Configuring Firewall Filters (CLI Procedure)

You configure firewall filters on EX Series switches to control traffic that enters ports on the switch, or that enters and exits VLANs on the network and Layer 3 (routed) interfaces. Using a firewall filter is a two-part task: you first configure the filter and then apply it to a port, VLAN, or Layer 3 interface.

Configuring a Firewall Filter

Before you can apply a firewall filter to a port, VLAN, or Layer 3 interface, you must configure the filter with the required details, such as the family address type, the filter name, and the match conditions. A firewall filter can contain multiple terms, and each term defines the criteria that a packet must match. For each term, you must specify an action to be performed if a packet matches the conditions in that term. For information on the available match conditions and actions, see Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches.

To configure a firewall filter:

  1. Configure the family address type for the firewall filter:

    • For a firewall filter that is applied to a port or VLAN, specify the family address type ethernet-switching to filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets, for example:

      [edit firewall]

      user@switch# set family ethernet-switching
    • For a firewall filter that is applied to a Layer 3 (routed) interface:

      • To filter IPv4 packets, specify the family address type inet, for example:

        [edit firewall]

        user@switch# set family inet
      • To filter IPv6 packets, specify the family address type inet6, for example:

        [edit firewall]

        user@switch# set family inet6
      Note

      You can configure firewall filters for both IPv4 and IPv6 traffic on the same Layer 3 interface.

  2. Specify the filter name:
    [edit firewall family ethernet-switching]

    user@switch# set filter ingress-port-filter

    The filter name can contain letters, numbers, and hyphens (-) and can have a maximum of 64 characters. Each filter name must be unique.

  3. If you want to apply a firewall filter to multiple interfaces and name individual firewall counters specific to each interface, configure the interface-specific option:
    [edit firewall family ethernet-switching filter ingress-port-filter]

    user@switch# set interface-specific
  4. Specify a term name:
    [edit firewall family ethernet-switching filter ingress-port-filter]

    user@switch# set term term-one

    The term name can contain letters, numbers, and hyphens (-) and can have a maximum of 64 characters.

    A firewall filter can contain one or more terms. Each term name must be unique within a filter.

    The maximum number of terms allowed per firewall filter for EX Series switches is:

    • 512 for EX2200 switches

    • 1,436 for EX3300 switches

      Note

      On EX3300 switches, if you add and delete filters with a large number of terms (on the order of 1000 or more) in the same commit operation, not all the filters are installed. You must add filters in one commit operation, and delete filters in a separate commit operation.

    • 7,168 for EX3200 and EX4200 switches

    • On EX4300 switches, the number of terms supported for ingress and egress traffic, for firewall filters configured on a port, VLAN, and Layer 3 interface, is as follows:

      • For ingress traffic:

        • 3,500 terms for firewall filters configured on a port

        • 3,500 terms for firewall filters configured on a VLAN

        • 7,000 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

        • 3,500 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

      • For egress traffic:

        • 512 terms for firewall filters configured on a port

        • 256 terms for firewall filters configured on a VLAN

        • 512 terms for firewall filters configured on Layer 3 interfaces for IPv4 traffic

        • 512 terms for firewall filters configured on Layer 3 interfaces for IPv6 traffic

      Note

      These maximum numbers of terms apply only when you configure a single type of firewall filter (port, VLAN, or router (Layer 3) firewall filter) on the switch, and when storm control is not enabled on all interfaces in the switch.

    • 1,200 for EX4500 and EX4550 switches

    • 1,400 for EX6200 switches

    • 32,768 for EX8200 switches

    If you attempt to configure a firewall filter that exceeds these limits, the switch returns an error message when you commit the configuration.

  5. In each firewall filter term, specify the match conditions to use to match components of a packet.

    For example, to match packets that contain a specific source address and source port:

    [edit firewall family ethernet-switching filter ingress-port-filter term term-one]

    user@switch# set from source-address 192.0.2.0

    user@switch# set from source-port 80

    You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term.

    The from statement is optional, but if included in a term, the from statement cannot be empty. If you omit the from statement, all packets are considered to match.

  6. In each firewall filter term, specify the action to take if the packet matches all the conditions in that term.

    You can specify an action and/or action modifiers:

    • To specify a filter action, for example, to discard packets that match the conditions of the filter term:

      [edit firewall family ethernet-switching filter ingress-port-filter term term-one]

      user@switch# set then discard

      You can specify no more than one action per filter term.

    • To specify an action modifier, for example, to count and classify packets in a forwarding class:

      [edit firewall family ethernet-switching filter ingress-port-filter term term-one]

      user@switch# set then count counter-one

      user@switch# set then forwarding-class expedited-forwarding

      In a then statement, you can specify the following action modifiers:

      • analyzer analyzer-name—Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. An analyzer must be configured under the ethernet-switching family address type. See Configuring Port Mirroring to Analyze Traffic (CLI Procedure).

      • count counter-name—Count the number of packets that pass this filter term.

        Note

        We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.

      • forwarding-class class—Classify packets in a forwarding class.

      • loss-priority priority—Set the priority for dropping a packet.

      • policer policer-name—Apply rate limiting to the traffic.

      • interface interface-name—Forward the traffic to the specified interface, bypassing the switching lookup.

      • log—Log the packet's header information in the Routing Engine.

    If you omit the then statement or do not specify an action, packets that match all the conditions in the from statement are accepted. However, you must always explicitly configure an action and/or action modifier in the then statement. You can include no more than one action, but you can use any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.

    Note

    Implicit discard is also applicable to a firewall filter applied to the loopback interface, lo0.

    On Juniper Networks EX8200 Ethernet Switches, if an implicit or explicit discard action is configured on a loopback interface for IPv4 traffic, next hop resolve packets are accepted and allowed to pass through the switch. However, for IPv6 traffic, you must explicitly configure a rule to allow the next hop IPv6 resolve packets to pass through the switch.

Configuring a Term Specifically for IPv4 or IPv6 Traffic

To configure a term in a firewall filter configuration specifically for IPv4 traffic:

  1. Verify that neither ether-type ipv6 nor ip-version ipv6 is specified in the term in the configuration. By default, a configuration that does not contain either ether-type ipv6 or ip-version ipv6 in a term applies to IPv4 traffic.
  2. (Optional) Perform one of these tasks:
    • Define ether-type ipv4 in a term in the configuration.

    • Define ip-version ipv4 in a term in the configuration.

    • Define both ether-type ipv4 and ip-version ipv4 in a term in the configuration.

    • Verify that neither ether-type ipv6 nor ip-version ipv6 is specified in a term in the configuration. By default, a term that contains neither ether-type ipv6 nor ip-version ipv6 applies to IPv4 traffic.

  3. Ensure that other match conditions in the term are valid for IPv4 traffic.

To configure a term in a firewall filter configuration specifically for IPv6 traffic:

  1. Perform one of these tasks:
    • Define ether-type ipv6 in a term in the configuration.

    • Define ip-version ipv6 in a term in the configuration.

    • Define both ether-type ipv6 and ip-version ipv6 in a term in the configuration.

      Note

      By default, a configuration that does not contain either ether-type ipv6 or ip-version ipv6 in a term applies to IPv4 traffic.

  2. Ensure that other match conditions in the term are valid for IPv6 traffic.

Note

If the term contains either of the match conditions ether-type ipv6 or ip-version ipv6, with no other IPv6 match condition specified, all IPv6 traffic is matched.

Note

To configure a firewall filter for both IPv4 and IPv6 traffic, you must include two separate terms, one for IPv4 traffic and the other for IPv6 traffic.
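The filter that steps 1 through 6 above build, together with the IPv4 and IPv6 term rules from this section, shown in Junos hierarchical configuration form. This is an added example, not configuration from the original page: the filter name, interface, and the 192.0.2.0 source address are taken from the procedure, while the /24 prefix length, the term names, and the counter names are assumed values.

```junos
firewall {
    family ethernet-switching {
        filter ingress-port-filter {
            /* counters get a per-interface suffix when the filter is applied */
            interface-specific;
            /* IPv4 term: neither ether-type ipv6 nor ip-version ipv6, so IPv4 only */
            term block-http-from-test-net {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    source-port 80;
                }
                then {
                    count http-from-test-net;
                    discard;
                }
            }
            /* IPv6 term: ether-type ipv6 with no other IPv6 match selects all IPv6 */
            term log-all-ipv6 {
                from {
                    ether-type ipv6;
                }
                then {
                    count all-ipv6;
                    log;
                    accept;
                }
            }
            /* catch-all: unmatched traffic would otherwise hit the implicit discard */
            term allow-everything-else {
                then {
                    count everything-else;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input ingress-port-filter;
                }
            }
        }
    }
}
```

Because interface-specific is set, each counter is instantiated per interface and direction, so after commit the first term's counter appears in show firewall output as http-from-test-net-ge-0/0/1.0-i rather than under its bare name.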

Applying a Firewall Filter to a Port on a Switch

You can apply a firewall filter to a port on a switch to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifier listed in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in a term is applied to the packets that match that term, in the ingress or egress direction in which the filter is applied.

To apply a firewall filter to a port to filter ingress or egress traffic:

Note

For applying a firewall filter to a management interface, see Applying a Firewall Filter to a Management Interface on a Switch.

  1. Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
    [edit interfaces]

    user@switch# set ge-0/0/1 description "filter to limit tcp traffic filter at trunk port for employee-vlan and voice-vlan applied on the interface"
    Note

    Providing the description is optional.

  2. Specify the unit number and family address type for the interface:
    [edit interfaces]

    user@switch# set ge-0/0/1 unit 0 family ethernet-switching

    For firewall filters that are applied to ports, the family address type must be ethernet-switching.

  3. To apply a firewall filter to filter packets that are entering a port:
    [edit interfaces]

    user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter

    To apply a firewall filter to filter packets that are exiting a port:

    [edit interfaces]

    user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter output egress-port-filter
    Note

    You can apply no more than one firewall filter per port, per direction.

Applying a Firewall Filter to a Management Interface on a Switch

You can configure and apply a firewall filter to a management interface to control traffic that is entering or exiting the interface on a switch. You can use utilities such as SSH or Telnet to connect to the management interface over the network and then use management protocols such as SNMP to gather statistical data from the switch. Similar to configuring a firewall filter on other types of interfaces, you can configure a firewall filter on a management interface using any match condition, action, and action modifier specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches except for the following action modifiers:

  • loss-priority

  • forwarding-class

You can apply a firewall filter to the management Ethernet interface on any EX Series switch. You can also apply a firewall filter to the virtual management Ethernet (VME) interface on the EX4200 switch. For more information on the management Ethernet interface and the VME interface, see Interfaces Overview for Switches.

To apply a firewall filter on the management interface to filter ingress or egress traffic:

  1. Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
    [edit interfaces]

    user@switch# set me0 description "filter to limit tcp traffic filter at management interface"
    Note

    Providing the description is optional.

  2. Specify the unit number and family address type for the management interface:
    [edit interfaces]

    user@switch# set me0 unit 0 family inet
    Note

    For firewall filters that are applied to management interfaces, the family address type can be either inet or inet6.

  3. To apply a firewall filter to filter packets that are entering a management interface:
    [edit interfaces]

    user@switch# set me0 unit 0 family inet filter input ingress-port-filter

    To apply a firewall filter to filter packets that are exiting a management interface:

    [edit interfaces]

    user@switch# set me0 unit 0 family inet filter output egress-port-filter
    Note

    You can apply no more than one firewall filter per management interface, per direction.

Applying a Firewall Filter to a VLAN on a Network

You can apply a firewall filter to a VLAN on a network to filter ingress or egress traffic on the network. To apply a firewall filter to a VLAN, specify the VLAN name and ID, and then apply the firewall filter to the VLAN. When you configure the firewall filter, you can specify any match condition, action, and action modifier listed in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in a term is applied to the packets that match that term, in the ingress or egress direction in which the filter is applied.

To apply a firewall filter to a VLAN:

  1. Specify the VLAN name and VLAN ID and provide a meaningful description of the firewall filter and the VLAN to which the filter is applied:
    [edit vlans]

    user@switch# set employee-vlan vlan-id 20 vlan-description "filter to rate limit traffic applied on employee-vlan"
    Note

    Providing the description is optional.

  2. Apply firewall filters to filter packets that are entering or exiting the VLAN:

    • To apply a firewall filter to filter packets that are entering the VLAN:

      [edit vlans]

      user@switch# set employee-vlan vlan-id 20 filter input ingress-vlan-filter

      (On EX4300 switches) To apply a firewall filter to filter packets that are entering the VLAN:

      [edit vlans]

      user@switch# set employee-vlan vlan-id 20 forwarding-options input ingress-vlan-filter
    • To apply a firewall filter to filter packets that are exiting the VLAN:

      [edit vlans]

      user@switch# set employee-vlan vlan-id 20 filter output egress-vlan-filter

      (On EX4300 switches) To apply a firewall filter to filter packets that are exiting the VLAN:

      [edit vlans]

      user@switch# set employee-vlan vlan-id 20 forwarding-options output egress-vlan-filter
    Note

    You can apply no more than one firewall filter per VLAN, per direction.

Applying a Firewall Filter to a Layer 3 (Routed) Interface

You can apply a firewall filter to a Layer 3 (routed) interface to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifier listed in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in a term is applied to the packets that match that term, in the ingress or egress direction in which the filter is applied.

To apply a firewall filter to a Layer 3 interface on a switch:

  1. Specify the interface name and provide a meaningful description of the firewall filter and the interface to which the filter is applied:
    [edit interfaces]

    user@switch# set ge-0/1/0 description "filter to count and monitor employee-vlan traffic applied on layer 3 interface"
    Note

    Providing the description is optional.

  2. Specify the unit number, family address type, and address for the interface:
    [edit interfaces]

    user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24

    For firewall filters applied to Layer 3 interfaces, the family address type must be inet (for IPv4 traffic) or inet6 (for IPv6 traffic).

  3. You can apply firewall filters to filter packets that are entering or exiting a Layer 3 (routed) interface:
    • To apply a firewall filter to filter packets that are entering a Layer 3 interface:

      [edit interfaces]

      user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24 filter input ingress-router-filter
    • To apply a firewall filter to filter packets that are exiting a Layer 3 interface:

      [edit interfaces]

      user@switch# set ge-0/1/0 unit 0 family inet address 10.10.10.1/24 filter output egress-router-filter
    Note

    You can apply no more than one firewall filter per Layer 3 interface, per direction.
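An IPv4 filter and an IPv6 filter applied as input on the same routed interface, as the note in the first procedure permits, shown in hierarchical form. This is an added example, not configuration from the original page: the interface, IPv4 address, and ingress-router-filter name come from the procedure; the IPv6 filter name, term and counter names, the 10.10.10.0/24 source prefix, and the 2001:db8:10::/64 addresses are assumed values.

```junos
firewall {
    family inet {
        filter ingress-router-filter {
            term count-employee-subnet {
                from {
                    source-address {
                        10.10.10.0/24;
                    }
                }
                then {
                    count employee-v4;
                    accept;
                }
            }
            /* catch-all so that unmatched IPv4 is not implicitly discarded */
            term allow-everything-else {
                then {
                    count everything-else-v4;
                    accept;
                }
            }
        }
    }
    family inet6 {
        filter ingress-router-filter-v6 {
            /* no from statement: every IPv6 packet matches and is counted */
            term count-all-v6 {
                then {
                    count all-v6;
                    accept;
                }
            }
        }
    }
}
interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                /* the filter statement sits under the family, beside address */
                filter {
                    input ingress-router-filter;
                }
                address 10.10.10.1/24;
            }
            family inet6 {
                filter {
                    input ingress-router-filter-v6;
                }
                address 2001:db8:10::1/64;
            }
        }
    }
}
```

After commit, show firewall filter ingress-router-filter and show firewall filter ingress-router-filter-v6 display the per-term counters, which is the quickest way to confirm that each family's filter is seeing the traffic you expect.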