Technical Documentation
Related Documentation
- EX Series
- Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches
- Support for Match Conditions and Actions for Loopback Firewall Filters on Switches
- Understanding Firewall Filter Match Conditions
- Firewall Filter Configuration Statements Supported by Junos OS for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches
Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches
After you define a firewall filter on a switch, you must associate the filter to a bind point so that the filter can filter the packets that enter or exist the bind point. Ports (Layer 2), VLANs, and Layer 3 interfaces are different bind points on which you can apply a firewall filter on a switch. While a port firewall filter applies to Layer 2 interfaces, a VLAN firewall filter applies to packets that enter or leave a VLAN and also to packets that are bridged within a VLAN. A Layer 3 firewall filter applies to Layer 3 (routed) interfaces and routed VLAN interfaces (RVIs).
 | Note: If you want to control the traffic that enters the Routing Engine of the switch, you must configure a firewall filter on the loopback interface (lo0) of the switch. For information on match conditions, actions, and action modifiers supported on the loopback (lo0) interface of a switch, see Support for Match Conditions and Actions for Loopback Firewall Filters on Switches. |
This topic describes in detail the supported switch platforms and bind points for match conditions, actions, and action modifiers in firewall filters on the switches. For descriptions of those match conditions, actions, and action modifiers, see Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches.
This topic describes:
- Firewall Filter Types and Their Bind Points
- Support for IPv4 and IPv6 Firewall Filters Per Switch
- Platform Support for Match Conditions for IPv4 Traffic
- Platform Support for Match Conditions for IPv6 Traffic
- Platform Support for Match Conditions for Non-IP Traffic
- Platform Support for Actions for IPv4 Traffic
- Platform Support for Actions for IPv6 Traffic
- Platform Support for Action Modifiers for IPv4 Traffic
- Platform Support for Action Modifiers for IPv6 Traffic
Firewall Filter Types and Their Bind Points
You can apply a firewall filter at specific bind points to filter IPv4, IPv6, or non-IP traffic. See the remaining sections in this topic for information about support on individual switch platforms for different traffic types.
Table 1 lists the firewall filter types and their associated bind points that are supported on the switches.
Table 1: Bind Points Associated With Firewall Filter Types
Bind Points | Firewall Filter Type |
|---|---|
Ports (These are Layer 2 interfaces.) | Port firewall filter |
VLANs | VLAN firewall filter |
Layer 3 interfaces (These are Layer 3 (routed) interfaces or routed VLAN interfaces (RVIs).) | Router firewall filter |
Support for IPv4 and IPv6 Firewall Filters Per Switch
You can apply a port, VLAN, or router firewall filter to filter IPv4 traffic on all EX Series switches. You can apply these firewall filters to filter IPv6 traffic on all EX Series switches except EX2200, EX3300, EX4500, and EX6200 switches.
Table 2 summarizes the support for IPv4 and IPv6 firewall filters on different switches.
Table 2: Support for IPv4 and IPv6 Firewall Filters on Switches
Switch | Support for IPv4 Firewall Filter | Support for IPv6 Firewall Filter |
|---|---|---|
EX2200 | Yes | No |
EX3200 and EX4200 | Yes | Yes |
EX3300 | Yes | No |
EX4500 | Yes | Yes |
EX6200 | Yes | No |
EX8200 | Yes | Yes |
Platform Support for Match Conditions for IPv4 Traffic
When you configure a firewall filter, you can define a term specifically for IPv4 or IPv6 traffic.
To configure a term in a firewall filter configuration specifically for IPv4 traffic:
- Perform one of these tasks:
- Define ether-type ipv4 in a term in the configuration.
- Define ip-version ipv4 in a term in the configuration.
- Define both ether-type ipv4 and ip-version ipv4 in a term in the configuration.
- Verify that neither ether-type or ip-version is specified in a term in the configuration—By default, a configuration that does not contain either ether-type or ip-version in a term applies to IPv4 traffic.
For all preceding tasks—Do not include either ether-type ipv6 or ip-version ipv6 in the term configuration. If you include them, the term applies to IPv6 traffic.
- Ensure that other match conditions in the term are valid for IPv4 traffic.
To configure a firewall filter for both IPv4 and IPv6 traffic, you must include two separate terms, one for IPv4 traffic and the other for IPv6 traffic.
