Overview of Firewall Filters
Firewall filters provide rules that define whether to accept or discard packets that are transiting an interface on a QFX Series product. If a packet is accepted, you can configure additional actions to perform on the packet, such as class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority) and traffic policing (controlling the maximum rate of traffic sent or received). You configure firewall filters to determine whether to accept or discard a packet before it enters or exits any of these:
- Port
- VLAN
- Layer 3 (routed) interface
- Routed VLAN interface (RVI)
An ingress firewall filter is applied to packets that are entering an interface or VLAN, and an egress firewall filter is applied to packets that are exiting an interface or VLAN.
Note: Firewall filters are sometimes called access control lists (ACLs).
Firewall Filter Types
The following firewall filter types are supported on the QFX Series:
- Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 traffic transiting system ports.
- VLAN firewall filter—VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN.
- Router (Layer 3) firewall filter—You can apply a router firewall filter on Layer 3 (routed) interfaces and routed VLAN interfaces (RVI). You can also apply a router firewall filter in the ingress direction (only) on a loopback interface, which filters traffic sent to the switch itself.

Note: You can apply a firewall filter to a management interface (for example, me0) on a QFX3500 device. You cannot apply a firewall filter to a management interface on a QFX3000-G or QFX3000-M system.
To apply a firewall filter:
- Configure the firewall filter.
- Apply the firewall filter to a port, VLAN, or router interface.
Note: You can apply only one firewall filter to a port, VLAN, or interface for a given direction. For example, for interface ge-0/0/6.0, you can apply one filter for the ingress direction and one for the egress direction.
Firewall Filter Components
In a firewall filter, you first define the family address type (ethernet-switching or inet) and then define one or more terms that specify the filtering criteria and the action to take if a match occurs.
Each term consists of the following components:
- Match conditions—Specify values that a packet must contain to be considered a match. You can specify values for most fields in the IP, TCP, UDP, or ICMP headers. You can also match on interface names.
- Action—Specifies what to do if a packet matches the match conditions. A filter can accept, discard, or reject a matching packet and then perform additional actions, such as counting, classifying, and policing. If no action is specified for a term, the default is to accept the matching packet.
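The following configuration is an added example, not taken from the original page, that ties the two procedure steps above (configure the filter, then apply it) to the components just described: a family (inet), three terms, match conditions, and actions. The filter name mgmt-access, the term and counter names, and the prefixes 192.0.2.0/24 and 198.51.100.0/24 are constructed for illustration. It is applied in the ingress direction on the loopback interface, which is the router-filter case that screens traffic destined to the switch itself.

```junos
firewall {
    family inet {
        filter mgmt-access {
            /* Term 1: accept SSH only from the constructed management prefix */
            term allow-mgmt-ssh {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count mgmt-ssh-accepted;
                    accept;
                }
            }
            /* Term 2: SSH from any other source reaches this term and is counted, then dropped */
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-dropped;
                    discard;
                }
            }
            /* Term 3: no from clause, so every remaining packet matches and is accepted.
               Without this term the filter's implicit default would discard all other
               traffic to the switch (routing protocols, SNMP, and so on). */
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Apply the filter; a loopback filter is supported in the input direction only */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input mgmt-access;
                }
            }
        }
    }
    /* The same filter could instead be applied to a routed port, for example ge-0/0/6.0 */
    ge-0/0/6 {
        unit 0 {
            family inet {
                filter {
                    input mgmt-access;
                }
                address 198.51.100.1/24;
            }
        }
    }
}
```

Applying the filter to both lo0.0 and ge-0/0/6.0 is shown only to illustrate the two attachment points; on a real device the filter would usually be attached where the traffic of interest actually enters. The count actions give each term its own counter, so the effect of the ordering can be verified from the device's filter counters rather than inferred.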
Firewall Filter Processing
If there are multiple terms in a filter, the order of the terms is important. If a packet matches the first term, the switch executes the action defined by that term, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term. If no match occurs between the packet and the second term, the system continues to compare the packet to each successive term in the filter until a match is found. If the packet does not match any terms in the filter, the switch discards the packet by default.
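As an added example of why term order matters (this configuration is not from the original page; the filter and term names are constructed), the first filter below places a broad accept term ahead of a more specific discard term, so the discard term is shadowed and never matches. The second filter corrects the order and adds an explicit final term so that the implicit default discard does not silently drop non-TCP traffic such as UDP and ICMP.

```junos
firewall {
    family inet {
        /* Wrong order: term allow-tcp matches every TCP packet first, so
           term block-telnet can never be reached and Telnet is accepted. */
        filter order-shadowed {
            term allow-tcp {
                from {
                    protocol tcp;
                }
                then accept;
            }
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then discard;
            }
        }
        /* Corrected order: the specific term is evaluated first. Processing stops
           at the first match, so a Telnet packet is discarded at term block-telnet
           and all other TCP packets fall through to term allow-tcp. */
        filter order-correct {
            term block-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-dropped;
                    discard;
                }
            }
            term allow-tcp {
                from {
                    protocol tcp;
                }
                then accept;
            }
            /* A packet that matches no term is discarded by default. This final term
               with no match conditions makes the handling of non-TCP traffic explicit
               instead of relying on the implicit discard. */
            term allow-other {
                then accept;
            }
        }
    }
}
```

Reading a filter top to bottom as a first-match list is the habit to build: if a general term appears above a specific one, the specific term is dead configuration, and if no catch-all term is present, everything not explicitly accepted is dropped.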