
- Guidelines for Applying Traffic Policers
- Policer Support for Aggregated Ethernet Interfaces Overview
- Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface
- Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers
- Hierarchical Policers on ACX Series Routers Overview
- Guidelines for Configuring Hierarchical Policers on ACX Series Routers
- Hierarchical Policer Modes on ACX Series Routers
- Processing of Hierarchical Policers on ACX Series Routers
- Actions Performed for Hierarchical Policers on ACX Series Routers
- Configuring Aggregate Parent and Child Policers on ACX Series Routers
- play_arrow Configuring Policer Rate Limits and Actions
- play_arrow Configuring Layer 2 Policers
- Hierarchical Policers
- Configuring a Policer Overhead
- Two-Color and Three-Color Policers at Layer 2
- Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Two-Color Layer 2 Policer for the Pseudowire
- Configuring a Three-Color Layer 2 Policer for the Pseudowire
- Applying the Policers to Dynamic Profile Interfaces
- Attaching Dynamic Profiles to Routing Instances
- Using Variables for Layer 2 Traffic Policing at the Pseudowire Overview
- Configuring a Policer for the Complex Configuration
- Creating a Dynamic Profile for the Complex Configuration
- Attaching Dynamic Profiles to Routing Instances for the Complex Configuration
- Verifying Layer 2 Traffic Policers on VPLS Connections
- Understanding Policers on OVSDB-Managed Interfaces
- Example: Applying a Policer to OVSDB-Managed Interfaces
- play_arrow Configuring Two-Color and Three-Color Traffic Policers at Layer 3
- Two-Color Policer Configuration Overview
- Basic Single-Rate Two-Color Policers
- Bandwidth Policers
- Prefix-Specific Counting and Policing Actions
- Policer Overhead to Account for Rate Shaping in the Traffic Manager
- Three-Color Policer Configuration Overview
- Applying Policers
- Three-Color Policer Configuration Guidelines
- Basic Single-Rate Three-Color Policers
- Basic Two-Rate Three-Color Policers
- Example: Configuring a Two-Rate Three-Color Policer
- play_arrow Configuring Logical and Physical Interface Traffic Policers at Layer 3
- play_arrow Configuring Policers on Switches
- Overview of Policers
- Traffic Policer Types
- Understanding the Use of Policers in Firewall Filters
- Understanding Tricolor Marking Architecture
- Configuring Policers to Control Traffic Rates (CLI Procedure)
- Configuring Tricolor Marking Policers
- Understanding Policers with Link Aggregation Groups
- Understanding Color-Blind Mode for Single-Rate Tricolor Marking
- Understanding Color-Aware Mode for Single-Rate Tricolor Marking
- Understanding Color-Blind Mode for Two-Rate Tricolor Marking
- Understanding Color-Aware Mode for Two-Rate Tricolor Marking
- Example: Using Two-Color Policers and Prefix Lists
- Example: Using Policers to Manage Oversubscription
- Assigning Forwarding Classes and Loss Priority
- Configuring Color-Blind Egress Policers for Medium-Low PLP
- Configuring Two-Color and Three-Color Policers to Control Traffic Rates
- Verifying That Two-Color Policers Are Operational
- Verifying That Three-Color Policers Are Operational
- Troubleshooting Policer Configuration
- Troubleshooting Policer Configuration
-
- play_arrow Configuration Statements and Operational Commands
- play_arrow Troubleshooting
- play_arrow Knowledge Base
-
Firewall Filter Flexible Match Conditions
Standard firewall filter match conditions vary based on the protocol family of the traffic being matched. For example, the terms available for bridge protocol traffic are different from those available for the inet or inet6 protocol families. The fields available for matching within each protocol family are, however, fixed or pre-defined. This means that filters can match on patterns within those pre-defined fields only.
Using flexible match conditions, firewall filters can be constructed that start the match at layer-2, layer-3, layer-4 or payload locations. From there, additional offset criteria can be specified thereby enabling pattern matches at custom, user-defined locations within a packet.
Flexible match filter terms are applied to MPC or MIC interfaces as either input or
output filters just as any other firewall filter terms. Flexible match filter terms can also
be created as templates at the [edit firewall] hierarchy level. These templates
can then be referenced within a flexible match term.
For MX series routers, flexible match conditions are only supported with MPCs or MICs. For environments where FPCs, PICs, and or DPCs are installed along with MPCs or MICs, be sure to only apply the flexible match firewall filter criteria to the MPC or MIC interfaces.
