
Firewall Filter Configuration Statements Supported by JUNOS Software for EX-series Switches

You configure firewall filters to filter packets based on their components and to perform an action on packets that match the filter.

Table 1 lists the options that are supported for the firewall statement in JUNOS Software for EX-series switches.

Table 1: Supported Options for Firewall Filter Statements

Each entry gives the statement and option, followed by its description.

family family-name {
}

The family-name option specifies the version or type of addressing protocol:

  • bridge or ethernet-switching—Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets
  • inet—Filter IPv4 packets

filter filter-name {
}

The filter-name option identifies the filter. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

term term-name {
}

The term-name option identifies the term. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" " ). Each term name must be unique within a filter.

from {
match-conditions;
}

The from statement is optional. If you omit it, all packets are considered to match. Terms are evaluated in the order in which they appear in the filter, so a term with no from statement acts as a catch-all and normally belongs last. A packet that matches no term in the filter is dropped by the filter's implicit final discard, so a filter that is meant only to rate-limit or count some traffic still needs a final term that accepts everything else.

then {
action;
action-modifiers;
}

For information about the action and action-modifiers options, see Firewall Filter Match Conditions and Actions for EX-series Switches.

policer policer-name {
}

The policer-name option identifies the policer. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

if-exceeding {
bandwidth-limit bps
burst-size-limit bytes
}

The bandwidth-limit bps option specifies the traffic rate in bits per second (bps).

You can specify bps as a decimal value or as a decimal number followed by one of the following abbreviations:

  • k (thousand)
  • m (million)
  • g (billion, which is also called a thousand million)

Range: 1000 (1k) through 102,300,000,000 (102.3g) bps

The burst-size-limit bytes option specifies the maximum allowed burst size to control the amount of traffic bursting. To determine the value for the burst-size limit, multiply the bandwidth of the interface on which the filter is applied by the amount of time to allow a burst of traffic at that bandwidth to occur:

burst size = bandwidth * allowable time for burst traffic

Because bandwidth is expressed in bits per second and burst-size-limit in bytes, divide the product by 8. For example, to allow a 5-millisecond burst on a 1-Gbps interface: 1,000,000,000 bps * 0.005 s = 5,000,000 bits = 625,000 bytes, so you would configure burst-size-limit 625k.

You can specify a decimal value or a decimal number followed by k (thousand) or m (million).

Range: 1 through 2,147,450,880 bytes

then {
policer-action
}

Use the policer-action option to specify discard to discard traffic that exceeds the rate limits.
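The following configuration is added here as an illustration and is not taken from the original page. It uses every supported statement from Table 1 in one place: a policer (limit-ssh) and an IPv4 filter (protect-mgmt) with three terms that rate-limit SSH from an assumed management prefix, discard SSH from anywhere else, and accept all remaining traffic. The filter, policer, term and counter names, the 192.0.2.0/24 prefix and the rate values are assumptions; the policer is sized for a 1-Gbps interface allowed a 5-millisecond burst using the burst-size formula above. The accept, discard, count and policer actions are covered by the page referenced for actions.

```junos
firewall {
    # Policer: traffic above 10 Mbps is discarded. Burst sized for an
    # assumed 1-Gbps interface and a 5-ms burst window:
    # 1,000,000,000 bps * 0.005 s / 8 = 625,000 bytes.
    policer limit-ssh {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 625k;
        }
        then discard;
    }
    family inet {
        filter protect-mgmt {
            # Term 1: SSH from the assumed management prefix is counted,
            # rate-limited by the policer, and otherwise accepted.
            term ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    policer limit-ssh;
                    count ssh-mgmt;
                    accept;
                }
            }
            # Term 2: SSH from any other source is counted and discarded.
            term ssh-from-elsewhere {
                from {
                    protocol tcp;
                    destination-port 22;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            # Term 3: no "from" statement, so it matches every packet that
            # reaches it. Without it the filter's implicit final discard
            # would drop all non-SSH traffic.
            term allow-everything-else {
                then accept;
            }
        }
    }
}
```

Term order is the security-relevant detail: if allow-everything-else were placed first, every packet would match it and the SSH terms would never be evaluated. Applying the filter to an interface is outside this page; as an assumption, applying it as an input filter on the loopback interface makes it govern traffic addressed to the switch itself. After commit, show firewall filter protect-mgmt displays the ssh-mgmt and ssh-denied counters and the policer's out-of-profile count, which is how you verify that the terms are matching the traffic you expected.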

JUNOS Software for EX-series switches does not support some of the firewall filter statements that other JUNOS Software packages support. Table 2 lists these statements, grouped by the hierarchy level at which they would otherwise appear. A configuration ported from another Junos platform that uses any of them must be rewritten in terms of the statements in Table 1.

Table 2: Firewall Filter Statements That Are Not Supported by JUNOS Software for EX-series Switches

Statement hierarchy level: [edit firewall]

Statements not supported:

  • interface-set interface-set-name {
    }
  • load-balance-group group-name {
    }
  • three-color-policer name {
        logical-interface-policer;
        single-rate {
        }
        two-rate {
        }
    }

Statement hierarchy level: [edit firewall family family-name]

Statements not supported:

  • prefix-action name {
    }
  • prefix-policer {
    }
  • service-filter filter-name {
    }
  • simple-filter simple-filter-name {
    }

Statement hierarchy level: [edit firewall family family-name filter filter-name]

Statements not supported:

  • accounting-profile name;
  • interface-specific;

Statement hierarchy level: [edit firewall policer policer-name]

Statements not supported:

  • filter-specific;
  • logical-bandwidth-policer;
  • logical-interface-policer;

Statement hierarchy level: [edit firewall policer policer-name if-exceeding]

Statements not supported:

  • bandwidth-percent number;