When you define a firewall filter for an EX Series switch, you define filtering criteria (terms, with match conditions) for the packets and an action (action, or action modifier) for the switch to take if the packets match the filtering criteria. You can define a firewall filter to monitor IPv4, IPv6, or non-IP traffic.
This topic describes in detail the various match conditions, actions, and action modifiers that you can define in a firewall filter. For information on support for match conditions on various EX Series switches, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.
A firewall filter configuration contains a term, a match condition, an action, and, optionally, an action modifier. Table 1 describes each element in a firewall filter configuration.
Table 1: Elements of a Firewall Filter Configuration
Element | Description |
|---|---|
term | Defines the filtering criteria for the packets. Each term in the firewall filter consists of match conditions and an action. You can define a single or multiple terms in the firewall filter. If you define multiple terms, each term must have a unique name. |
match condition | Consists of a string (called a match statement) that defines the values or fields a packet must contain in order to match. You can define one, several, or no match conditions. If no match conditions are specified for the term, all packets are matched by default. |
action | Specifies the action that the switch takes if a packet matches all the criteria specified in the match conditions. |
action modifier | Specifies one or more actions that the switch takes if a packet matches the match conditions for the specific term. |
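The four elements in Table 1 map directly onto the stanzas of a filter. The following configuration is an added example (not taken from this page or from Juniper's documentation) that shows one filter with two terms; the filter, term and counter names and the address 192.0.2.0/24 are constructed for illustration, and the family inet (router filter) hierarchy is assumed.

```junos
firewall {
    family inet {
        filter mgmt-access {
            /* term: a named block of match conditions plus an action */
            term permit-ssh-from-mgmt {
                from {
                    /* match conditions: a packet must satisfy all of them */
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    /* action modifier: count packets that hit this term */
                    count ssh-from-mgmt;
                    /* action */
                    accept;
                }
            }
            /* No 'from' block: a term with no match conditions matches every packet */
            term deny-rest {
                then {
                    /* action modifier */
                    count denied-packets;
                    /* action */
                    discard;
                }
            }
        }
    }
}
```

Terms are evaluated in the order they appear, and the first term whose match conditions are all satisfied decides what happens to the packet, so the catch-all term belongs last. The counters attached as action modifiers let you confirm with show firewall filter mgmt-access that traffic is hitting the term you expect before you rely on the filter.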
Based on the type of traffic that you want to monitor, you can configure a firewall filter to monitor IPv4, IPv6, or non-IP traffic. When you configure a firewall filter to monitor a type of traffic, ensure that you specify match conditions that are supported for that particular type of traffic. For information on match conditions supported for a specific type of traffic and switches on which they are supported, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.
Table 2 describes all the match conditions that are supported for firewall filters on switches.
Table 2: Firewall Filter Match Conditions Supported on Switches
Match Condition | Description |
|---|---|
destination-address ip-address | IP destination address field, which is the address of the final destination node. |
destination-mac-address mac-address | Destination media access control (MAC) address of the packet. You can define a destination MAC address with a prefix, such as destination-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used. |
destination-port number | TCP or User Datagram Protocol (UDP) destination port field. Typically, you specify this match condition in conjunction with the protocol match statement to determine which protocol is used on the port. For number, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104) |
destination-prefix-list prefix-list | IP destination prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. You make this definition at the [edit policy-options] hierarchy level. |
dot1q-tag number | The tag field in the Ethernet header. The tag values can be 1 through 4095. The dot1q-tag match condition and the vlan match condition are mutually exclusive. |
dot1q-user-priority number | User-priority field of the tagged Ethernet packet. User-priority values can be 0–7. For number, you can specify one of the following text synonyms (the field values are also listed): |
dscp number | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. For number, you can specify one of the following text synonyms (the field values are also listed): |
ether-type (aarp | appletalk | arp | ipv4 | ipv6 | mpls-multicast | mpls-unicast | oam | ppp | pppoe-discovery | pppoe-session | sna | value) | Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. For value, you can specify one of the text synonyms shown in the syntax column. Note: The following match conditions are not supported when ether-type is set to ipv6: |
fragment-flags fragment-flags | IP fragmentation flags, specified in symbolic or hexadecimal formats. You can specify one of the following options: dont-fragment (0x4000), more-fragments (0x2000), or reserved (0x8000) |
icmp-code number | ICMP code field. This value or option provides more specific information than icmp-type. Because the value's meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For number, you can specify one of the following text synonyms (the field values are also listed). The options are grouped by the ICMP type with which they are associated: |
icmp-type number | ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match statement to determine which protocol is being used on the port. For number, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3) |
interface interface-name | Interface on which the packet is received. You can specify the wildcard character (*) as part of an interface name. Note: The interface match condition is not supported on an EX8200 Virtual Chassis for egress traffic. |
ip-options | Presence of the options field in the IP header. |
ip-version version [match-condition(s)] | Version of the IP protocol for port and VLAN firewall filters. The value for version can be ipv4 or ipv6. For match-condition(s), you can specify one or more of the following match conditions: |
is-fragment | Matches if the packet is a trailing fragment. This match condition does not match the first fragment of a fragmented packet; use two terms to match both the first and the trailing fragments. |
l2-encap-type llc-non-snap | Match on logical link control (LLC) layer packets for non-Subnet Access Protocol (SNAP) Ethernet Encapsulation type. |
next-header bytes | 8-bit protocol field that identifies the type of header immediately following the IPv6 header. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (1), igmp (2), ipip (4), ipv6 (41), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112). |
packet-length bytes | Length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. |
precedence precedence | IP precedence. For precedence, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (5), flash (3), flash-override (4), immediate (2), internet-control (6), net-control (7), priority (1), or routine (0). |
protocol protocol | IPv4 protocol field. For protocol, you can specify one of the following text synonyms (the field values are also listed): egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103), rsvp (46), tcp (6), udp (17) |
source-address ip-address | IP source address field, which is the address of the source node sending the packet. For IPv6, the source-address field is 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses that are described in RFC 2373, IP Version 6 Addressing Architecture. |
source-mac-address mac-address | Source MAC address. You can define a source MAC address with a prefix, such as source-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used. |
source-port number | TCP or UDP source-port field. Typically, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For number, you can specify one of the text synonyms listed under destination-port. |
source-prefix-list prefix-list | IP source prefix list field. You can define a list of IP address prefixes under a prefix-list alias for frequent use. You make this definition at the [edit policy-options] hierarchy level. |
tcp-established | TCP packets of an established TCP connection. This condition matches packets other than the first packet of a connection. tcp-established is a synonym for the bit names "(ack|rst)". tcp-established does not implicitly check whether the protocol is TCP. To do so, specify the next-header tcp match condition. |
tcp-flags (flags tcp-initial) | One or more TCP flags. To specify multiple flags, combine them with logical operators: |
tcp-initial | Match the first TCP packet of a connection. tcp-initial is a synonym for the bit names "(syn&!ack)". tcp-initial does not implicitly check whether the protocol is TCP. To do so, specify the protocol tcp match condition. |
traffic-class number | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): |
ttl value | Time-to-live (TTL) value of the packet to match. The value can be 1–255. |
vlan (vlan-name | vlan-id) | The VLAN that is associated with the packet. For vlan-id, you can either specify the VLAN ID or a VLAN range. The vlan match condition and the dot1q-tag match condition are mutually exclusive. |
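Several rows in Table 2 carry caveats that are easy to get wrong in a live filter: is-fragment needs a companion term for first fragments, tcp-established and tcp-initial do not check the protocol on their own, prefix lists live under [edit policy-options], and vlan and dot1q-tag cannot share a term. The configuration below is an added example (not from this page or from Juniper's documentation) that puts each of those points into a term; all names, the addresses 192.0.2.10/32 and 198.51.100.0/24, the VLAN voice-vlan and the MAC address 00:00:5e:00:53:01 are constructed, and the stanza layout assumes the family inet and family ethernet-switching hierarchies of the platform you are configuring.

```junos
policy-options {
    /* Prefix lists referenced by source-prefix-list and destination-prefix-list
       are defined here, at [edit policy-options], not inside the filter. */
    prefix-list trusted-hosts {
        192.0.2.10/32;
        198.51.100.0/24;
    }
}
firewall {
    family inet {
        filter l3-match-examples {
            /* is-fragment matches only trailing fragments (fragment offset > 0),
               so the first fragment of the same datagram needs its own term. */
            term drop-trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    count frag-trailing;
                    discard;
                }
            }
            /* After the term above, the only packets still carrying the
               more-fragments flag are first fragments. */
            term drop-first-fragments {
                from {
                    fragment-flags more-fragments;
                }
                then {
                    count frag-first;
                    discard;
                }
            }
            /* tcp-established tests only the ACK/RST bits, not the protocol,
               so pair it with protocol tcp to keep UDP and ICMP from matching. */
            term permit-established-tcp {
                from {
                    source-prefix-list {
                        trusted-hosts;
                    }
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* New connections: only SSH from the trusted list. tcp-initial is
               SYN-without-ACK and likewise needs protocol tcp alongside it. */
            term permit-new-ssh {
                from {
                    source-prefix-list {
                        trusted-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                    tcp-initial;
                }
                then accept;
            }
            term deny-rest {
                then discard;
            }
        }
    }
    family ethernet-switching {
        filter l2-match-examples {
            /* vlan and dot1q-tag are mutually exclusive: use one of them per term. */
            term ipv4-on-voice-vlan {
                from {
                    vlan voice-vlan;
                    ether-type ipv4;
                }
                then accept;
            }
            /* A /48 prefix matches exactly one MAC address; a shorter prefix
               such as /24 would match every address in that OUI. */
            term arp-from-known-mac {
                from {
                    source-mac-address 00:00:5e:00:53:01/48;
                    ether-type arp;
                }
                then accept;
            }
            term deny-rest {
                then discard;
            }
        }
    }
}
```

The two fragment terms rely on term order: the is-fragment term removes trailing fragments first, so the fragment-flags more-fragments term that follows sees only first fragments. Checking the counters on both terms is the quickest way to confirm that fragmented traffic is being classified the way you intend.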
You can define an action for the switch to take if a packet matches the filtering criteria defined in a match condition. Table 3 describes the actions supported in a firewall filter configuration.
Table 3: Actions for Firewall Filters
Action | Description |
|---|---|
accept | Accept a packet. |
discard | Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. |
reject message-type | Discard a packet and send an ICMPv4 destination unreachable message (type 3). You can log the rejected packets if you configure the syslog action modifier. You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset. If you specify tcp-reset, a TCP reset is returned if the packet is a TCP packet; otherwise, nothing is returned. If you do not specify a message type, the ICMP destination unreachable notification is sent with the default message, communication administratively filtered. |
routing-instance routing-instance-name | Forward matched packets to a virtual routing instance. Note: EX4200 switches do not support firewall-filter-based redirection to the default routing instance. |
vlan vlan-name | Forward matched packets to a specific VLAN. Ensure that you specify the VLAN name or VLAN ID and not a VLAN range, because the vlan action does not support the vlan-range option. Note: If you have defined a VLAN that is enabled for dot1q tunneling, then that particular VLAN is not supported as an action (using the vlan vlan-name action) for an ingress VLAN firewall filter. |
In addition to the actions described in Table 3, you can define action modifiers that a switch can perform if packets match the filtering criteria defined in the match condition. Table 4 describes the action modifiers supported in a firewall filter configuration.
Table 4: Action Modifiers for Firewall Filters
Action Modifier | Description |
|---|---|
analyzer analyzer-name | Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. Mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port. The analyzer name must be configured under [edit ethernet-switching-options analyzer]. Note: analyzer is not a supported action modifier for a management interface. On EX4500 switches, you can configure only one analyzer and include it in a firewall filter. If you configure multiple analyzers, you cannot include any one of those analyzers in a firewall filter. |
count counter-name | Count the number of packets that pass this filter, term, or policer. |
forwarding-class class | Classify the packet in one of the following forwarding classes: |
interface interface-name | Forward the traffic to the specified interface, bypassing the switching lookup. |
log | Log the packet's header information in the Routing Engine. To view this information, issue the show firewall log command in the CLI. Note: If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected. |
loss-priority (high | low) | Set the packet loss priority (PLP). |
policer policer-name | Apply rate limits to the traffic. You can specify a policer in a firewall filter only for ingress traffic on a port, VLAN, and router. Note: A counter for a policer is not supported on EX8200 switches. |
syslog | Log an alert for this packet. You can specify that the log be sent to a server for storage and analysis. Note: If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected. |
three-color-policer | Apply a three-color policer. |
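Actions (Table 3) and action modifiers (Table 4) are combined inside a term's then block, and two of the modifiers (policer and analyzer) reference objects that must be configured elsewhere first. The configuration below is an added example (not from this page or from Juniper's documentation) that exercises reject tcp-reset with syslog, a policer, log, and an analyzer together with forwarding-class and loss-priority; the filter, term, counter, policer and analyzer names, the rate-limit values and the interface ge-0/0/47.0 are constructed, and it assumes that the analyzer modifier is used in a family ethernet-switching filter and the other actions in a family inet filter on the platform being configured.

```junos
ethernet-switching-options {
    /* The analyzer named in the filter must exist under this hierarchy;
       this one copies matched packets out of ge-0/0/47 to a capture host. */
    analyzer ssh-mirror {
        output {
            interface ge-0/0/47.0;
        }
    }
}
firewall {
    /* A policer is defined once and then referenced by name from any term. */
    policer limit-icmp {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter action-examples {
            /* reject tcp-reset: TCP packets get a RST back, anything else that
               reaches this term gets no reply; syslog records each rejected packet. */
            term reject-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-rejected;
                    syslog;
                    reject tcp-reset;
                }
            }
            /* Rate-limit ICMP instead of dropping it outright. */
            term police-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-icmp;
                    accept;
                }
            }
            /* log keeps header information on the Routing Engine (show firewall log). */
            term deny-rest {
                then {
                    log;
                    discard;
                }
            }
        }
    }
    family ethernet-switching {
        filter ssh-mirror-and-classify {
            /* Accept SSH, copy it to the analyzer, and place it in the
               expedited-forwarding class with low loss priority. */
            term ssh-to-analyzer {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    analyzer ssh-mirror;
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    count ssh-mirrored;
                    accept;
                }
            }
            term permit-rest {
                then accept;
            }
        }
    }
}
```

The count modifier appears on most terms on purpose: when a reject or policer term shows an unexpected hit rate, the counters tell you whether the match conditions are too broad before you look at the syslog or show firewall log output. Keep in mind the Table 4 note that log and syslog may not record events when they are combined with a vlan action or an interface action modifier in the same term.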