Understanding How Firewall Filters Test a Packet's Protocol
When examining match conditions, Juniper Networks Junos operating system (Junos OS) for Juniper Networks EX Series Ethernet Switches tests only the field that is specified. The software does not implicitly test the IP header to determine whether a packet is an IP packet. Therefore, in some cases, you must specify protocol field match conditions in conjunction with other match conditions to ensure that the filters are performing the expected matches.
If you specify a protocol match condition or a match of the ICMP type or TCP flags field, there is no implied protocol match. For the following match conditions, you must explicitly specify the protocol match condition in the same term:
destination-port—Specify the match protocol tcp or protocol udp.
source-port—Specify the match protocol tcp or protocol udp.
If you do not specify the protocol when using the preceding fields, design your filters carefully to ensure that they perform the expected matches. For example, if you specify a match of destination-port ssh, the switch deterministically matches any packets that have a value of 22 in the two-byte field that is two bytes beyond the end of the IP header without ever checking the IP protocol field.