[an error occurred while processing this directive] [an error occurred while processing this directive]

Firewall Filter Configuration Statements Supported by JUNOS Software for EX Series Switches

You configure firewall filters to filter packets based on their components and to perform an action on packets that match the filter.

Table 1 lists the options that are supported for the firewall statement in JUNOS Software for EX Series switches.

Table 1: Supported Options for Firewall Filter Statements

Statement and Option

Description
family family-name {
}

The family-name option specifies the version or type of addressing protocol:

  • bridge or ethernet-switching—Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets
  • inet—Filter IPv4 packets
filter filter-name {
}

The filter-name option identifies the filter. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

interface-specific

The interface-specific statement configures unique names for individual firewall counters specific to each interface.

term term-name {
}

The term-name option identifies the term. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" " ). Each term name must be unique within a filter.

from {
match-conditions;
}

The from statement is optional. If you omit it, all packets are considered to match.

then {
action;
action-modifiers;
}

For information about the action and action-modifiers options, see Firewall Filter Match Conditions and Actions for EX Series Switches.

policer policer-name {
}

The policer-name option identifies the policer. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

filter-specific

The filter-specific statement configures policers and counters for a specific filter name.

if-exceeding {
bandwidth-limit bps
burst-size-limit bytes
}

The bandwidth-limit bps option specifies the traffic rate in bits per second (bps).

You can specify bps as a decimal value or as a decimal number followed by one of the following abbreviations:

  • k (thousand)
  • m (million)
  • g (billion, which is also called a thousand million)

Range: 1000 (1k) through 102,300,000,000 (102.3g) bps

The burst-size-limit bytes option specifies the maximum allowed burst size to control the amount of traffic bursting. To determine the value for the burst-size limit, you can multiply the bandwidth of the interface on which the filter is applied by the amount of time (in seconds) to allow a burst of traffic at that bandwidth to occur:

burst size = bandwidth * allowable time for burst traffic

You can specify a decimal value or a decimal number followed by k (thousand) or m (million).

Range: 1 through 2,147,450,880 bytes

then {
policer-action
}

Use the policer-action option to specify discard to discard traffic that exceeds the rate limits.

JUNOS Software for EX Series switches does not support some of the firewall filter statements that are supported by other JUNOS Software packages. Table 2 shows the firewall filter statements that are not supported by JUNOS Software for EX Series switches.

Table 2: Firewall Filter Statements That Are Not Supported by JUNOS Software for EX Series Switches

Statements not supported

Statement hierarchy level
  • interface-set interface-set-name {
    }
  • load-balance-group group-name {
    }
  • three-color-policer name {
    }
  • logical-interface-policer;
  • single-rate {
    }
  • two-rate {
    }
[edit firewall]
  • prefix-action name {
    }
  • prefix-policer {
    }
  • service-filter filter-name {
    }
  • simple-filter simple-filter-name {
    }
[edit firewall family family-name]
  • accounting-profile name;
[edit firewall family family-name filter filter-name]
  • logical-bandwidth-policer;
  • logical-interface-policer;
[edit firewall policer policer-name]
bandwidth-percent number;
[edit firewall policer policer-name if-exceeding]

Published: 2009-07-28

[an error occurred while processing this directive]