Configuring Filters for inet Family Type (NSM Procedure)

You can configure filters, prefix-actions, service filters, and simple filters for Inet using the following options. See the following topics:

Configuring Firewall Filter for inet Family Type (NSM Procedure)

You can configure a firewall filter for inet family type.

To configure the firewall filter in NSM:

In the NSM navigation tree, select Device Manager > Devices.
Click the Device Tree tab, and then double-click the device to select it.
Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
Select Filter.
Add or modify settings as specified in Table 217.
Click one:
- OK—Saves the changes.
- Cancel—Cancels the modifications.

Table 217: Firewall Filter Configuration Details

Task	Your Action
Configure a firewall filter to filter IPv4 packets.	Expand Inet. Click Filter next to Inet. Click Add new entry next to Filter. Expand Filter. In the name box, enter the name that identifies the filter. In the Comment box, enter the comment. Select the Interface Specific check box to configure interface-specific names for firewall counters.
Configure accounting for firewall filters.	Click Accounting Profile next to filter. Click Add new entry next to Accounting Profile. In the New accounting-profile window, enter the name to be assigned to the accounting profile.
Define firewall filter term.	Click Term next to Accounting Profile. Click Add new entry next to Term. Expand Term. In the Name box, enter the name that identifies the term. In the Comment box, enter the comment for the term. From the Filter list, select the name that identifies the filter. Expand From. In the Comment box, enter the comment. Select the Is Fragment check box if the packet is a trailing fragment. Select the First Fragment check box if it matches the first fragment of a fragmented packet. In the Fragment Flags box, enter the IP fragmentation flags. Select the Tcp Initial check box if it matches the first TCP packet of a connection. Select the Tcp established check box if it matches the TCP packets other than the first packet of a connection. In the Tcp Flags box, enter the TCP flags. From the listed protocol-independent match conditions, select the filters defined for the Inet family type. The protocol-independent match conditions are Address, Ah Spi, Destination Address, Destination Class, Destination port, Destination prefix List, Dscp, Esp Spi, Forwarding Class, Fragment offset, Icmp Code, Icmp Type, Interface, Interface Group, Interface Set, IP Options, Loss Priority, Packet Length, Port, Precedence, prefix List, Protocol, Source Address, Source Port, Source Prefix List and Ttl. Expand Then. In the Comment box, enter the comment for then. In the Count box, enter the number of packets. Select the Log check box to store the header information of a packet on the Routing Engine. Select Syslog to log an alert for the packet. Select the Sample check box to sample the packet traffic. Select the Port Mirror check box to port-mirror the packets. From the Loss Priority list, set the packet loss priority (PLP) to low, medium-low, medium-high, or high. In the Forwarding Class box, enter the packet forwarding class name. From the Prefix Action list, select the prefix specific action. Click Accept next to Then. Select Accept to accept a packet. Select Discard to discard a packet silently, without sending an ICMP message. Select Next to evaluate the next term in the firewall filter. Select Routing instance to specify a routing table to which packets are forwarded. Select IPsec Sa to specify an IP Security (IPsec) security association (SA) for the packet. Select Reject to discard a packet, and send an ICMP destination unreachable message. Click Policer next to Then. Select one of the following: Select Policer to configure a new policer for each filter and select the policer name. Select three-color-policer to configure a tricolor marking policer, Expand Three Color Policer. Click Single Rate next to Three Color Policer. Select one of the following: single-rate—If the named tricolor policer is a single-rate policer. two-rate—If the named tricolor policer is a two-rate policer.

Configuring Prefix-specific Actions (NSM Procedure)

Prefix-specific actions allow you to configure policers and counters for specific addresses or ranges of addresses. This allows you to essentially create policers and counters on a per-prefix level.

To configure the prefix-specific actions in NSM:

In the NSM navigation tree, select Device Manager > Devices.
Click the Device Tree tab, and then double-click the device to select it.
Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
Click Prefix Action.
Add or modify settings as specified in Table 218.
Click one:
- OK—Saves the changes.
- Cancel—Cancels the modifications.

Table 218: Prefix Actions Details

Task	Your Action
Configure prefix-specific actions.	Click Prefix Action next to Inet. In the Name box, enter the action name. From the Policer list, select the actions to be taken. Select the Count check box to include count as the action modifier. Select the Filter Specific check box to configure a policer to act as a filter-specific policer. From the Subnet Prefix Length list, select the subnet prefix length. Range: 0 to 32 Click Source Prefix Length next to prefix-action. Select source-prefix-length to configure the source address range specified for a prefix-specific policer or counter and select the source prefix length. Select destination-prefix-length to configure the destination address range specified for a prefix-specific policer or counter and select the destination prefix length.

Task

Your Action

Configure prefix-specific actions.

Click Prefix Action next to Inet.
In the Name box, enter the action name.
From the Policer list, select the actions to be taken.
Select the Count check box to include count as the action modifier.
Select the Filter Specific check box to configure a policer to act as a filter-specific policer.
From the Subnet Prefix Length list, select the subnet prefix length.
Range: 0 to 32
Click Source Prefix Length next to prefix-action.
Select source-prefix-length to configure the source address range specified for a prefix-specific policer or counter and select the source prefix length.
Select destination-prefix-length to configure the destination address range specified for a prefix-specific policer or counter and select the destination prefix length.

Configuring Service Filters (NSM Procedure)

A service filter identifies packets on which one or more services are to be applied, and which PIC performs the service.

