Technical Documentation
Related Documentation
- EX Series
- Firewall Filters for EX Series Switches Overview
- Understanding the Use of Policers in Firewall Filters
- Understanding How Firewall Filters Are Evaluated
- Understanding Filter-Based Forwarding for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches
Understanding Planning of Firewall Filters
Before you create a firewall filter and apply it to an interface, determine what you want the firewall filter to accomplish and how to use its match conditions and actions to achieve your goals. You must understand how packets are matched to match conditions, the default and configured actions of the firewall filter, and proper placement of the firewall filter.
You can configure and apply no more than one firewall filter per port, VLAN, or router interface, per direction. The following limits apply for the number of firewall filter terms allowed per filter on various switch models:
- On EX2200 switches including the EX2200-C model, the number of
terms per filter cannot exceed 512.
Note: An EX2200-C switch is a compact, fanless model of the EX2200 switch.
- On EX3300 switches, the number of terms per filter cannot exceed 1436.
- On EX3200 and EX4200 switches, the number of terms per filter cannot exceed 7042.
- On EX4500 switches, the number of terms per filter cannot exceed 1536.
- On EX6200 switches, the number of terms per filter cannot exceed 1400.
- On EX8200 switches, the number of terms per filter cannot exceed 32768.
In addition, you should try to be conservative in the number of terms (rules) that you include in each firewall filter because a large number of terms requires longer processing time during a commit and also can make firewall filter testing and troubleshooting more difficult. Similarly, applying firewall filters across many switch and router interfaces can make testing and troubleshooting the rules of those filters difficult.
Before you configure and apply firewall filters, answer the following questions for each of those firewall filters:
- What is the purpose of the firewall filter?
For example, you can use a firewall filter to limit traffic to source and destination MAC addresses, specific protocols, or certain data rates or to prevent denial of service (DoS) attacks.
- What are the appropriate match conditions?
Determine the packet header fields that the packet must contain for a match. Possible fields include:
- Layer 2 header fields—Source and destination MAC addresses, dot1q tag, Ethernet type, and VLAN
- Layer 3 header fields—Source and destination IP addresses, protocols, and IP options (IP precedence, IP fragmentation flags, TTL type)
- TCP header fields—Source and destination ports and flags
- ICMP header fields—Packet type and code
- Determine the port, VLAN, or router interface on which the packet was received.
- What are the appropriate actions to take if a match occurs?
Possible actions to take if a match occurs are accept, discard, and forward to a routing instance.
- What additional action modifiers might be required?
Determine whether additional actions are required if a packet matches a match condition; for example, you can specify an action modifier to count, analyze, or police packets.
- On what interface should the firewall filter be applied?
Start with the following basic guidelines:
- If all the packets entering a port need to be exposed to filtering, then use port firewall filters.
- If all the packets that are bridged need filtering, then use VLAN firewall filters.
- If all the packets that are routed need filtering, then use router firewall filters.
Before you choose the interface on which to apply a firewall filter, understand how that placement can impact traffic flow to other interfaces. In general, apply a firewall filter that filters on source and destination IP addresses, IP protocols, or protocol information—such as ICMP message types, and TCP and UDP port numbers—nearest to the source devices. However, typically apply a firewall filter that filters only on a source IP address nearest to the destination devices. When applied too close to the source device, a firewall filter that filters only on a source IP address could potentially prevent that source device from accessing other services that are available on the network.
Note: Egress firewall filters do not affect the flow of locally generated control packets from the Routing Engine.
- In which direction should the firewall filter be applied?
You can apply firewall filters to ports on the switch to filter packets that are entering a port. You can apply firewall filters to VLANs, and Layer 3 (routed) interfaces to filter packets that are entering or exiting a VLAN or routed interface. Typically, you configure different sets of actions for traffic entering an interface than you configure for traffic exiting an interface.
Related Documentation
- EX Series
- Firewall Filters for EX Series Switches Overview
- Understanding the Use of Policers in Firewall Filters
- Understanding How Firewall Filters Are Evaluated
- Understanding Filter-Based Forwarding for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches
