Configuring Access Control Lists
A stateless firewall filter, also known as an access control list (ACL), is a long-standing Junos feature used to define stateless packet filtering and quality of service (QoS). You can configure firewall filters to protect Ethernet switch from malicious traffic. For example, you can use the filters to restrict the local packets that pass from the switch’s physical interfaces to the Routing Engine. Such filters are useful in protecting the IP services that run on the Routing Engine, such as SSH, from denial-of-service attacks.
To protect against DoS attacks such as SegmentStack, ACLs can be used to prevent untrusted hosts from establishing TCP connections with the MX/EX. SegmentStack requires an established connection to exist before the attack can be launched.
To configure ACLs, use the rpf-check statement, which can be included at the following hierarchy levels:
[edit interfaces interface-name unit logical-unit-number family (inet | inet6)]
[edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family (inet | inet6)]