To configure the service filters for inet in NSM:

In the NSM navigation tree, select Device Manager > Devices.
Click the Device Tree tab, and then double-click the device to select it.
Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
Click Prefix Action.
Add or modify settings as specified in Table 219.
Click one:
- OK—Saves the changes.
- Cancel—Cancels the modifications.

Table 219: Service Filter Configuration Details

Task	Your Action
Configure service filter.	Click Service Filter next to Inet. Click Add new entry next to Service Filter. Expand service-filter. In the Name box, enter the name that identifies the service filter.
Define firewall filter term.	Click Term next to service-filter. Click Add new entry next to Term. Expand Term. In the Name box, enter the name that identifies the term. In the Comment box, enter the comment for the term. Expand From. In the Comment box, enter the comment. Check the Is Fragment check box if the packet is a trailing fragment. Check the First Fragment check box if it matches the first fragment of a fragmented packet. In the Fragment Flags box, enter the IP fragmentation flags. From the listed protocol-independent match conditions, select the filters defined for the Inet family type. The protocol-independent match conditions are Address, Ah Spi, Destination Address, Destination port, Destination prefix List, Esp Spi, Fragment offset, Interface Group, , IP Options, Loss Priority, Port, Prefix List, Protocol, Source Address, Source Port, and Source Prefix List. Click Then next to From. In the Comment box, enter the comment for then. In the Count box, enter the number of packets. Select the Log check box to store the header information of a packet on the Routing Engine. Select the Sample check box to sample the packet traffic. Select the Port Mirror check box to port-mirror the packets. Select Service to direct packets for stateful-firewall service. Select Skip to let packets bypass stateful-firewall service.

Task

Your Action

Configure service filter.

Click Service Filter next to Inet.
Click Add new entry next to Service Filter.
Expand service-filter.
In the Name box, enter the name that identifies the service filter.

Define firewall filter term.

Click Term next to service-filter.
Click Add new entry next to Term.
Expand Term.
In the Name box, enter the name that identifies the term.
In the Comment box, enter the comment for the term.
Expand From.
In the Comment box, enter the comment.
Check the Is Fragment check box if the packet is a trailing fragment.
Check the First Fragment check box if it matches the first fragment of a fragmented packet.
In the Fragment Flags box, enter the IP fragmentation flags.
From the listed protocol-independent match conditions, select the filters defined for the Inet family type.
The protocol-independent match conditions are Address, Ah Spi, Destination Address, Destination port, Destination prefix List, Esp Spi, Fragment offset, Interface Group, , IP Options, Loss Priority, Port, Prefix List, Protocol, Source Address, Source Port, and Source Prefix List.
Click Then next to From.
In the Comment box, enter the comment for then.
In the Count box, enter the number of packets.
Select the Log check box to store the header information of a packet on the Routing Engine.
Select the Sample check box to sample the packet traffic.
Select the Port Mirror check box to port-mirror the packets.
Select Service to direct packets for stateful-firewall service.
Select Skip to let packets bypass stateful-firewall service.

Configuring Simple Filters (NSM Procedure)

Simple filters are used to support Ethernet IQ2 PICs. A simple filter is a subset of a firewall filter with the following limitations:

The next-term action is not supported.
The except and protocol-except match conditions are not supported.
Noncontiguous masks are not supported.
Only one source-address and one destination-address prefix are allowed for each filter term.

To configure the simple filters for inet in NSM:

In the NSM navigation tree, select Device Manager > Devices.
Click the Device Tree tab, and then double-click the device to select it.
Click the Configuration tab. In the configuration tree, expand Firewall > Family > Inet.
Select Simple Filters.
Add or modify settings as specified in Table 220.
Click one:
- OK—Saves the changes.
- Cancel—Cancels the modifications.

Table 220: Simple Filter Details

Task	Your Action
Configure simple filter.	Click Simple Filter next to Inet. Click Add new entry next to Simple Filter. In the Name box, enter the name that identifies the simple filter.
Define a term.	Click Term next to simple-filter. Click Add new entry next to Term. Expand Term. In the Name box, enter the name that identifies the term. In the Comment box, enter the comment. Expand From. From the listed protocol-independent match conditions, select the filters defined for the Inet family type. The protocol-independent match conditions are Destination Address, Destination port, Forwarding Class, Protocol, Source Address, and Source Port. Click Then next to From. In the Comment box, enter the comment. From the Loss Priority list, select the packet loss priority (PLP) level to set it as low, medium-low, medium-high, or high. In the Forwarding Class box, enter the packet forwarding class name.

Task

Your Action

Configure simple filter.

Click Simple Filter next to Inet.
Click Add new entry next to Simple Filter.
In the Name box, enter the name that identifies the simple filter.

Define a term.

Click Term next to simple-filter.
Click Add new entry next to Term.
Expand Term.
In the Name box, enter the name that identifies the term.
In the Comment box, enter the comment.
Expand From.
From the listed protocol-independent match conditions, select the filters defined for the Inet family type.
The protocol-independent match conditions are Destination Address, Destination port, Forwarding Class, Protocol, Source Address, and Source Port.
Click Then next to From.
In the Comment box, enter the comment.
From the Loss Priority list, select the packet loss priority (PLP) level to set it as low, medium-low, medium-high, or high.
In the Forwarding Class box, enter the packet forwarding class name.