Understanding Planning of Firewall Filters

Before you create a firewall filter and apply it to an interface, determine what you want the firewall filter to accomplish and how to use its match conditions and actions to achieve your goals. You must understand how packets are matched to match conditions, the default and configured actions of the firewall filter, and proper placement of the firewall filter.

You can configure and apply no more than one firewall filter per port, VLAN, or router interface, per direction. The following limits apply for the number of firewall filter terms allowed per filter on various switch models:

  • On EX3300 switches, the number of terms per filter cannot exceed 1436.

  • On EX3200 and EX4200 switches, the number of terms per filter cannot exceed 7042.

  • On EX2300 switches, the following maximum numbers of terms are supported for ingress and egress traffic for firewall filters configured on a port, a VLAN, or a Layer 3 interface:

    • For ingress traffic:

      • 256 terms for firewall filters configured on a port

      • 256 terms for firewall filters configured on a VLAN

      • 256 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

      • 256 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

    • For egress traffic:

      • 512 terms for firewall filters configured on a port

      • 128 terms for firewall filters configured on a VLAN

      • 512 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

      • 512 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

  • On EX3400 switches, the following maximum numbers of terms are supported for ingress and egress traffic for firewall filters configured on a port, a VLAN, or a Layer 3 interface:

    • For ingress traffic:

      • 512 terms for firewall filters configured on a port

      • 512 terms for firewall filters configured on a VLAN

      • 512 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

      • 512 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

    • For egress traffic:

      • 512 terms for firewall filters configured on a port

      • 256 terms for firewall filters configured on a VLAN

      • 1024 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

      • 1024 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

  • On EX4300 switches, the following maximum numbers of terms are supported for ingress and egress traffic for firewall filters configured on a port, a VLAN, or a Layer 3 interface:

    • For ingress traffic:

      • 3500 terms for firewall filters configured on a port

      • 3500 terms for firewall filters configured on a VLAN

      • 7000 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

      • 3500 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

      Note

      The ternary content addressable memory (TCAM) limit for ingress traffic on the EX4300 switch is 256 entries.

    • For egress traffic:

      • 512 terms for firewall filters configured on a port

      • 256 terms for firewall filters configured on a VLAN

      • 512 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

      • 512 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

      Note

      The maximum number of terms can be reached only when a single type of firewall filter (port, VLAN, or router (Layer 3) firewall filter) is configured on the switch and storm control is not enabled on any interface of the switch.

  • On EX4500 and EX4550 switches, the number of terms per filter cannot exceed 1200.

  • On EX6200 switches, the number of terms per filter cannot exceed 1400.

  • On EX8200 switches, the number of terms per filter cannot exceed 32,768.

In addition, try to be conservative in the number of terms (rules) that you include in each firewall filter because a large number of terms requires longer processing time during a commit and also can make firewall filter testing and troubleshooting more difficult. Similarly, applying firewall filters across many switch and router interfaces can make testing and troubleshooting the rules of those filters difficult.

Before you configure and apply firewall filters, answer the following questions for each of those firewall filters:

  1. What is the purpose of the firewall filter?

    For example, you can use a firewall filter to limit traffic to source and destination MAC addresses, specific protocols, or certain data rates or to prevent denial of service (DoS) attacks.

  2. What are the appropriate match conditions?

    1. Determine the packet header fields that the packet must contain for a match. Possible fields include:

      • Layer 2 header fields—Source and destination MAC addresses, dot1q tag, Ethernet type, and VLAN

      • Layer 3 header fields—Source and destination IP addresses, protocols, and IP options (IP precedence, IP fragmentation flags, TTL type)

      • TCP header fields—Source and destination ports and flags

      • ICMP header fields—Packet type and code

    2. Determine the port, VLAN, or router interface on which the packet was received.

  3. What are the appropriate actions to take if a match occurs?

    Possible actions to take if a match occurs are accept, discard, and forward to a routing instance.

  4. What additional action modifiers might be required?

    Determine whether additional actions are required if a packet matches a match condition; for example, you can specify an action modifier to count, analyze, or police packets.

  5. On what interface should the firewall filter be applied?

    Start with the following basic guidelines:

    • If all the packets entering a port need to be exposed to filtering, then use port firewall filters.

    • If all the packets that are bridged need filtering, then use VLAN firewall filters.

    • If all the packets that are routed need filtering, then use router firewall filters.

    Before you choose the interface on which to apply a firewall filter, understand how that placement can impact traffic flow to other interfaces. In general, apply a firewall filter that filters on source and destination IP addresses, IP protocols, or protocol information—such as ICMP message types, and TCP and UDP port numbers—nearest to the source devices. However, typically apply a firewall filter that filters only on a source IP address nearest to the destination devices. When applied too close to the source device, a firewall filter that filters only on a source IP address could potentially prevent that source device from accessing other services that are available on the network.

    Note

    Egress firewall filters do not affect the flow of locally generated control packets from the Routing Engine.

  6. In which direction should the firewall filter be applied?

    You can apply firewall filters to ports on the switch to filter packets that are entering a port. You can apply firewall filters to VLANs and Layer 3 (routed) interfaces to filter packets that are entering or exiting a VLAN or routed interface. Typically, you configure different sets of actions for traffic entering an interface than you configure for traffic exiting an interface.
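    The following Junos configuration is an added example, not part of this documentation page, that works through the six planning questions above for two filters: a router (Layer 3) filter that matches on Layer 3, TCP, and ICMP header fields and uses the count and policer action modifiers, and a port filter that matches on a Layer 2 source MAC address. It also illustrates the matching behaviour referred to at the start of this topic: terms are evaluated in order, the first matching term decides the packet's fate, and a packet that matches no term is discarded by the implicit final action. All filter, term, counter, and policer names, the 10.1.10.0/24 admin subnet, the MAC address (taken from the IANA documentation range), and the interfaces ge-0/0/1 and irb.100 are constructed assumptions; on EX switches that do not use Enhanced Layer 2 Software, the routed VLAN interface is vlan.100 rather than irb.100.

```junos
firewall {
    family inet {
        /* Router (Layer 3) filter: Layer 3, TCP and ICMP match conditions (question 2) */
        filter protect-servers {
            /* Terms are evaluated top-down; the first matching term's action ends evaluation */
            term allow-admin-ssh {
                from {
                    source-address {
                        10.1.10.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count admin-ssh;
                    accept;
                }
            }
            term block-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count blocked-ssh;
                    discard;
                }
            }
            /* Action modifier (question 4): rate-limit echo requests with a policer, then accept */
            term police-ping {
                from {
                    protocol icmp;
                    icmp-type echo-request;
                }
                then {
                    policer icmp-1m;
                    accept;
                }
            }
            /* Counted catch-all; without it the implicit final action discards the packet anyway */
            term default-discard {
                then {
                    count default-discard;
                    discard;
                }
            }
        }
    }
    family ethernet-switching {
        /* Port filter (question 5): Layer 2 match condition on a source MAC address */
        filter block-rogue-mac {
            term rogue {
                from {
                    source-mac-address {
                        00:00:5e:00:53:01/48;
                    }
                }
                then {
                    count rogue-mac;
                    discard;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    /* Port filter applied in the ingress direction (question 6); ports accept input filters only */
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input block-rogue-mac;
                }
            }
        }
    }
    /* Router filter applied to the routed VLAN interface; a Layer 3 interface accepts input or output */
    irb {
        unit 100 {
            family inet {
                filter {
                    input protect-servers;
                }
            }
        }
    }
}
```

    The two ssh terms show why term order matters: swapping them would discard the administrators' sessions before the accept term is ever reached. Each term that discards carries a counter, so `show firewall filter protect-servers` reports how much traffic each term is dropping, which is the first thing to check when testing a new filter or troubleshooting unexpected drops. The example uses five terms in one filter and two in the other, well inside every per-filter limit listed above.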