
    Example: Configuring Interface-Specific Firewall Filter Counters

    This example shows how to configure and apply an interface-specific standard stateless firewall filter.

    Requirements

    Interface-specific stateless firewall filters are supported only on T Series, M Series, MX Series, and PTX Series routers and on EX Series switches.

    No special configuration beyond device initialization is required before configuring this example.

    Overview

    In this example, you create an interface-specific stateless firewall filter that counts and accepts packets with source or destination addresses in a specified prefix and the IP protocol type field set to a specific value.

    Topology

    You configure the interface-specific stateless firewall filter filter_s_tcp to count and accept packets with IP source or destination addresses in the 10.0.0.0/12 prefix and the IP protocol type field set to tcp (or the numeric value 6).

    The name of the firewall filter counter is count_s_tcp.

    You apply the firewall filter to multiple logical interfaces:

    • at-1/1/1.0 input

    • ge-2/2/2.2 output

    Applying the filter to these two interfaces results in two instances of the filter: filter_s_tcp-at-1/1/1.0-i and filter_s_tcp-ge-2/2/2.2-o, respectively.

    Configuration

    The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

    To configure this example, perform the following tasks:

    CLI Quick Configuration

    To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

    set firewall family inet filter filter_s_tcp interface-specific
    set firewall family inet filter filter_s_tcp term 1 from address 10.0.0.0/12
    set firewall family inet filter filter_s_tcp term 1 from protocol tcp
    set firewall family inet filter filter_s_tcp term 1 then count count_s_tcp
    set firewall family inet filter filter_s_tcp term 1 then accept
    set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp
    set interfaces ge-2/2/2 unit 2 family inet filter output filter_s_tcp

    Configure the Interface-Specific Firewall Filter

    Step-by-Step Procedure

    To configure the interface-specific firewall filter:

    1. Create the IPv4 firewall filter filter_s_tcp.

      [edit]
      user@host# edit firewall family inet filter filter_s_tcp
    2. Enable interface-specific instances of the filter.

      [edit firewall family inet filter filter_s_tcp]
      user@host# set interface-specific
    3. Configure the match conditions for the term.

      [edit firewall family inet filter filter_s_tcp]
      user@host# set term 1 from address 10.0.0.0/12
      user@host# set term 1 from protocol tcp
    4. Configure the actions for the term.

      [edit firewall family inet filter filter_s_tcp]
      user@host# set term 1 then count count_s_tcp
      user@host# set term 1 then accept

    Apply the Interface-Specific Firewall Filter to Multiple Interfaces

    Step-by-Step Procedure

    To apply the filter filter_s_tcp to logical interfaces at-1/1/1.0 and ge-2/2/2.2:

    1. Apply the interface-specific filter to packets received on logical interface at-1/1/1.0.

      [edit]
      user@host# set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp
    2. Apply the interface-specific filter to packets transmitted from logical interface ge-2/2/2.2.

      [edit]
      user@host# set interfaces ge-2/2/2 unit 2 family inet filter output filter_s_tcp

    Confirm Your Candidate Configuration

    Step-by-Step Procedure

    To confirm your candidate configuration:

    1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

      [edit]
      user@host# show firewall
      family inet {
          filter filter_s_tcp {
              interface-specific;
              term 1 {
                  from {
                      address {
                          10.0.0.0/12;
                      }
                      protocol tcp;
                  }
                  then {
                      count count_s_tcp;
                      accept;
                  }
              }
          }
      }
    2. Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

      [edit]
      user@host# show interfaces
      at-1/1/1 {
          unit 0 {
              family inet {
                  filter {
                      input filter_s_tcp;
                  }
              }
          }
      }
      ge-2/2/2 {
          unit 2 {
              family inet {
                  filter {
                      output filter_s_tcp;
                  }
              }
          }
      }

    Clear the Counters and Commit Your Candidate Configuration

    Step-by-Step Procedure

    To clear the counters and commit your candidate configuration:

    1. From operational command mode, use the clear firewall all command to clear the statistics for all firewall filters.

      To clear only the counters used in this example, include the interface-specific filter instance names (these are operational mode commands, so no [edit] banner appears):

      user@host> clear firewall filter filter_s_tcp-at-1/1/1.0-i
      user@host> clear firewall filter filter_s_tcp-ge-2/2/2.2-o
    2. Commit your candidate configuration.

      [edit]
      user@host# commit

    Verification

    Confirm that the configuration is working properly.

    Verifying That the Filter Is Applied to Each of the Multiple Interfaces

    Purpose

    Verify that the filter is applied to each of the multiple interfaces.

    Action

    Run the show interfaces command with the detail or extensive output level.

    1. Verify that the filter is applied to the input for at-1/1/1.0:
      user@host> show interfaces at-1/1/1 detail
      Physical interface: at-1/1/1, Enabled, Physical link is Up
        Interface index: 300, SNMP ifIndex: 194, Generation: 183
      
      ...
        Logical interface at-1/1/1.0 (Index 64) (SNMP ifIndex 204) (Generation 5)
          Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: ATM-SNAP
      ...
          Protocol inet, MTU: 4470, Generation: 13, Route table: 0
            Flags: Sendbcast-pkt-to-re
            Input Filters: filter_s_tcp-at-1/1/1.0-i,,,,,
      
    2. Verify that the filter is applied to the output for ge-2/2/2.2:
      user@host> show interfaces ge-2/2/2 detail
      Physical interface: ge-2/2/2, Enabled, Physical link is Up
        Interface index: 129, SNMP ifIndex: 502, Generation: 132
      
      ...
        Logical interface ge-2/2/2.2 (Index 70) (SNMP ifIndex 536) (Generation 135)
          Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP
      
      ...
          Protocol inet, MTU: 4470, Generation: 146, Route table: 0
            Flags: Sendbcast-pkt-to-re
            Output Filters: filter_s_tcp-ge-2/2/2.2-o,,,,,
      

    Verifying That the Counters Are Collected Separately by Interface

    Purpose

    Make sure that the count_s_tcp counters are collected separately for the two logical interfaces.

    Action

    Run the show firewall command.

    user@host> show firewall filter filter_s_tcp
    Filter: filter_s_tcp                                           
    Counters:
    Name                            Bytes             Packets
    count_s_tcp-at-1/1/1.0-i          420                   5
    count_s_tcp-ge-2/2/2.2-o         8888                 101
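
    The two verification steps above (checking that each interface-specific instance is bound, and that the count_s_tcp counters are kept per instance) can be automated. The following Python script is an added example and is not part of the Juniper documentation or any Junos tool: it derives the instance names Junos generates (base name plus -<interface>-i or -<interface>-o), looks for them on the Input Filters:/Output Filters: lines of show interfaces detail output, and parses the Counters table of show firewall filter output into one entry per instance. The function names and the constructed sample output are assumptions modelled on the output shown on this page.

```python
"""Check interface-specific filter instances against Junos show output.

Added example (not Juniper's code). The show output below is constructed to
match the shape of the output on the page; on a real device you would feed in
the text of 'show interfaces <ifd> detail' and 'show firewall filter <name>'.
"""
import re

# Filter bindings from the example: (logical interface, direction).
BINDINGS = [("at-1/1/1.0", "input"), ("ge-2/2/2.2", "output")]

# Constructed excerpt of 'show interfaces at-1/1/1 detail'.
SHOW_IF_AT = """\
Physical interface: at-1/1/1, Enabled, Physical link is Up
  Logical interface at-1/1/1.0 (Index 64) (SNMP ifIndex 204) (Generation 5)
      Protocol inet, MTU: 4470, Generation: 13, Route table: 0
        Flags: Sendbcast-pkt-to-re
        Input Filters: filter_s_tcp-at-1/1/1.0-i,,,,,
"""

# Constructed excerpt of 'show interfaces ge-2/2/2 detail'.
SHOW_IF_GE = """\
Physical interface: ge-2/2/2, Enabled, Physical link is Up
  Logical interface ge-2/2/2.2 (Index 70) (SNMP ifIndex 536) (Generation 135)
      Protocol inet, MTU: 4470, Generation: 146, Route table: 0
        Flags: Sendbcast-pkt-to-re
        Output Filters: filter_s_tcp-ge-2/2/2.2-o,,,,,
"""

# Constructed 'show firewall filter filter_s_tcp' output (values from the page).
SHOW_FW = """\
Filter: filter_s_tcp
Counters:
Name                            Bytes             Packets
count_s_tcp-at-1/1/1.0-i          420                   5
count_s_tcp-ge-2/2/2.2-o         8888                 101
"""

SUFFIX = {"input": "-i", "output": "-o"}


def instance_name(base, ifl, direction):
    """Name Junos gives an interface-specific filter or counter instance."""
    return f"{base}-{ifl}{SUFFIX[direction]}"


def bound_filters(show_if_text, ifl, direction):
    """Filter names on the Input/Output Filters line of logical interface ifl.

    Junos prints unused filter slots as empty comma-separated fields, so the
    trailing ',,,,,' on the page's output is dropped here.
    """
    label = "Input Filters:" if direction == "input" else "Output Filters:"
    in_unit = False
    for line in show_if_text.splitlines():
        m = re.match(r"\s*Logical interface (\S+)", line)
        if m:
            in_unit = m.group(1) == ifl
            continue
        if in_unit and line.strip().startswith(label):
            names = line.split(":", 1)[1].split(",")
            return [n.strip() for n in names if n.strip()]
    return []


def parse_counters(show_fw_text):
    """Parse the Counters table into {instance_name: (bytes, packets)}."""
    counters = {}
    for line in show_fw_text.splitlines():
        # Only data rows have two integer columns; headers do not match.
        m = re.match(r"\s*(\S+)\s+(\d+)\s+(\d+)\s*$", line)
        if m:
            counters[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return counters


def verify(filter_name, counter_name, bindings, show_if_by_ifl, show_fw_text):
    """Return a list of problems; empty means every instance is bound and counted."""
    problems = []
    counters = parse_counters(show_fw_text)
    for ifl, direction in bindings:
        want_filter = instance_name(filter_name, ifl, direction)
        if want_filter not in bound_filters(show_if_by_ifl[ifl], ifl, direction):
            problems.append(f"{want_filter} not bound on {ifl} {direction}")
        want_counter = instance_name(counter_name, ifl, direction)
        if want_counter not in counters:
            problems.append(f"no counter {want_counter}")
    return problems


if __name__ == "__main__":
    outputs = {"at-1/1/1.0": SHOW_IF_AT, "ge-2/2/2.2": SHOW_IF_GE}
    issues = verify("filter_s_tcp", "count_s_tcp", BINDINGS, outputs, SHOW_FW)
    print("OK: all instances bound and counting separately" if not issues
          else "\n".join(issues))
```

    A missing counter instance usually means the filter was committed without the interface-specific statement, in which case Junos keeps a single shared count_s_tcp counter and the per-interface breakdown the example relies on is lost.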
    

    Modified: 2018-06-05