You can define port, VLAN, and router firewall filters for ingress and egress IPv4 traffic on all EX Series switches. Table 3 summarizes support for match conditions on different bind points for ingress and egress IPv4 traffic.
Table 3: Firewall Filter Match Conditions Supported for IPv4 Traffic on Switches
Match Condition | Switch | Supported Bind Points | |
|---|---|---|---|
Ingress | Egress | ||
destination-address ip-address | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
destination-mac-address mac-address | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
destination-port number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
destination-prefix-list prefix-list | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
dot1q-tag number | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Not supported | |
dot1q-user-priority number | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
dscp number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ether-type (aarp | appletalk | arp | ipv4 | ipv6 | mpls-multicast | mpls-unicast | oam | ppp | pppoe-discovery | pppoe-session | sna |value) | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Not supported | |
fragment-flags fragment-flags | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
icmp-code number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
icmp-type number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
interface interface-name | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ip-options | EX2200 | Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and VLANs | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports and VLANs | |
EX4500 | Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Layer 3 interfaces | Not supported | |
ip-version version [match_condition(s) ] | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
is-fragment | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
precedence precedence | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
protocol list of protocols | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-address | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-mac-address mac-address | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
source-port number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-prefix-list prefix-list | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-established | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-flags (flags tcp-initial) | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-initial | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ttl value | EX2200 | Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Layer 3 interfaces | Not supported | |
EX6200 | Layer 3 interfaces | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
vlan (vlan-name | vlan-id) | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
Platform Support for Match Conditions for IPv6 Traffic
When you configure a firewall filter, you can define a term specifically for IPv4 or IPv6 traffic.
To configure a term in a port or VLAN firewall filter configuration specifically for IPv6 traffic:
- Perform these tasks:
- For EX3200 and EX4200 switches—Define ether-type ipv6 in a term in the firewall filter configuration.
- For EX8200 switches—Define ether-type ipv6 or ip-version ipv6 in a term or define both ether-type ipv6 and ip-version ipv6 in a term in the firewall filter configuration.
- Ensure that other match conditions in the term are valid for IPv6 traffic.
If the term contains the match condition ether-type ipv6 or ip-version ipv6, with no other IPv6 match condition specified, all IPv6 traffic is matched. To configure a firewall filter for both IPv4 and IPv6 traffic, you must include two separate terms, one for IPv4 traffic and the other for IPv6 traffic.
You can define port, VLAN, and router firewall filters for ingress and egress IPv6 traffic on EX3200, EX4200, and EX8200 switches, and router firewall filters for ingress and egress IPv6 traffic on EX4500 switches. Table 4 summarizes support for match conditions on different bind points for ingress and egress IPv6 traffic.
Table 4: Firewall Filter Match Conditions Supported For IPv6 Traffic on Switches
Match Condition | Switch | Supported Bind Points | |
|---|---|---|---|
Ingress | Egress | ||
destination-address ip-address | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Layer 3 interfaces | |
destination-mac-address mac-address | EX3200 and EX4200 | Ports and VLANs | Ports and VLANs |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
destination-port number | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
destination-prefix-list prefix-list | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
dot1q-tag number | EX3200 and EX4200 | Ports and VLANs | Ports and VLANs |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Not supported | |
dot1q-user-priority number | EX3200 and EX4200 | Ports and VLANs | Ports and VLANs |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
ether-type (ipv6)value | EX3200 and EX4200 | Ports and VLANs | Ports and VLANs |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs. | |
icmp-code number | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
icmp-type number | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
interface interface-name | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ip-version version [ match_condition(s) ] | EX3200 and EX4200 | Not supported | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
next-header bytes | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
packet-length bytes | EX3200 and EX4200 | Not supported | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
source-address | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-mac-address mac-address | EX3200 and EX4200 | Ports and VLANs | Ports and VLANs |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
source-port number | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-prefix-list prefix-list | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-established | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-flags (flags tcp-initial) | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-initial | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
traffic-class number | EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
vlan (vlan-id | vlan-name) | EX3200 and EX4200 | Ports and VLANs | Ports and VLANs |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Not supported | |
Platform Support for Match Conditions for Non-IP Traffic
You can define port, VLAN, and router firewall filters for ingress and egress non-IP traffic on all EX Series switches. Table 5 summarizes support for match conditions on different bind points for ingress and egress non-IP traffic.
