Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches
After you define a firewall filter on an EX Series switch, you must associate the filter with a bind point so that it can filter the packets that enter or exit that bind point. Port firewall filters, VLAN firewall filters, and Layer 3 (or router) firewall filters are the different types of firewall filters you can apply on a switch, depending on the bind points the filters are associated with. A port firewall filter applies to Layer 2 interfaces. A VLAN firewall filter applies to packets that enter or leave a VLAN and also to packets that are bridged within a VLAN. A Layer 3 firewall filter applies to Layer 3 (routed) interfaces and routed VLAN interfaces (RVIs).
Note: If you want to control the traffic that enters the Routing Engine of the switch, you must configure a firewall filter on the loopback interface (lo0) of the switch. For information about match conditions, actions, and action modifiers supported on the loopback interface of a switch, see Support for Match Conditions and Actions for Loopback Firewall Filters on Switches.
This topic describes the supported switches and bind points for match conditions, actions, and action modifiers for firewall filters supported on EX Series switches. For descriptions of the match conditions, actions, and action modifiers, see Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches.
This topic describes:
- Firewall Filter Types and Their Bind Points
- Support for IPv4 and IPv6 Firewall Filters on Switches
- Platform Support for Match Conditions for IPv4 Traffic
- Platform Support for Match Conditions for IPv6 Traffic
- Platform Support for Match Conditions for Non-IP Traffic
- Platform Support for Actions for IPv4 Traffic
- Platform Support for Actions for IPv6 Traffic
- Platform Support for Action Modifiers for IPv4 Traffic
- Platform Support for Action Modifiers for IPv6 Traffic
Firewall Filter Types and Their Bind Points
You can apply a firewall filter at specific bind points to filter IPv4, IPv6, or non-IP traffic. See the remaining sections in this topic for information about support on individual switches for different traffic types.
Table 1 lists the firewall filter types and their associated bind points that are supported on the switches.
Table 1: Bind Points Associated with Firewall Filter Types
Bind Points | Firewall Filter Type |
|---|---|
Ports (Layer 2 interfaces) | Port firewall filter |
VLANs | VLAN firewall filter |
Layer 3 interfaces (Layer 3 (routed) interfaces or routed VLAN interfaces (RVIs)) | Router firewall filter |
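The following configuration is an added example, not part of the original topic, showing one ingress filter attached at each of the three bind points in Table 1. All filter, term, VLAN, and interface names, the MAC address, and the IP address are hypothetical, and the hierarchy assumes the original (non-ELS) EX Series CLI.

```junos
/* Added example: every name and address below is a constructed placeholder. */
firewall {
    family ethernet-switching {
        /* Port firewall filter: bound to a Layer 2 interface. */
        filter port-in {
            term drop-telnet {
                from {
                    protocol tcp;
                    destination-port 23;
                }
                then {
                    discard;
                    /* Table 8 lists log for ingress bind points only. */
                    log;
                }
            }
            term allow-rest {
                then accept;
            }
        }
        /* VLAN firewall filter: bound to a VLAN, also sees bridged traffic. */
        filter vlan-in {
            term drop-unapproved-host {
                from {
                    /* Table 3 lists source-mac-address for ports and VLANs,
                       not for Layer 3 interfaces. */
                    source-mac-address 00:00:5e:00:53:01;
                }
                then discard;
            }
            term allow-rest {
                then accept;
            }
        }
    }
    family inet {
        /* Router firewall filter: bound to a Layer 3 (routed) interface. */
        filter l3-in {
            term drop-icmp-fragments {
                from {
                    protocol icmp;
                    is-fragment;
                }
                then {
                    discard;
                    log;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    /* Bind point 1: port (Layer 2 interface). */
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input port-in;
                }
            }
        }
    }
    /* Bind point 3: Layer 3 (routed) interface. */
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;
                filter {
                    input l3-in;
                }
            }
        }
    }
}
vlans {
    /* Bind point 2: VLAN. */
    employees {
        vlan-id 100;
        filter {
            input vlan-in;
        }
    }
}
```

Before reusing a term at a different bind point or in the egress direction, check the match condition, action, and action modifier against the tables in this topic for the specific switch model.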
Support for IPv4 and IPv6 Firewall Filters on Switches
You can apply a port, VLAN, or router firewall filter to filter IPv4 traffic on all EX Series switches. You can apply port, VLAN, and router firewall filters for IPv6 traffic on EX3200, EX4200, and EX8200 switches and only router firewall filters for IPv6 traffic on EX2200, EX3300, and EX4500 switches.
Table 2 briefly summarizes the support for IPv4 and IPv6 firewall filters on different switches. The support for port, VLAN, and router firewall filters on different switches is further discussed in the subsequent sections in this topic.
Table 2: Support for IPv4 and IPv6 Firewall Filters on Switches
Switch | Support for IPv4 Firewall Filter | Support for IPv6 Firewall Filter |
|---|---|---|
EX2200 | Yes | Yes |
EX3200 and EX4200 | Yes | Yes |
EX3300 | Yes | Yes |
EX4500 | Yes | Yes |
EX6200 | Yes | No |
EX8200 | Yes | Yes |
Platform Support for Match Conditions for IPv4 Traffic
You can define port, VLAN, and router firewall filters for ingress and egress IPv4 traffic on all EX Series switches. Table 3 summarizes the support for match conditions on different bind points for ingress and egress IPv4 traffic on different switches.
Table 3: Firewall Filter Match Conditions Supported for IPv4 Traffic on Switches
Match Condition | Switch | Supported Bind Points (Ingress) | Supported Bind Points (Egress) |
|---|---|---|---|
destination-address ip-address | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
destination-mac-address mac-address | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
destination-port number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
destination-prefix-list prefix-list | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
dot1q-tag number | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Not supported | |
dot1q-user-priority number | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
dscp number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ether-type value | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Not supported | |
fragment-flags fragment-flags | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
icmp-code number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
icmp-type number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
interface interface-name | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ip-options | EX2200 | Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and VLANs | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports and VLANs | |
EX4500 | Layer 3 interfaces | Not supported | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Layer 3 interfaces | Not supported | |
ip-version version match_condition(s) | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
is-fragment | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported | |
precedence precedence | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
protocol list of protocols | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-address | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-mac-address mac-address | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
source-port number | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-prefix-list prefix-list | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-established | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-flags (flags tcp-initial) | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-initial | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ttl value | EX2200 | Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Layer 3 interfaces | Not supported | |
EX6200 | Layer 3 interfaces | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
vlan (vlan-name | vlan-id) | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
Platform Support for Match Conditions for IPv6 Traffic
You can define port, VLAN, and router firewall filters for ingress and egress IPv6 traffic on EX3200, EX4200, and EX8200 switches, and router firewall filters for ingress and egress IPv6 traffic on EX2200, EX3300, and EX4500 switches. Table 4 summarizes support for match conditions on different bind points for ingress and egress IPv6 traffic on different switches.
Table 4: Firewall Filter Match Conditions Supported for IPv6 Traffic on Switches
Match Condition | Switch | Supported Bind Points (Ingress) | Supported Bind Points (Egress) |
|---|---|---|---|
destination-address ip-address | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 (routed) interfaces only | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Layer 3 interfaces | |
destination-mac-address mac-address | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
destination-port number | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
destination-prefix-list prefix-list | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 (routed) interfaces only | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
dot1q-tag number | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Not supported | |
dot1q-user-priority number | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
ether-type (ipv6) value | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
icmp-code number | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
icmp-type number | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
interface interface-name | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Not supported | Layer 3 interfaces | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
ip-version version match_condition(s) | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Not supported | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
next-header bytes | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
packet-length bytes | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Not supported | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
source-address | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-mac-address mac-address | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Ports and VLANs | |
source-port number | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
source-prefix-list prefix-list | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-established | EX2200 | Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-flags (flags tcp-initial) | EX2200 | Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
tcp-initial | EX2200 | Layer 3 interfaces | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
traffic-class number | EX2200 | Not supported | Layer 3 interfaces |
EX3200 and EX4200 | Layer 3 interfaces | Layer 3 interfaces | |
EX3300 | Not supported | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
vlan (vlan-id | vlan-name) | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs | Not supported | |
Platform Support for Match Conditions for Non-IP Traffic
You can define port, VLAN, and router firewall filters for ingress and egress non-IP traffic on all EX Series switches. Table 5 summarizes support for match conditions on different bind points for ingress and egress non-IP traffic on different switches.
Table 5: Firewall Filter Match Condition Supported for Non-IP Traffic on Switches
Match Condition | Switch | Supported Bind Points (Ingress) | Supported Bind Points (Egress) |
|---|---|---|---|
l2-encap-type llc-non-snap | EX2200 | Ports and VLANs | Ports and VLANs |
EX3200 and EX4200 | Ports and VLANs | Ports and VLANs | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports and VLANs | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs | Ports and VLANs | |
Platform Support for Actions for IPv4 Traffic
Table 6 summarizes the support for actions on different bind points for ingress and egress IPv4 traffic on different switches.
Table 6: Firewall Filter Actions Supported for IPv4 Traffic on Switches
Action | Switch | Supported Bind Points (Ingress) | Supported Bind Points (Egress) |
|---|---|---|---|
accept | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
discard | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
reject message-type | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Not supported | Not supported | |
EX6200 | Layer 3 interfaces | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
routing-instance routing-instance-name | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX6200 | Layer 3 interfaces | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
vlan vlan-name | EX2200 | Ports and VLANs | Not supported |
EX3200 and EX4200 | Ports and VLANs | Not supported | |
EX3300 | Ports and VLANs | Ports and VLANs | |
EX4500 | Ports and VLANs | Ports | |
EX6200 | Ports and VLANs | Ports and VLANs | |
EX8200 | Ports and VLANs (Note: Supported only when used in conjunction with the interface action modifier. On EX8200 Virtual Chassis, the vlan action is supported only for VLANs.) | Not supported | |
Platform Support for Actions for IPv6 Traffic
Table 7 summarizes the support for actions on different bind points for ingress and egress IPv6 traffic.
Table 7: Firewall Filter Actions Supported for IPv6 Traffic on Switches
Action | Switch | Supported Bind Points (Ingress) | Supported Bind Points (Egress) |
|---|---|---|---|
accept | EX2200 | Layer 3 interfaces | Layer 3 interfaces |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
discard | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
EX3300 | Layer 3 interfaces | Layer 3 interfaces | |
EX4500 | Layer 3 interfaces | Layer 3 interfaces | |
EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces | |
reject message-type | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
routing-instance routing-instance-name | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Layer 3 interfaces | Not supported | |
EX3300 | Layer 3 interfaces | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Layer 3 interfaces | Not supported | |
vlan vlan-name | EX2200 | Not supported | Not supported |
EX3200 and EX4200 | Ports and VLANs | Not supported | |
EX3300 | Not supported | Not supported | |
EX4500 | Not supported | Not supported | |
EX8200 | Ports and VLANs (Note: Supported only when used in conjunction with the interface action modifier. On EX8200 Virtual Chassis, the vlan action is supported only for VLANs.) | Not supported | |
Platform Support for Action Modifiers for IPv4 Traffic
Table 8 summarizes support for action modifiers on different bind points for ingress and egress IPv4 traffic on different switches.
Table 8: Firewall Filter Action Modifiers Supported for IPv4 Traffic on Switches
Action Modifier | Switch | Supported Bind Points (Ingress) | Supported Bind Points (Egress) |
|---|---|---|---|
analyzer | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
analyzer | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
analyzer | EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported |
analyzer | EX4500 | Ports, VLANs, and Layer 3 interfaces | Layer 3 interfaces |
analyzer | EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
analyzer | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
dscp | EX2200 | Not supported | Not supported |
dscp | EX3200 and EX4200 | Not supported | Not supported |
dscp | EX3300 | Not supported | Not supported |
dscp | EX4500 | Not supported | Not supported |
dscp | EX6200 | Not supported | Not supported |
dscp | EX8200 | Layer 3 interfaces | Not supported |
count | EX2200 | VLANs and Layer 3 interfaces (me0 interfaces only) | Layer 3 interfaces (me0 interfaces only) |
count | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
count | EX3300 | VLANs and Layer 3 interfaces (me0 and vme0 interfaces only) | Layer 3 interfaces (me0 and vme0 interfaces only) |
count | EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
count | EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
count | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
forwarding-class class | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
forwarding-class class | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
forwarding-class class | EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
forwarding-class class | EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
forwarding-class class | EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
forwarding-class class | EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
interface interface-name | EX2200 | Not supported | Not supported |
interface interface-name | EX3200 and EX4200 | Ports and VLANs | Not supported |
interface interface-name | EX3300 | Not supported | Not supported |
interface interface-name | EX4500 | Ports and VLANs | Not supported |
interface interface-name | EX6200 | Ports and VLANs | Not supported |
interface interface-name | EX8200 | Ports and VLANs. Note: On EX8200 Virtual Chassis, the interface action modifier is supported only for VLANs. | Not supported |
log | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
log | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
log | EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported |
log | EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported |
log | EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
log | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
loss-priority (high \| low) | EX2200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
loss-priority (high \| low) | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
loss-priority (high \| low) | EX3300 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
loss-priority (high \| low) | EX4500 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
loss-priority (high \| low) | EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
loss-priority (high \| low) | EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
policer policer-name | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
policer policer-name | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
policer policer-name | EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported |
policer policer-name | EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported |
policer policer-name | EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
policer policer-name | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX3300 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX6200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
three-color-policer | EX2200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
three-color-policer | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
three-color-policer | EX3300 | Not supported | Not supported |
three-color-policer | EX4500 | Ports, VLANs, and Layer 3 interfaces | Not supported |
three-color-policer | EX6200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
three-color-policer | EX8200 | Not supported | Not supported |
Platform Support for Action Modifiers for IPv6 Traffic
Table 9 summarizes support for action modifiers on different bind points for ingress and egress IPv6 traffic.
Table 9: Firewall Filter Action Modifiers Supported for IPv6 Traffic on Switches
Action Modifier | Switch | Supported Bind Points: Ingress | Supported Bind Points: Egress |
|---|---|---|---|
analyzer | EX2200 | Layer 3 interfaces | Not supported |
analyzer | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
analyzer | EX3300 | Layer 3 interfaces | Not supported |
analyzer | EX4500 | Layer 3 interfaces | Layer 3 interfaces |
analyzer | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
dscp | EX2200 | Not supported | Not supported |
dscp | EX3200 and EX4200 | Not supported | Not supported |
dscp | EX3300 | Not supported | Not supported |
dscp | EX4500 | Not supported | Not supported |
dscp | EX8200 | Layer 3 interfaces | Not supported |
count | EX2200 | Not supported | Not supported |
count | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports, VLANs, and Layer 3 interfaces |
count | EX3300 | Layer 3 interfaces (me0 and vme0 interfaces only) | Layer 3 interfaces (me0 and vme0 interfaces only) |
count | EX4500 | Layer 3 interfaces | Layer 3 interfaces |
count | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
forwarding-class class | EX2200 | Not supported | Not supported |
forwarding-class class | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
forwarding-class class | EX3300 | Layer 3 interfaces | Layer 3 interfaces |
forwarding-class class | EX4500 | Layer 3 interfaces | Layer 3 interfaces |
forwarding-class class | EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
interface interface-name | EX2200 | Not supported | Not supported |
interface interface-name | EX3200 and EX4200 | Ports and VLANs | Not supported |
interface interface-name | EX3300 | Not supported | Not supported |
interface interface-name | EX4500 | Not supported | Not supported |
interface interface-name | EX8200 | Ports and VLANs. Note: On EX8200 Virtual Chassis, the interface action modifier is supported only for VLANs. | Not supported |
log | EX2200 | Not supported | Not supported |
log | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
log | EX3300 | Layer 3 interfaces | Layer 3 interfaces |
log | EX4500 | Not supported | Not supported |
log | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
loss-priority (high \| low) | EX2200 | Not supported | Not supported |
loss-priority (high \| low) | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
loss-priority (high \| low) | EX3300 | Layer 3 interfaces | Layer 3 interfaces |
loss-priority (high \| low) | EX4500 | Layer 3 interfaces | Layer 3 interfaces |
loss-priority (high \| low) | EX8200 | Ports, VLANs, and Layer 3 interfaces | Ports and Layer 3 interfaces |
policer policer-name | EX2200 | Layer 3 interfaces | Not supported |
policer policer-name | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
policer policer-name | EX3300 | Layer 3 interfaces | Not supported |
policer policer-name | EX4500 | Layer 3 interfaces | Layer 3 interfaces |
policer policer-name | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX2200 | Not supported | Not supported |
syslog | EX3200 and EX4200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
syslog | EX3300 | Not supported | Not supported |
syslog | EX4500 | Not supported | Not supported |
syslog | EX8200 | Ports, VLANs, and Layer 3 interfaces | Not supported |
three-color-policer | EX2200 | Not supported | Not supported |
three-color-policer | EX3200 and EX4200 | Not supported | Not supported |
three-color-policer | EX3300 | Not supported | Not supported |
three-color-policer | EX4500 | Not supported | Not supported |
three-color-policer | EX8200 | Not supported | Not supported |