For MX Series routers with MPCs, you need to initialize the filter counter for
Trio-only match filters in the MIB by walking the corresponding SNMP MIB. For
example, for any filter that is configured or changed with respect to their
Trio-only filters, you need to run a command such as the following: show
snmp mib walk (ascii | decimal) object-id. This
forces Junos to learn the filter counters and ensure that the filter statistics are
displayed (this is because the first poll to filter statistics may not show all
counters). Trio-only match filters are those that include at least one match
condition or action that is only supported by the Trio chipset.
This guidance applies to all enhanced-mode firewall filters. It also applies to Firewall Filter Match Conditions for IPv4 Traffic with flexible match filter terms for offset-range or offset-mask,
gre-key, and Firewall Filter Match Conditions for IPv6 Traffic with any of the
following match conditions: payload-protocol, extension
headers, is_fragment. It also applies to filters with
either of the following Firewall Filter Terminating Actions:
encapsulate or decapsulate, or either of the
following Firewall Filter Nonterminating Actions:
policy-map, and clear-policy-map.
Statement Hierarchy
Flexible match filter terms are available in three variations as shown in Table 1. The flexible-match variation is configured at the [edit
firewall] hierarchy level. It is used to define flexible match
templates. The flexible-filter-match-mask and
flexible-match-range are configured at the [edit
firewall family [inet|inet6|bridge|ethernet-switching|ccc|vpls] filter
<filter-name> term
<term-name> from] hierarchy. Use the
family ethernet-switching filter for EX9200 switches.
Flexible Filter Match Types
Flexible Filter Match Type | Available Attributes | Description |
|---|---|---|
|
| Create a flexible-match template named as the <name> attribute. |
| Length of the data to be matched in bits, not needed for string input (0..32) For QFX5120 and EX4650 switches, 16 and 32 are the only valid bit lengths. | |
| Bit offset after the (match-start + byte) offset (0..7) | |
| Byte offset after the match start point | |
| Start point to match in packet | |
|
| Length of the data to be matched in bits, not needed for string input (0..128) |
| Bit offset after the (match-start + byte) offset (0..7) | |
| Byte offset after the match start point | |
| Select a flexible match from predefined template field. Required
unless | |
| Mask out bits in the packet data to be matched. | |
| Start point to match in packet. Required unless
| |
| Value data/string to be matched. | |
|
| Length of the data to be matched in bits. (0..32) Required unless
|
| Bit offset after the (match-start + byte) offset. (0..7) | |
| Byte offset after the match start point | |
| Select a flexible match from predefined template. | |
| Start point to match in packet. Required unless
| |
| Range of values to be matched. | |
| Range of values to be not matched. |
flexible-match-range is not supported on EX2300,
EX3400, EX4100 and EX4400.
Flexible Filter Match Start Locations
Flexible match filter terms are constructed by giving a start location or anchor
point within the packet. The start locations can be any of: layer-2, layer-3,
layer-4 or payload, depending on the protocol family in use. Table 2 shows available flexible filter match start locations by protocol family. You use
these available start locations as the match-start locations for
the flexible match filter terms.
From these start locations, specific byte and bit offsets can be utilized to allow the filter to match patterns at very specific locations within the packet.
Protocol Family | Available Start Locations |
|---|---|
|
For QFX5120 and EX4650 switches, support for layer-2 and layer-3 (only) flexible match filters was added in Junos Release 20.1R1. |
|
For QFX5120 and EX4650 switches, support for layer-2 and layer-3 (only) flexible match filters was added in Junos Release 20.1R1. |
|
|
|
|
|
|
|
|
| (EX9200 switches) For, QFX5120 and EX4650 switches, support for layer-2 and layer-3 (only) flexible match filters was added in Junos Release 20.1R1. An example of using a layer-2 packet offset and match length can be found below. |
Flexible Filter Match Examples
The following example illustrates the use and context for
flexible-match-mask.
from {
flexible-match-mask {
flexible-mask-name <mask-name>;
mask-in-hex <mask>;
prefix <pattern>;
}
}The <mask-name> specifies for flexible-mask-name which predefined template is used for the flexible match condition. Templates can be defined to specify at which place (position) in the packet the flexible match condition should be executed.
