Configuring Filters for inet Family Type (NSM Procedure)
You can configure firewall filters, prefix-specific actions, service filters, and simple filters for the inet family type using the options described in the following topics:
- Configuring Firewall Filter for inet Family Type (NSM Procedure)
- Configuring Prefix-specific Actions (NSM Procedure)
- Configuring Service Filters (NSM Procedure)
- Configuring Simple Filters (NSM Procedure)
Configuring Firewall Filter for inet Family Type (NSM Procedure)
You can configure a firewall filter for the inet family type.
To configure the firewall filter in NSM:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the device to select it.
- Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
- Select Filter.
- Add or modify settings as specified in Table 1.
- Click one:
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
Table 1: Firewall Filter Configuration Details

Task: Configure a firewall filter to filter IPv4 packets.
Your Action:
- Expand Inet.
- Click Filter next to Inet.
- Click Add new entry next to Filter.
- Expand Filter.
- In the Name box, enter the name that identifies the filter.
- In the Comment box, enter the comment.
- Select the Interface Specific check box to configure interface-specific names for firewall counters.

Task: Configure accounting for firewall filters.
Your Action:
- Click Accounting Profile next to Filter.
- Click Add new entry next to Accounting Profile.
- In the New accounting-profile window, enter the name to be assigned to the accounting profile.

Task: Define a firewall filter term.
Your Action:
- Click Term next to Accounting Profile.
- Click Add new entry next to Term.
- Expand Term.
- In the Name box, enter the name that identifies the term.
- In the Comment box, enter the comment for the term.
- From the Filter list, select the name that identifies the filter.
- Expand From.
- In the Comment box, enter the comment.
- Select the Is Fragment check box if the packet is a trailing fragment.
- Select the First Fragment check box if it matches the first fragment of a fragmented packet.
- In the Fragment Flags box, enter the IP fragmentation flags.
- Select the Tcp Initial check box if it matches the first TCP packet of a connection.
- Select the Tcp Established check box if it matches the TCP packets other than the first packet of a connection.
- In the Tcp Flags box, enter the TCP flags.
- From the listed protocol-independent match conditions, select the filters defined for the Inet family type. The protocol-independent match conditions are Address, Ah Spi, Destination Address, Destination Class, Destination Port, Destination Prefix List, Dscp, Esp Spi, Forwarding Class, Fragment Offset, Icmp Code, Icmp Type, Interface, Interface Group, Interface Set, Ip Options, Loss Priority, Packet Length, Port, Precedence, Prefix List, Protocol, Source Address, Source Port, Source Prefix List, and Ttl.
- Expand Then.
- In the Comment box, enter the comment for Then.
- In the Count box, enter the number of packets.
- Select the Log check box to store the header information of a packet on the Routing Engine.
- Select the Syslog check box to log an alert for the packet.
- Select the Sample check box to sample the packet traffic.
- Select the Port Mirror check box to port-mirror the packets.
- From the Loss Priority list, set the packet loss priority (PLP) to low, medium-low, medium-high, or high.
- In the Forwarding Class box, enter the packet forwarding class name.
- From the Prefix Action list, select the prefix-specific action.
- Click Accept next to Then, and select one of the following:
  - Select Accept to accept a packet.
  - Select Discard to discard a packet silently, without sending an ICMP message.
  - Select Next to evaluate the next term in the firewall filter.
  - Select Routing Instance to specify a routing table to which packets are forwarded.
  - Select IPsec Sa to specify an IP Security (IPsec) security association (SA) for the packet.
  - Select Reject to discard a packet and send an ICMP destination unreachable message.
- Click Policer next to Then, and select one of the following:
  - Select Policer to configure a new policer for each filter, and select the policer name.
  - Select three-color-policer to configure a tricolor marking policer. Then:
    - Expand Three Color Policer.
    - Click Single Rate next to Three Color Policer, and select one of the following:
      - single-rate—If the named tricolor policer is a single-rate policer.
      - two-rate—If the named tricolor policer is a two-rate policer.
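The following Junos configuration is an added illustration, not code from this page or from the NSM product, of the kind of `firewall family inet filter` that the Table 1 settings produce once NSM pushes the configuration to the device. Every name in it (the filter `protect-re`, the terms, the counters, the policers `mgmt-1m` and `web-srtcm`, the accounting profile `re-traffic`) and the address 192.0.2.0/24 are assumed values chosen for the example; the comments name the NSM check box or list that corresponds to each statement.

```junos
firewall {
    family inet {
        filter protect-re {
            /* Interface Specific check box: separate counter instances per interface */
            interface-specific;
            /* Accounting Profile: re-traffic must also exist under [edit accounting-options filter-profile] */
            accounting-profile re-traffic;
            term established-sessions {
                from {
                    protocol tcp;
                    /* Tcp Established check box: every TCP packet except the first of a connection */
                    tcp-established;
                }
                then accept;
            }
            term new-mgmt-sessions {
                from {
                    /* assumed management subnet for the example */
                    source-address 192.0.2.0/24;
                    protocol tcp;
                    destination-port [ ssh https ];
                    /* Tcp Initial check box: the first packet of a TCP connection */
                    tcp-initial;
                }
                then {
                    /* Policer: rate-limit new management sessions with the policer defined below */
                    policer mgmt-1m;
                    count new-mgmt;
                    accept;
                }
            }
            term fragments {
                from {
                    /* Is Fragment check box: trailing fragments, which carry no transport header */
                    is-fragment;
                }
                then {
                    count fragments;
                    /* Log keeps packet headers on the Routing Engine; Syslog writes a system log entry */
                    log;
                    syslog;
                    /* Discard drops silently; Reject would also send an ICMP destination unreachable */
                    discard;
                }
            }
            term web-tricolor {
                from {
                    protocol tcp;
                    destination-port http;
                }
                then {
                    /* Three Color Policer > Single Rate, referencing the tricolor policer defined below */
                    three-color-policer {
                        single-rate web-srtcm;
                    }
                    accept;
                }
            }
            term everything-else {
                then {
                    count rejected;
                    reject;
                }
            }
        }
    }
    policer mgmt-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    three-color-policer web-srtcm {
        single-rate {
            color-blind;
            committed-information-rate 2m;
            committed-burst-size 50k;
            excess-burst-size 100k;
        }
    }
}
```

A filter only takes effect when it is applied to an interface, for example to the loopback interface with `set interfaces lo0 unit 0 family inet filter input protect-re`. Because the final term rejects everything that earlier terms did not accept, terms for the routing-protocol and management traffic the device depends on must come before it; the `count` modifiers on each term let you confirm with `show firewall` what is being accepted and dropped before trusting the filter.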
Configuring Prefix-specific Actions (NSM Procedure)
Prefix-specific actions allow you to configure policers and
counters for specific addresses or ranges of addresses. This allows
you to essentially create policers and counters on a per-prefix level.
To configure the prefix-specific actions in NSM:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the device to select it.
- Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
- Click Prefix Action.
- Add or modify settings as specified in Table 2.
- Click one:
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
Table 2: Prefix Actions Details

Task: Configure prefix-specific actions.
Your Action:
- Click Prefix Action next to Inet.
- In the Name box, enter the action name.
- From the Policer list, select the actions to be taken.
- Select the Count check box to include count as the action modifier.
- Select the Filter Specific check box to configure a policer to act as a filter-specific policer.
- From the Subnet Prefix Length list, select the subnet prefix length. Range: 0 to 32.
- Click Source Prefix Length next to prefix-action, and select one of the following:
  - Select source-prefix-length to configure the source address range specified for a prefix-specific policer or counter, and select the source prefix length.
  - Select destination-prefix-length to configure the destination address range specified for a prefix-specific policer or counter, and select the destination prefix length.
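As an added example (not taken from the page or from NSM), this is the Junos `prefix-action` stanza that the Table 2 settings correspond to, together with the filter term that invokes it through the Prefix Action list described in Table 1. The names `police-each-host`, `512k-per-host` and `limit-hosts` and the prefix 198.51.100.0/24 are assumed values for the example.

```junos
firewall {
    policer 512k-per-host {
        if-exceeding {
            bandwidth-limit 512k;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        prefix-action police-each-host {
            /* Policer list: the policer each matched prefix is rate-limited by */
            policer 512k-per-host;
            /* Count check box: keep a counter per prefix as well */
            count;
            /* Filter Specific check box */
            filter-specific;
            /* Subnet Prefix Length: the address range the action covers */
            subnet-prefix-length 24;
            /* Source Prefix Length: one policer and counter instance per /32 source address */
            source-prefix-length 32;
        }
        filter limit-hosts {
            term per-host {
                from {
                    /* must fall within the subnet the prefix-action covers */
                    source-address 198.51.100.0/24;
                }
                then {
                    /* Prefix Action list in the term's Then section (Table 1) */
                    prefix-action police-each-host;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

With `subnet-prefix-length 24` and `source-prefix-length 32`, each of the 256 host addresses in the matched /24 gets its own 512k policer and its own counter, which is what "policers and counters on a per-prefix level" means in practice: one noisy host is limited without affecting its neighbours, and `show firewall prefix-action-stats` shows which hosts are hitting the limit. A term whose Then section contains only the prefix-action modifier accepts the packet after applying it.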
Configuring Service Filters (NSM Procedure)
A service filter identifies packets on which one or more
services are to be applied, and which PIC performs the service.
To configure the service filters for inet in NSM:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the device to select it.
- Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
- Click Service Filter.
- Add or modify settings as specified in Table 3.
- Click one:
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
Table 3: Service Filter Configuration Details

Task: Configure a service filter.
Your Action:
- Click Service Filter next to Inet.
- Click Add new entry next to Service Filter.
- Expand service-filter.
- In the Name box, enter the name that identifies the service filter.

Task: Define a service filter term.
Your Action:
- Click Term next to service-filter.
- Click Add new entry next to Term.
- Expand Term.
- In the Name box, enter the name that identifies the term.
- In the Comment box, enter the comment for the term.
- Expand From.
- In the Comment box, enter the comment.
- Select the Is Fragment check box if the packet is a trailing fragment.
- Select the First Fragment check box if it matches the first fragment of a fragmented packet.
- In the Fragment Flags box, enter the IP fragmentation flags.
- From the listed protocol-independent match conditions, select the filters defined for the Inet family type. The protocol-independent match conditions are Address, Ah Spi, Destination Address, Destination Port, Destination Prefix List, Esp Spi, Fragment Offset, Interface Group, Ip Options, Loss Priority, Port, Prefix List, Protocol, Source Address, Source Port, and Source Prefix List.
- Click Then next to From.
- In the Comment box, enter the comment for Then.
- In the Count box, enter the number of packets.
- Select the Log check box to store the header information of a packet on the Routing Engine.
- Select the Sample check box to sample the packet traffic.
- Select the Port Mirror check box to port-mirror the packets.
- Select Service to direct packets to the stateful-firewall service.
- Select Skip to let packets bypass the stateful-firewall service.
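As an added example, not code from this page or from NSM, this is the Junos `service-filter` that the Table 3 steps produce, showing both terminating actions (`service` for the Service option and `skip` for the Skip option) and how the filter is attached to an interface so that only the selected packets reach the services PIC. The names `nat-candidates`, `nat-set` and `ge-0/0/0` and the prefix 10.0.0.0/8 are assumed; the service set `nat-set` is assumed to be defined separately under `[edit services service-set]` and is not shown.

```junos
firewall {
    family inet {
        service-filter nat-candidates {
            term inside-hosts {
                from {
                    /* assumed internal range that should be processed by the service PIC */
                    source-address 10.0.0.0/8;
                }
                /* Then > Service: hand these packets to the service set */
                then service;
            }
            term bypass {
                /* Then > Skip: everything else bypasses the stateful-firewall service */
                then skip;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                service {
                    input {
                        /* the service filter decides which packets enter the service set */
                        service-set nat-set service-filter nat-candidates;
                    }
                    output {
                        service-set nat-set;
                    }
                }
            }
        }
    }
}
```

Because `skip` is terminating, a packet that matches the bypass term is forwarded normally without visiting the service set; packets that match no term at all are discarded by a service filter, so a final catch-all term like `bypass` is what keeps unrelated traffic flowing.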
Configuring Simple Filters (NSM Procedure)
Simple filters are used to support Ethernet IQ2 PICs. A simple filter is a subset of a firewall filter with the following limitations:
- The next-term action is not supported.
- The except and protocol-except match conditions are not supported.
- Noncontiguous masks are not supported.
- Only one source-address and one destination-address prefix are allowed for each filter term.
To configure the simple filters for inet in NSM:
- In the NSM navigation tree, select Device Manager > Devices.
- Click the Device Tree tab, and then double-click the device to select it.
- Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
- Select Simple Filters.
- Add or modify settings as specified in Table 4.
- Click one:
  - OK—Saves the changes.
  - Cancel—Cancels the modifications.
Table 4: Simple Filter Details

Task: Configure a simple filter.
Your Action:
- Click Simple Filter next to Inet.
- Click Add new entry next to Simple Filter.
- In the Name box, enter the name that identifies the simple filter.

Task: Define a term.
Your Action:
- Click Term next to simple-filter.
- Click Add new entry next to Term.
- Expand Term.
- In the Name box, enter the name that identifies the term.
- In the Comment box, enter the comment.
- Expand From.
- From the listed protocol-independent match conditions, select the filters defined for the Inet family type. The protocol-independent match conditions are Destination Address, Destination Port, Forwarding Class, Protocol, Source Address, and Source Port.
- Click Then next to From.
- In the Comment box, enter the comment.
- From the Loss Priority list, select the packet loss priority (PLP) level: low, medium-low, medium-high, or high.
- In the Forwarding Class box, enter the packet forwarding class name.
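The following is an added example (not from this page or from NSM) of a Junos `simple-filter` built within the limitations listed above: each term carries at most one source-address prefix, uses only the match conditions in Table 4, and ends with the two actions a simple filter supports (`forwarding-class` and `loss-priority`). The filter name `classify-voip`, the term names, the interface `ge-1/0/0` and the prefix 10.20.0.0/16 are assumed values; `expedited-forwarding` and `best-effort` are the default Junos forwarding-class names.

```junos
firewall {
    family inet {
        simple-filter classify-voip {
            term voip-signaling {
                from {
                    /* one source-address prefix per term; no except, no noncontiguous mask */
                    source-address 10.20.0.0/16;
                    protocol udp;
                    destination-port 5060;
                }
                then {
                    /* Forwarding Class box and Loss Priority list from Table 4 */
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                }
            }
            term bulk-transfer {
                from {
                    protocol tcp;
                    destination-port 21;
                }
                then {
                    forwarding-class best-effort;
                    loss-priority high;
                }
            }
        }
    }
}
interfaces {
    ge-1/0/0 {
        unit 0 {
            family inet {
                /* simple filters are applied in the input direction only */
                simple-filter {
                    input classify-voip;
                }
            }
        }
    }
}
```

A simple filter classifies packets rather than accepting or dropping them, so packets that match no term are still forwarded with their default forwarding class and loss priority. If you need `next term`, `except` matches or several prefixes in one term, the device needs a regular firewall filter (Table 1) instead, and NSM will not let you express those settings under Simple Filter.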
Published: 2009-08-23