Overview of Firewall Filter Match Conditions and Actions on ACX Series Routers

 

Table 1 describes the types of traffic for which you can configure standard stateless firewall filters.

Table 1: Standard Firewall Filter Match Conditions by Protocol Family for ACX Series Routers

| Traffic Type | Hierarchy Level at Which Match Conditions Are Specified |
| --- | --- |
| Protocol-independent | [edit firewall family any filter filter-name term term-name]<br>No match conditions are supported for this traffic type on ACX Series routers. |
| IPv4 | [edit firewall family inet filter filter-name term term-name]<br>For the complete list of match conditions, see Match Conditions for IPv4 Traffic (ACX Series Routers). |
| MPLS | [edit firewall family mpls filter filter-name term term-name]<br>For the complete list of match conditions, see Match Conditions for MPLS Traffic (ACX Series Routers). |
| Layer 2 CCC | [edit firewall family ccc filter filter-name term term-name]<br>No match conditions are supported for this traffic type on ACX Series routers. |
| Bridge | [edit firewall family bridge filter filter-name term term-name]<br>[edit firewall family ethernet-switching filter filter-name term term-name] (Applicable to ACX5048 and ACX5096 routers only.) |

On the ACX5448 router, the following ingress family filters can be scaled based on the availability of external-tcam:

  • family ethernet-switching

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

Under the then statement for a standard stateless firewall filter term, you can specify the actions to be taken on a packet that matches the term.

Table 2 summarizes the types of actions you can specify in a standard stateless firewall filter term.

Table 2: Standard Firewall Filter Action Categories for ACX Series Routers

| Type of Action | Description | Comment |
| --- | --- | --- |
| Terminating | Halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are used to examine the packet.<br>You can specify only one terminating action in a standard firewall filter. You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify accept with count and syslog. | See Terminating Actions (ACX Series Routers). |
| Nonterminating | Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are used to examine the packet. | See Nonterminating Actions (ACX Series Routers). |
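
The IPv4 hierarchy from Table 1 and the action rules from Table 2, combined in an added example configuration that is not part of the original documentation. The filter, term, and counter names and the 192.0.2.0/24 prefix are constructed for illustration; check the match conditions against Match Conditions for IPv4 Traffic (ACX Series Routers) for your platform.

```junos
firewall {
    family inet {
        filter protect-mgmt {                    # hypothetical filter name
            term allow-ssh-from-noc {            # hypothetical term name
                from {
                    source-address {
                        192.0.2.0/24;            # constructed documentation prefix
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-accepted;          # nonterminating: increments a counter
                    syslog;                      # nonterminating: records the packet header
                    accept;                      # the one terminating action in this term
                }
            }
            term drop-other-ssh {
                # Reached only by packets that did not match the previous term,
                # because its terminating action halted evaluation for those.
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-dropped;           # nonterminating
                    discard;                     # terminating
                }
            }
            term allow-rest {
                then accept;                     # explicit terminating action for all other traffic
            }
        }
    }
}
```

Term order carries the policy here: placing drop-other-ssh first would discard the permitted SSH traffic before allow-ssh-from-noc is ever evaluated.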