The <mask> for mask-in-hex is in
hexadecimal format. For example, a configured mask of 0xf0fc
specifies a match for the fist four bits in first byte (as referred by
<mask-name>), and for the first six bits in the second
byte. If the packet is IPv4 packet, and <mask-name> refers
to first two bytes in L3 header, the search is for the IP version field and DSCP
field. As another example, a configured mask 0xffc0 specifies a
search for entire first byte and for two bits from the second byte. If the
<mask-name> refers to first two bytes in L3 header, and
the packet is IPv6 packet, this specifies the IP version field and DSCP in the
Traffic Class field.
The <pattern> specified for prefix is an
ASCII string. If first two characters are 0x, then the string is
processed as a hexadecimal number encoding appropriate bits. For example, the
configured prefix 0x40c0 in combination with mask
0xf0fc and <mask-name> referring first
two bytes in L3 header, indicates a search for 0100 in the first
four bits (version field is equal to 4) and 1100 00 in IPv4 DSCP
field (DSCP is equal to cs6). Or, using the configured prefix
0x6c00 in combination with mask 0xffc0 and
<mask-name> referring first two bytes in L3 header,
specifies a search for for 0110 in the first four bits (version
field is equal to 6), and 1100 00 in IPv6 DSCP field (DSCP is equal
to cs6).
The first example defines a mask template that selects first two bytes (16 bits) from L3 header for flexible match:
firewall {
flexible-match FM-FIRST-TWO-L3-BYTES {
match-start layer-3;
byte-offset 0;
bit-offset 0;
bit-length 16;
}
}The next example defines a mask template that selects the third through sixth byte (32 bits) of the packet payload for flexible match:
firewall {
flexible-match FM-FOUR-PAYLOAD-BYTES {
match-start payload;
byte-offset 2;
bit-offset 0;
bit-length 32;
}
}This example shows an ASCII character match for the string JNPR (ASCII
characters: 0x4a, 0x4e, 0x50,
0x52) in the third through sixth byte of the packet payload.
The filter uses the FM-FOUR-PAYLOAD-BYTES mask template defined in
the previous example.
firewall {
family ccc filter FF-COUNT-JNPR-PACKETS {
term JNPR-STRING {
from {
flexible-match-mask {
mask-in-hex 0xffffffff;
prefix JNPR;
flexible-mask-name FM-FOUR-PAYLOAD-BYTES;
}
}
then {
count CNT-JNPR-YES
accept;
}
}
term DEAFULT {
then {
count CNT-JNPR-NO
accept;
}
}
}
}This example shows a family ccc filter looking for DSCP equal to cs6
and DSCP ef, regardless whether the encapsulated packets are IPv4
or IPv6. It uses the the FM-FIRST-TWO-L3-BYTES mask template
defined in the first example.
firewall {
family ccc filter FF-DSCP-CLASSIFY {
term ROUTING-IPV4 {
from {
flexible-match-mask {
mask-in-hex 0xf0fc;
prefix 0x40c0; # DSCP=cs6 in IPv4 header
flexible-mask-name FM-FIRST-TWO-L3-BYTES;
}
}
then {
count ROUTING-IPV4;
accept;
}
}
term ROUTING-IPV6 {
from {
flexible-match-mask {
mask-in-hex 0xffc0;
prefix 0x6c00; # DSCP=cs6 in IPv6 header
flexible-mask-name FM-FIRST-TWO-L3-BYTES;
}
}
then {
count ROUTING-IPV6;
accept;
}
}
term VOICE-IPV4 {
from {
flexible-match-mask {
mask-in-hex 0xf0fc;
prefix 0x40b8; # DSCP=ef in IPv4 header
flexible-mask-name FM-FIRST-TWO-L3-BYTES;
}
}
then {
count VOICE-IPV4;
accept;
}
}
term VOICE-IPV6 {
from {
flexible-match-mask {
mask-in-hex 0xffc0;
prefix 0x6b80; # DSCP=ef in IPv6 header
flexible-mask-name FM-FIRST-TWO-L3-BYTES;
}
}
then {
count VOICE-IPV6;
accept;
}
}
term DEFAULT {
then {
accept;
}
}
}
}This example shows how to use a match length, starting from a layer-2 packet offset,
in a firewall filter for a QFX5120-32C, QFX5120-48Y, or EX4650 device running Junos
Release 20.1R1. Here, we use a bit-length of 32 bits and the
ethernet-switching family (inet and
inet6 are also supported, as is using a layer-3 offset).
user@device# show firewall family ethernet-switching
filter udf_eth {
term t1 {
from {
flexible-match-mask {
match-start layer-2;
byte-offset 8;
bit-length 32;
prefix 168430090;
}
}
then count c1;
}
}Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
