
    Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches

    When you define a firewall filter for an EX Series switch, you define filtering criteria (terms, with match conditions) for the packets and an action (and, optionally, an action modifier) for the switch to take if the packets match the filtering criteria. You can define a firewall filter to monitor IPv4, IPv6, or non-IP traffic.

    This topic describes in detail the various match conditions, actions, and action modifiers that you can define in a firewall filter. For information about support for match conditions on various EX Series switches, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.


    Firewall Filter Elements

    A firewall filter configuration contains a term, a match condition, an action, and, optionally, an action modifier. Table 1 describes each element in a firewall filter configuration.

    Table 1: Elements of a Firewall Filter Configuration

    Element Name

    Description

    Term

    Defines the filtering criteria for the packets. Each term in the firewall filter consists of match conditions and an action. You can define a single term or multiple terms in the firewall filter. If you define multiple terms, each term must have a unique name.

    Match condition

    Consists of a string (called a match statement) that defines the match condition. Match conditions are the values or fields that a packet must contain. You can define a single match condition or multiple match conditions for a term. You can also opt not to define a match condition. If no match conditions are specified for a term, all packets are matched by default.

    Action

    Specifies the action that the switch takes if a packet matches all the criteria specified in the match conditions.

    Action modifier

    Specifies one or more additional operations (for example, counting, logging, policing, or mirroring) that the switch performs, alongside the term's action, when a packet matches the match conditions for that term.

    Match Conditions Supported on Switches

    Based on the type of traffic that you want to monitor, you can configure a firewall filter to monitor IPv4, IPv6, or non-IP traffic. When you configure a firewall filter to monitor a particular type of traffic, ensure that you specify match conditions that are supported for that type of traffic. For information about match conditions supported for a specific type of traffic and switches on which they are supported, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.

    Table 2 describes all the match conditions that are supported for firewall filters on EX Series Switches.

    Table 2: Firewall Filter Match Conditions Supported on EX Series Switches

    Match Condition

    Description

    destination-address ip-address

    IP destination address field, which is the address of the final destination node.

    destination-mac-address mac-address

    Destination media access control (MAC) address of the packet.

    You can define a destination MAC address with a prefix, such as destination-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used.

    destination-port number

    TCP or UDP destination port field. Typically, you specify this match condition in conjunction with the protocol match condition (protocol tcp or protocol udp) so that the port number is evaluated only for the intended transport protocol; without it, a term matching destination-port 22 also matches UDP packets with that destination port. For number, you can specify one of the following text synonyms (the port numbers are also listed):

    afs (1483), bgp (179), biff (512), bootpc (68), bootps (67),

    cmd (514), cvspserver (2401),

    dhcp (67), domain (53),

    eklogin (2105), ekshell (2106), exec (512),

    finger (79), ftp (21), ftp-data (20),

    http (80), https (443),

    ident (113), imap (143),

    kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544),

    ldap (389), login (513),

    mobileip-agent (434), mobilip-mn (435), msdp (639),

    netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123),

    pop3 (110), pptp (1723), printer (515),

    radacct (1813), radius (1812), rip (520), rkinit (2108),

    smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514),

    tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525),

    who (513),

    xdmcp (177),

    zephyr-clt (2103), zephyr-hm (2104)

    destination-prefix-list prefix-list

    IP destination prefix list field.

    You can define a list of IP address prefixes under a prefix-list alias for frequent use. You define the prefix list at the [edit policy-options prefix-list prefix-list-name] hierarchy level and reference it by name in this match condition.

    dot1q-tag number

    The tag field in the Ethernet header. The tag values range from 1 through 4095. The dot1q-tag match condition and the vlan match condition are mutually exclusive.

    dot1q-user-priority number

    User-priority field of the tagged Ethernet packet. User-priority values can range from 0 through 7.

    For number, you can specify one of the following text synonyms (the field values are also listed):

    • background (1)—Background
    • best-effort (0)—Best effort
    • controlled-load (4)—Controlled load
    • excellent-load (3)—Excellent load
    • network-control (7)—Network control reserved traffic
    • standard (2)—Standard or spare
    • video (5)—Video
    • voice (6)—Voice

    dscp number

    Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

    You can specify DSCP in hexadecimal, binary, or decimal form.

    For number, you can specify one of the following text synonyms (the field values are also listed):

    • ef (46)—as defined in RFC 2598, An Expedited Forwarding PHB.
    • af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22),

      af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38)

      These four classes, with three drop precedences in each class, are defined for 12 code points in RFC 2597, Assured Forwarding PHB Group.

    ether-type value

    Ethernet type field of a packet. The value specifies what protocol is being transported in the Ethernet frame. For value, you can specify one of the following text synonyms:

    • aarp—EtherType value AARP (0x80F3)
    • appletalk—EtherType value AppleTalk (0x809B)
    • arp—EtherType value ARP (0x0806)
    • ipv4—EtherType value IPv4 (0x0800)
    • ipv6—EtherType value IPv6 (0x86DD)
    • mpls multicast—EtherType value MPLS multicast (0x8848)
    • mpls unicast—EtherType value MPLS unicast (0x8847)
    • oam—EtherType value OAM (0x88A8)
    • ppp—EtherType value PPP (0x880B)
    • pppoe-discovery—EtherType value PPPoE Discovery Stage (0x8863)
    • pppoe-session—EtherType value PPPoE Session Stage (0x8864)
    • sna—EtherType value SNA (0x80D5)

    Note: The following match conditions are not supported when ether-type is set to ipv6:

    • dscp
    • fragment-flags
    • is-fragment
    • precedence
    • protocol

    fragment-flags fragment-flags

    IP fragmentation flags, specified in symbolic or hexadecimal formats. You can specify one of the following options:

    • dont-fragment (0x4000)
    • more-fragments (0x2000)
    • reserved (0x8000)

    icmp-code number

    ICMP code field. This value or option provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For number, you can specify one of the following text synonyms (the field values are also listed). The options are grouped by the ICMP type with which they are associated:

    • parameter-problem: ip-header-bad (0), required-option-missing (1)
    • redirect: redirect-for-network (0), redirect-for-host (1), redirect-for-tos-and-net (2), redirect-for-tos-and-host (3)
    • time-exceeded: ttl-eq-zero-during-transit (0), ttl-eq-zero-during-reassembly (1)
    • unreachable: network-unreachable (0), host-unreachable (1), protocol-unreachable (2), port-unreachable (3), fragmentation-needed (4), source-route-failed (5), destination-network-unknown (6), destination-host-unknown (7), source-host-isolated (8), destination-network-prohibited (9), destination-host-prohibited (10), network-unreachable-for-TOS (11), host-unreachable-for-TOS (12), communication-prohibited-by-filtering (13), host-precedence-violation (14), precedence-cutoff-in-effect (15)

    icmp-type number

    ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol icmp match condition so that the term applies only to ICMP packets. For number, you can specify one of the following text synonyms (the field values are also listed):

    echo-reply (0), echo-request (8), info-reply (16), info-request (15),
    mask-request (17), mask-reply (18), parameter-problem (12),
    redirect (5), router-advertisement (9), router-solicit (10), source-quench (4),
    time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3)

    interface interface-name

    Interface on which the packet is received. You can specify the wildcard character (*) as part of an interface name.

    Note: The interface match condition is not supported for egress traffic on an EX8200 Virtual Chassis.

    ip-options

    Presence of the options field in the IP header.

    ip-version version match_condition(s)

    Version of the IP protocol for port and VLAN firewall filters. The value for version can be ipv4 or ipv6.

    For match_condition(s), you can specify one or more of the following match conditions:

    • destination-address
    • destination-port
    • destination-prefix-list
    • dscp
    • fragment-flags
    • icmp-code
    • icmp-type
    • is-fragment
    • precedence
    • protocol
    • source-address
    • source-port
    • source-prefix-list
    • tcp-established
    • tcp-flags
    • tcp-initial

    is-fragment

    Matches trailing fragments of a fragmented IP packet (fragments with a nonzero fragment offset); it does not match the first fragment. Because only the first fragment carries the TCP, UDP, or ICMP header, port, flag, and ICMP-type match conditions cannot be evaluated on trailing fragments. Use two terms to match both first and trailing fragments, for example one term with fragment-flags more-fragments and one with is-fragment, and place them before any term that matches on transport-layer fields.

    l2-encap-type llc-non-snap

    Match on logical link control (LLC) layer packets for the non-Subnetwork Access Protocol (non-SNAP) Ethernet encapsulation type.

    next-header bytes

    8-bit Next Header field that identifies the type of header immediately following the IPv6 header. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

    ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), igmp (2), ipip (4), ipv6 (41), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), vrrp (112)

    packet-length bytes

    Length of the received packet, in bytes.

    The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

    precedence precedence

    IP precedence. For precedence, you can specify one of the following text synonyms (the field values are also listed):

    critical-ecp (5), flash (3), flash-override (4), immediate (2), internet-control (6), net-control (7), priority (1), routine (0)

    protocol list of protocol

    IPv4 protocol field value. For protocol, you can specify one or more of the following text synonyms (the field values are also listed):

    egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4),
    ospf (89), pim (103), rsvp (46), tcp (6), udp (17)

    source-address ip-address

    IP source address field, which is the address of the source node sending the packet. For IPv6, the source-address field is 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses that are described in RFC 2373, IP Version 6 Addressing Architecture.

    source-mac-address mac-address

    Source MAC address.

    You can define a source MAC address with a prefix, such as source-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used.

    source-port number

    TCP or UDP source-port field. Typically, you specify this match in conjunction with the protocol match condition to determine which protocol is being used on the port. For number, you can specify one of the text synonyms listed under destination-port.

    source-prefix-list prefix-list

    IP source prefix list field.

    You can define a list of IP address prefixes under a prefix-list alias for frequent use. You define the prefix list at the [edit policy-options prefix-list prefix-list-name] hierarchy level and reference it by name in this match condition.

    tcp-established

    TCP packets of an established TCP connection. This condition matches packets other than the first packet of a connection. tcp-established is a synonym for the bit names "(ack|rst)".

    The match is stateless: the switch checks only that the ACK or RST bit is set and keeps no connection table, so a crafted packet with ACK set (for example, an ACK scan) matches this condition whether or not a connection exists. Combine it with source-address or source-prefix-list restrictions when the filter protects a sensitive interface.

    tcp-established does not implicitly check whether the protocol is TCP. To do so, specify the protocol tcp match condition (or next-header tcp for IPv6).

    tcp-flags (flags tcp-initial)

    One or more TCP flags:

    • bit-name—fin (0x01), syn (0x02), rst (0x04), push (0x08), ack (0x10), urgent (0x20)
    • logical operators—& (logical AND), | (logical OR), ! (negation)
    • numerical value—a hexadecimal value from 0x01 through 0x20 corresponding to one of the flag bits above
    • text synonym—tcp-initial

    To specify multiple flags, use logical operators.

    tcp-initial

    Matches the first TCP packet of a connection. tcp-initial is a synonym for the bit names "(syn&!ack)".

    tcp-initial does not implicitly check whether the protocol is TCP. To do so, specify the protocol tcp match condition.

    traffic-class number

    Specifies the IPv6 Traffic Class field, whose most significant six bits carry the DSCP for IPv6 packets. Use this condition for IPv6 traffic in place of dscp.

    ttl value

    IPv4 time-to-live (TTL) value to match. The value ranges from 1 through 255.

    vlan (vlan-name | vlan-id)

    The VLAN that is associated with the packet. For vlan-id, you can specify either the VLAN ID or a VLAN range. The vlan match condition and the dot1q-tag match condition are mutually exclusive.
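    The following configuration is an added example, not part of the original topic, that brings together the elements of Table 1 and several of the match conditions in Table 2 in one family inet filter. The filter name mgmt-in, the prefix list mgmt-nets, the addresses, and the counter names are assumptions chosen for illustration. The term order matters: the two fragment terms come first because trailing fragments carry no transport header and would otherwise fall through every port-based term, and the tcp-established term is restricted to the management prefix because the condition is stateless.

```junos
policy-options {
    prefix-list mgmt-nets {
        /* assumed management subnet and jump host */
        192.0.2.0/24;
        198.51.100.10/32;
    }
}
firewall {
    family inet {
        filter mgmt-in {
            /* Trailing fragments have no TCP/UDP/ICMP header, so the port
               and flag matches below cannot see them; drop all fragments first. */
            term drop-trailing-fragments {
                from {
                    is-fragment;
                }
                then {
                    count fragments-trailing;
                    discard;
                }
            }
            term drop-first-fragments {
                from {
                    fragment-flags more-fragments;
                }
                then {
                    count fragments-first;
                    discard;
                }
            }
            /* Stateless: any TCP packet with ACK or RST set matches, whether or
               not a connection exists, so limit it to the management prefix. */
            term allow-established-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-nets;
                    }
                    protocol tcp;
                    tcp-established;
                }
                then accept;
            }
            /* New SSH connections (SYN without ACK) from management only. */
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-nets;
                    }
                    protocol tcp;
                    destination-port ssh;
                    tcp-initial;
                }
                then {
                    count ssh-new;
                    accept;
                }
            }
            /* icmp-type is paired with protocol icmp so it applies only to ICMP. */
            term allow-icmp-echo {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* A term with no match conditions matches everything left. */
            term deny-rest {
                then {
                    count denied;
                    discard;
                }
            }
        }
    }
}
```

    Counters such as ssh-new and denied can be read with show firewall filter mgmt-in after the filter is applied to an interface; a rising denied count with a zero ssh-new count is the quickest way to confirm that the prefix list, rather than the port match, is what is blocking a source.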

    Actions for Firewall Filters

    You can define an action for the switch to take if a packet matches the filtering criteria defined in a match condition. Table 3 describes the actions supported in a firewall filter configuration.

    Table 3: Actions for Firewall Filters

    Action

    Description

    accept

    Accept a packet.

    discard

    Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

    reject message-type

    Discard a packet, and send the ICMPv4 message (type 3) destination unreachable. You can log the rejected packets if you configure the syslog action modifier.

    You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, tcp-reset.

    If you specify tcp-reset, a TCP reset is returned if the packet is a TCP packet. Otherwise nothing is returned.

    If you do not specify a message type, the ICMP notification destination unreachable is sent with the default message communication administratively filtered.

    routing-instance routing-instance-name

    Forward matched packets to a virtual routing instance.

    Note: EX4200 switches do not support firewall-filter-based redirection to the default routing instance.

    vlan vlan-name

    Forward matched packets to a specific VLAN. Ensure that you specify the VLAN name or VLAN ID and not a VLAN range, because the vlan action does not support the vlan-range option.

    Note: If you have defined a VLAN that is enabled for dot1q tunneling, then that particular VLAN is not supported as an action (using the vlan vlan-name action) for an ingress VLAN firewall filter.

    Action Modifiers for Firewall Filters

    In addition to the actions described in Table 3, you can define action modifiers in a firewall filter configuration for a switch if packets match the filtering criteria defined in the match condition. Table 4 describes the action modifiers supported in a firewall filter configuration.

    Table 4: Action Modifiers for Firewall Filters

    Action Modifier

    Description

    analyzer analyzer-name

    Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. Mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port. The analyzer name must be configured under [edit ethernet-switching-options analyzer].

    Note: analyzer is not a supported action modifier for a management interface.

    Note: On EX4500 switches, you can configure only one analyzer and include it in a firewall filter. If you configure multiple analyzers, you cannot include any one of those analyzers in a firewall filter.

    dscp number

    Change the DSCP value for matched packets to the DSCP value specified with this action modifier. number specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

    You can specify DSCP in hexadecimal, binary, or decimal form.

    For number, you can specify one of the following text synonyms (the field values are also listed):

    • ef (46)—as defined in RFC 2598, An Expedited Forwarding PHB.
    • af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22),

      af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38)

      These four classes, with three drop precedences in each class, are defined for 12 code points in RFC 2597, Assured Forwarding PHB Group.

    count counter-name

    Count the number of packets that pass this filter, term, or policer. A policer enables you to specify rate limits on traffic that enters an interface on a switch.

    forwarding-class class

    Classify the packet in one of the following forwarding classes:

    • assured-forwarding
    • best-effort
    • expedited-forwarding
    • network-control

    interface interface-name

    Forward the traffic to the specified interface bypassing the switching lookup.

    log

    Log the packet's header information in the Routing Engine. To view this information, issue the show firewall log command in the CLI.

    Note: If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected.

    loss-priority (high | low)

    Set the packet loss priority (PLP).

    policer policer-name

    Apply rate limits to the traffic.

    You can specify a policer in a firewall filter only for ingress traffic, in port, VLAN, and router (Layer 3 interface) firewall filters.

    Note: A counter for a policer is not supported on EX8200 switches.

    syslog

    Log an alert for this packet. You can specify that the log be sent to a server for storage and analysis.

    Note: If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected.

    three-color-policer

    Apply a three-color policer.
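    The following configuration is an added example, not part of the original topic, that exercises the actions of Table 3 and the action modifiers of Table 4 together: a policer applied through the policer modifier, count, syslog and log, reject tcp-reset against plain discard, and forwarding-class and loss-priority rewrites. The filter name protect-re, the policer name icmp-1m, its rate and burst values, the counter names, and the choice of lo0 as the interface are assumptions for illustration; applying the filter on lo0 is the usual way to rate-limit and restrict traffic destined to the switch itself.

```junos
firewall {
    /* Rate limit referenced from the filter with the policer action modifier.
       Values are assumed; size them for the control plane of the target switch. */
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Accept ICMP, but only up to the policer's rate; count what arrives. */
            term limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-1m;
                    count icmp-in;
                    accept;
                }
            }
            /* reject tcp-reset returns a TCP RST to TCP packets only; syslog
               records the attempt. A scanner sees a closed port, not a filter. */
            term reject-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;
                }
                then {
                    count telnet-rejected;
                    syslog;
                    reject tcp-reset;
                }
            }
            /* Accept EF-marked traffic into the expedited-forwarding class
               with low loss priority; the action modifiers run with accept. */
            term mark-voice {
                from {
                    dscp ef;
                }
                then {
                    forwarding-class expedited-forwarding;
                    loss-priority low;
                    accept;
                }
            }
            /* Silent discard: no ICMP message is sent, so nothing is revealed
               to the sender; log keeps a header record on the Routing Engine. */
            term deny-rest {
                then {
                    count denied;
                    log;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

    After committing, show firewall filter protect-re displays the per-term counters, show policer reports packets discarded by icmp-1m, and show firewall log shows the headers recorded by the log modifier in the deny-rest term. Choosing between reject and discard is a trade-off the tables above describe: reject (including tcp-reset) gives a legitimate client a fast, explicit failure, while discard reveals nothing to a scanner.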

    Published: 2012-12-31