
Firewall Filter Match Conditions for Protocol-Independent Traffic

 

You can configure a firewall filter with match conditions for protocol-independent traffic (family any).

To apply a protocol-independent firewall filter to a logical interface, configure the filter statement under the logical unit. The exact hierarchy level at which the filter statement goes depends on the platform, as described in the note that follows.

Note

On MX Series routers, attach a protocol-independent firewall filter to a logical interface by configuring the filter statement directly under the logical unit:

  • [edit interfaces name unit number filter]

  • [edit logical-systems name interfaces name unit number filter]

On all other supported devices, attach a protocol-independent firewall filter to a logical interface by configuring the filter statement under the protocol family (family any):

  • [edit interfaces name unit number family any filter]

  • [edit logical-systems name interfaces name unit number family any filter]

Table 1 describes the match conditions you can configure at the [edit firewall family any filter filter-name term term-name from] hierarchy level.

Table 1: Firewall Filter Match Conditions for Protocol-Independent Traffic

Match Condition

Description

forwarding-class class

Match the forwarding class of the packet.

Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.

Note: On T4000 Type 5 FPCs, a filter attached at the Layer 2 application point (that is, at the logical interface level) cannot match on a forwarding class that was set by a Layer 3 classifier such as DSCP, DSCP V6, inet-precedence, or mpls-exp. A forwarding-class term in such a filter does not match those packets.

forwarding-class-except class

Match any packet whose forwarding class is not the specified class. For the valid class names and platform caveats, see the forwarding-class match condition.

interface interface-name

Match the interface on which the packet was received.

Note: If you configure this match condition with an interface that does not exist, the term does not match any packet.

interface-set interface-set-name

Match the interface on which the packet was received to the specified interface set.

To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level. For more information, see Filtering Packets Received on an Interface Set Overview.

loss-priority level

Match the packet loss priority (PLP) level.

Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

Note: This match condition is not supported on PTX series packet transport routers.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

loss-priority-except level

Match any packet whose PLP level is not one of the specified levels. For the valid levels and the tri-color requirement, see the loss-priority match condition.

Note: This match condition is not supported on PTX series packet transport routers.

packet-length bytes

Match the length of the received packet, in bytes. The length is the length of the IP packet including its header; it does not include any Layer 2 encapsulation overhead. You can specify a single value or a range of values.

packet-length-except bytes

Match any packet whose length, in bytes, is not the specified value or within the specified range. For details, see the packet-length match condition.
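The following configuration combines the attachment points from the note above with the match conditions in Table 1 in one working filter. It is an added example and is not taken from the Juniper documentation; the interface names, VLAN, address, filter, policer and counter names, and the policer rates are illustrative assumptions.

```junos
/* Added example, not Juniper's own documentation. Interfaces, names and
   rates are assumptions chosen for illustration. */
class-of-service {
    /* Needed to commit loss-priority medium-low or medium-high on M320,
       MX Series and T Series routers with Enhanced II FPCs; without it
       only low and high are accepted. */
    tri-color;
}
firewall {
    /* Interface set referenced by the interface-set match condition. */
    interface-set customer-facing {
        ge-0/0/1.100;
        ge-0/0/2.100;
    }
    family any {
        filter any-ingress {
            /* Discard packets whose IP length (Layer 2 overhead excluded)
               falls outside 64-1500 bytes. */
            term drop-odd-sizes {
                from {
                    packet-length-except 64-1500;
                }
                then {
                    count odd-size-drops;
                    discard;
                }
            }
            /* Pass routing-protocol traffic untouched. */
            term pass-network-control {
                from {
                    forwarding-class network-control;
                }
                then accept;
            }
            /* Rate-limit high-PLP packets that arrived on a customer-facing
               unit; a nonexistent interface in the set would simply never
               match. */
            term police-customer-high-plp {
                from {
                    interface-set customer-facing;
                    loss-priority [ medium-high high ];
                }
                then {
                    policer customer-high-plp;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
    policer customer-high-plp {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
}
interfaces {
    ge-0/0/1 {
        unit 100 {
            vlan-id 100;
            /* MX Series: the filter statement sits directly under the unit. */
            filter {
                input any-ingress;
            }
            family inet {
                address 192.0.2.1/30;
            }
        }
    }
}
```

On all other supported devices, move the filter under the protocol family instead, for example with `set interfaces ge-0/0/1 unit 100 family any filter input any-ingress`. Two caveats from Table 1 apply here: on T4000 Type 5 FPCs the pass-network-control term will not see forwarding classes assigned by a DSCP, DSCP V6, inet-precedence or mpls-exp classifier, and on PTX Series routers the loss-priority term cannot be used at all.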