
    Configuring Firewall Filters

    You can configure firewall filters in a switch to control traffic that enters switch ports or enters and exits VLANs and Layer 3 (routed) interfaces. To use a firewall filter, you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface.

    Configuring a Firewall Filter

    To configure a firewall filter:

    1. Configure the family address type, filter name, term name, and at least one match condition—for example, match on packets that contain a specific source address:
      [edit]
      user@switch# set firewall family ethernet-switching filter ingress-port-filter term term-one from source-address 192.0.2.14

      For a firewall filter that is applied to a port or VLAN, specify the family address type ethernet-switching. For a firewall filter that is applied to a Layer 3 (routed) interface, specify the family address type inet.

      The filter and term names can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. Each filter name must be unique. A filter can contain one or more terms, and each term name must be unique within a filter.

    2. Configure additional match conditions. For example, match on packets that contain a specific source port:
      [edit firewall family ethernet-switching filter ingress-port-filter term term-one from]
      user@switch# set source-port 80

      You can specify one or more match conditions in a single from statement. For a match to occur, the packet must match all the conditions in the term. The from statement is optional, but if included in a term, it cannot be empty. If you omit the from statement, all packets are considered to match.

    3. If you want to apply a firewall filter to multiple interfaces and be able to see counters specific to each interface, configure the interface-specific option:
      [edit firewall family ethernet-switching filter ingress-port-filter]
      user@switch# set interface-specific
    4. In each firewall filter term, specify the actions to take if the packet matches all the conditions in that term. You can specify an action and action modifiers:
      • To specify a filter action, for example, to discard packets that match the conditions of the filter term:
        [edit firewall family ethernet-switching filter ingress-port-filter term term-one then]
        user@switch# set discard

        You can specify no more than one action (accept, discard, reject, routing-instance, or vlan) per term.

      • To specify action modifiers, for example, to count and classify packets to a forwarding class:
        [edit firewall family ethernet-switching filter ingress-port-filter term term-one then]
        user@switch# set count counter-one
        user@switch# set forwarding-class expedited-forwarding
        user@switch# set loss-priority high

        You can specify any of the following action modifiers in a then statement:

        • analyzer analyzer-name—Mirror port traffic to a specified analyzer, which you must configure at the [ethernet-switching-options] level.
        • count counter-name—Count the number of packets that pass this filter term.

          Note: We recommend that you configure a counter for each term in a firewall filter, so that you can monitor the number of packets that match the conditions specified in each filter term.

          Note: On the QFX Series, filters automatically count packets that have been dropped on ingress because of cyclic redundancy check (CRC) errors.

        • forwarding-class class—Assign packets to a forwarding class.
        • log—Log the packet header information in the Routing Engine.
        • loss-priority priority—Set the priority of dropping a packet.
        • policer policer-name—Apply rate-limiting to the traffic.
        • syslog—Log an alert for this packet.

      If you omit the then statement or do not specify an action, packets that match all the conditions in the from statement are accepted. However, you should always explicitly configure an action in the then statement. You can include no more than one action statement, but you can use any combination of action modifiers. For an action or action modifier to take effect, all conditions in the from statement must match.

      Note: The implicit discard at the end of a filter (packets that match no term are discarded) also applies to a firewall filter applied to the loopback interface, lo0.
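The procedure above builds one filter by hand. The following Python script is an added example, not Juniper's code or a Junos API: it models a filter as data, checks it against the rules the procedure states (name syntax and 64-character limit, unique term names, a non-empty from statement when one is present, exactly one action per term, known action modifiers, a counter on every term), and emits the equivalent set commands at the [edit] level. The Filter and Term classes and the check messages are assumptions made here; the filter it builds is the ingress-port-filter from the steps above.

```python
"""Build a Junos firewall filter as a list of 'set' commands and check it against
the rules stated in the configuration procedure.

Added example, not Juniper's code: the Filter/Term model and the checks are
assumptions made here.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")      # letters, digits, hyphens, max 64
ACTIONS = {"accept", "discard", "reject", "routing-instance", "vlan"}
MODIFIERS = {"analyzer", "count", "forwarding-class", "log",
             "loss-priority", "policer", "syslog"}


@dataclass
class Term:
    name: str
    # Conditions of the 'from' statement; None means the statement is omitted
    # (every packet matches), {} means it is present but empty (not allowed).
    match: Optional[dict] = None
    # A single field enforces "no more than one action per term".
    action: Optional[str] = None
    # Action modifiers; value None for flag-style modifiers such as log / syslog.
    modifiers: dict = field(default_factory=dict)


@dataclass
class Filter:
    name: str
    family: str                       # ethernet-switching (port/VLAN) or inet (Layer 3)
    terms: list = field(default_factory=list)
    interface_specific: bool = False  # per-interface counters when applied to several ports


def validate(flt: Filter) -> list[str]:
    """Return the rule violations; an empty list means the filter is consistent."""
    problems: list[str] = []
    if not NAME_RE.match(flt.name):
        problems.append(f"filter {flt.name!r}: name must be letters/digits/hyphens, max 64 chars")
    if flt.family not in ("ethernet-switching", "inet"):
        problems.append(f"filter {flt.name}: family must be ethernet-switching or inet")
    seen: set[str] = set()
    for t in flt.terms:
        if not NAME_RE.match(t.name):
            problems.append(f"term {t.name!r}: name must be letters/digits/hyphens, max 64 chars")
        if t.name in seen:
            problems.append(f"filter {flt.name}: duplicate term name {t.name!r}")
        seen.add(t.name)
        if t.match is not None and not t.match:
            problems.append(f"term {t.name}: 'from' statement is present but empty")
        if t.action is None:
            problems.append(f"term {t.name}: no explicit action (packets would be accepted)")
        elif t.action.split()[0] not in ACTIONS:
            problems.append(f"term {t.name}: unknown action {t.action!r}")
        unknown = set(t.modifiers) - MODIFIERS
        if unknown:
            problems.append(f"term {t.name}: unknown action modifiers {sorted(unknown)}")
        if "count" not in t.modifiers:
            problems.append(f"term {t.name}: no counter; add 'count' to monitor matches")
    return problems


def render(flt: Filter) -> list[str]:
    """Emit the equivalent 'set' commands at the [edit] hierarchy level."""
    base = f"set firewall family {flt.family} filter {flt.name}"
    cmds: list[str] = []
    if flt.interface_specific:
        cmds.append(f"{base} interface-specific")
    for t in flt.terms:
        term = f"{base} term {t.name}"
        for cond, value in (t.match or {}).items():
            cmds.append(f"{term} from {cond} {value}")
        if t.action is not None:
            cmds.append(f"{term} then {t.action}")
        for mod, value in t.modifiers.items():
            cmds.append(f"{term} then {mod}" + ("" if value is None else f" {value}"))
    return cmds


def page_filter() -> Filter:
    """The ingress-port-filter built in the procedure (values taken from the page)."""
    return Filter(
        name="ingress-port-filter",
        family="ethernet-switching",
        interface_specific=True,
        terms=[Term(
            name="term-one",
            match={"source-address": "192.0.2.14", "source-port": "80"},
            action="discard",
            modifiers={"count": "counter-one",
                       "forwarding-class": "expedited-forwarding",
                       "loss-priority": "high"},
        )],
    )


if __name__ == "__main__":
    flt = page_filter()
    for problem in validate(flt):
        print("problem:", problem)
    print("\n".join(render(flt)))
```

Running the script prints the same set commands the procedure types in one at a time; feeding it a filter with a duplicate term name, an empty from statement or a term without a counter makes validate() report each violation instead, which is the check worth running before the commands are pasted into a switch.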

    Applying a Firewall Filter to a Port

    To apply a firewall filter to an ingress port:

    1. Provide a meaningful description of the firewall filter in the configuration of the port to which the filter will be applied:
      [edit]
      user@switch# set interfaces ge-0/0/6 description "filter to limit tcp traffic at trunk port for employee-vlan"
    2. Apply the filter to the interface, specifying the unit number, family address type, the direction of the filter (for packets entering the port), and the filter name:
      [edit]
      user@switch# set interfaces ge-0/0/6 unit 0 family ethernet-switching filter input ingress-port-filter

      For firewall filters that are applied to ports, the family address type must be ethernet-switching.

      Note: You can apply only one filter to a port for a given direction (ingress or egress).

    Applying a Firewall Filter to a VLAN

    To apply a firewall filter to a VLAN:

    1. Provide a meaningful description of the firewall filter in the configuration of the VLAN to which the filter will be applied:
      [edit]
      user@switch# set vlans employee-vlan vlan-id 20 description "filter to block rogue devices on employee-vlan"
    2. Apply firewall filters to filter packets that are entering or exiting the VLAN:

      • To apply a filter to match packets that are entering the VLAN:
        [edit]
        user@switch# set vlans employee-vlan vlan-id 20 filter input ingress-vlan-rogue-block
      • To apply a firewall filter to match packets that are exiting the VLAN:
        [edit]
        user@switch# set vlans employee-vlan vlan-id 20 filter output egress-vlan-filter

      Note: You can apply only one filter to a VLAN for a given direction (ingress or egress).

    Applying a Firewall Filter to a Layer 3 (Routed) Interface

    To apply a firewall filter to a Layer 3 routed interface:

    1. Provide a meaningful description of the firewall filter in the configuration of the interface to which the filter will be applied:
      [edit]
      user@switch# set interfaces ge-0/1/6 description "filter to count and monitor traffic on layer 3 interface"
    2. You can apply firewall filters to filter packets that enter or exit a Layer 3 routed interface:
      • To apply a firewall filter to filter packets that enter a Layer 3 interface:
        [edit]
        user@switch# set interfaces ge-0/1/6 unit 0 family inet filter input ingress-router-filter
      • To apply a firewall filter to filter packets that exit a Layer 3 interface:
        [edit]
        user@switch# set interfaces ge-0/1/6 unit 0 family inet filter output egress-router-filter

        For firewall filters applied to Layer 3 routed interfaces, the family address type must be inet.

      Note: You can apply only one filter to an interface for a given direction (ingress or egress).
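The three application procedures above share the same placement rules: ports and VLANs take only family ethernet-switching filters, Layer 3 (routed) interfaces take only family inet filters, and each port, VLAN or Layer 3 interface carries one filter per direction. The following Python script is an added example, not Juniper's code or a Junos API: it takes a constructed inventory of configured filters (the filter names used on this page, each with its family), checks a list of planned attachments against those rules, and emits the [edit]-level set commands. The Attachment class, the FAMILY_FOR table and the check messages are assumptions made here.

```python
"""Check where Junos firewall filters are applied and emit the 'set' commands.

Added example, not Juniper's code: the Attachment model and the checks are
assumptions made here. Rules checked: a port or VLAN takes only family
ethernet-switching, a Layer 3 interface only family inet, and each target
carries only one filter per direction (input = ingress, output = egress).
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Family each target type requires.
FAMILY_FOR = {"port": "ethernet-switching", "vlan": "ethernet-switching", "l3": "inet"}

# Constructed inventory: filter name -> family, as configured under
# [edit firewall family ...]. Names are the ones used on the page.
FILTERS = {
    "ingress-port-filter": "ethernet-switching",
    "ingress-vlan-rogue-block": "ethernet-switching",
    "egress-vlan-filter": "ethernet-switching",
    "ingress-router-filter": "inet",
    "egress-router-filter": "inet",
}


@dataclass(frozen=True)
class Attachment:
    kind: str                      # port | vlan | l3
    target: str                    # interface name (ge-0/0/6) or VLAN name (employee-vlan)
    direction: str                 # input | output
    filter_name: str
    vlan_id: Optional[int] = None  # required when kind == "vlan"


def check(filters: dict[str, str], plan: list[Attachment]) -> list[str]:
    """Return the violations in the plan; an empty list means every attachment is valid."""
    problems: list[str] = []
    occupied: dict[tuple, str] = {}   # (kind, target, direction) -> filter already there
    for a in plan:
        where = f"{a.kind} {a.target} {a.direction}"
        if a.kind not in FAMILY_FOR:
            problems.append(f"{where}: unknown target kind")
            continue
        if a.direction not in ("input", "output"):
            problems.append(f"{where}: direction must be input or output")
        if a.kind == "vlan" and a.vlan_id is None:
            problems.append(f"{where}: VLAN attachment needs a vlan-id")
        family = filters.get(a.filter_name)
        if family is None:
            problems.append(f"{where}: filter {a.filter_name!r} is not configured")
        elif family != FAMILY_FOR[a.kind]:
            problems.append(f"{where}: filter {a.filter_name!r} is family {family}, "
                            f"but a {a.kind} requires {FAMILY_FOR[a.kind]}")
        slot = (a.kind, a.target, a.direction)
        if slot in occupied:
            problems.append(f"{where}: already carries {occupied[slot]!r}; "
                            "only one filter per direction is allowed")
        else:
            occupied[slot] = a.filter_name
    return problems


def render(plan: list[Attachment]) -> list[str]:
    """Emit the 'set' commands at the [edit] level for a plan that passed check()."""
    cmds: list[str] = []
    for a in plan:
        if a.kind == "vlan":
            cmds.append(f"set vlans {a.target} vlan-id {a.vlan_id} "
                        f"filter {a.direction} {a.filter_name}")
        else:
            cmds.append(f"set interfaces {a.target} unit 0 family {FAMILY_FOR[a.kind]} "
                        f"filter {a.direction} {a.filter_name}")
    return cmds


def page_plan() -> list[Attachment]:
    """The attachments made in the three application procedures on the page."""
    return [
        Attachment("port", "ge-0/0/6", "input", "ingress-port-filter"),
        Attachment("vlan", "employee-vlan", "input", "ingress-vlan-rogue-block", vlan_id=20),
        Attachment("vlan", "employee-vlan", "output", "egress-vlan-filter", vlan_id=20),
        Attachment("l3", "ge-0/1/6", "input", "ingress-router-filter"),
        Attachment("l3", "ge-0/1/6", "output", "egress-router-filter"),
    ]


if __name__ == "__main__":
    for problem in check(FILTERS, page_plan()):
        print("problem:", problem)
    print("\n".join(render(page_plan())))
```

Adding a second input filter to ge-0/0/6, or an inet filter to a port, makes check() report the conflict before anything is committed; a commit that silently replaces the filter already on a port is the mistake this catches.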

    Published: 2013-01-17