Table 5: Firewall Filter Match Condition Supported For Non-IP Traffic on Switches
Match Condition | Switch | Supported Bind Points | |
|---|---|---|---|
Ingress | Egress | ||
l2-encap-type llc-non-snap | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
Platform Support for Actions for IPv4 Traffic
Table 6 summarizes the support for actions on different bind points for ingress and egress IPv4 traffic. You can define actions listed in Table 6 in a port, VLAN, and router firewall filter for ingress and egress IPv4 traffic on all EX Series switches.
Table 6: Firewall Filter Actions Supported For IPv4 Traffic on Switches
Action | Switch | Supported Bind Points | |
|---|---|---|---|
Ingress | Egress | ||
accept | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
discard | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
reject message-type | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Not supported | Not supported | |
EX6200 | Layer 3 interfaces | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
routing-instance routing-instance-name | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX6200 | Layer 3 interfaces | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
vlan vlan-name | EX2200 | Ports and VLANs | Not supported |
EX3200 and EX4200 | Ports and VLANs | Not supported | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs Note: Supported only when used in conjunction with the interface action modifier. On EX8200 Virtual Chassis, the vlan action is supported only for VLANs. | Not supported | |
Platform Support for Actions for IPv6 Traffic
Table 7 summarizes support for actions on different bind points for ingress and egress IPv6 traffic. You can define actions listed in Table 7 in a port, VLAN, and router firewall filter for ingress and egress IPv6 traffic on EX3200, EX4200, and EX8200 switches.
Table 7: Firewall Filter Actions Supported For IPv6 Traffic on Switches
Action | Switch | Supported Bind Points | |
|---|---|---|---|
Ingress | Egress | ||
accept | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
discard | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
reject message-type | EX3200 and EX4200 | Layer 3 interfaces | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
routing-instance routing-instance-name | EX3200 and EX4200 | Layer 3 interfaces | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
vlan vlan-name | EX3200 and EX4200 | Ports and VLANs | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs Note: Supported only when used in conjunction with the interface action modifier. On EX8200 Virtual Chassis, the vlan action is supported only for VLANs. | Not supported | |
Platform Support for Action Modifiers for IPv4 Traffic
Table 8 summarizes support for action modifiers on different bind points for ingress and egress IPv4 traffic. You can define action modifiers listed in Table 8 in a port, VLAN, and router firewall filter for ingress and egress IPv4 traffic on all EX Series switches.
Table 8: Firewall Filter Action Modifiers Supported For IPv4 Traffic on Switches
Action Modifier | Switch | Supported Bind Points | |
|---|---|---|---|
Ingress | Egress | ||
analyzer | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
count | EX2200 | VLANs | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
forwarding-class class | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
interface interface-name | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Ports and VLANs | Not supported | |
EX6200 | Ports and VLANs | Not supported | |
EX8200 | Ports and VLANs Note: On EX8200 Virtual Chassis, the interface action modifier is supported only for VLANs. | Not supported | |
log | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
loss-priority (high | low) | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
policer policer-name | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
syslog | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
three-color-policer | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Not supported | Not supported | |
Platform Support for Action Modifiers for IPv6 Traffic
Table 9 summarizes support for action modifiers on different bind points for ingress and egress IPv6 traffic. You can define action modifiers listed in Table 9 in a port, VLAN, and router firewall filter for ingress and egress IPv6 traffic on EX3200, EX4200, and EX8200 switches.
Table 9: Firewall Filter Action Modifiers Supported For IPv6 Traffic on Switches
Action Modifier | Switch | Supported Bind Points | |
|---|---|---|---|
Ingress | Egress | ||
analyzer | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
count | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
forwarding-class class | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
interface interface-name | EX3200 and EX4200 | Ports and VLANs | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs Note: On EX8200 Virtual Chassis, the interface action modifier is supported only for VLANs. | Not supported | |
log | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
loss-priority (high | low) | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
policer policer-name | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
syslog | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
three-color-policer | EX3200 and EX4200 | Not Supported | Not Supported |
EX4500 | Not supported | Not supported | |
EX8200 | Not Supported | Not Supported | |
Related Documentation
- EX Series
- Descriptions of Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches
- Support for Match Conditions and Actions for Loopback Firewall Filters on Switches
- Understanding Firewall Filter Match Conditions
- Firewall Filter Configuration Statements Supported by Junos OS for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches
