[Contents] [Prev] [Next] [Index] [Report an Error]

Dynamic Firewall Filters Overview

Firewall filters provide rules that define whether to permit or deny packets transiting an interface on a router. You configure firewall filters to determine whether to permit or deny traffic before it enters or exits the interface to which the filter is applied. An input (or ingress) firewall filter is applied to packets arriving at the router on that interface; an output (or egress) firewall filter is applied to packets leaving the router through that interface. Besides permitting or denying packets, a firewall filter can perform class-of-service (CoS) marking: it groups similar types of traffic together and treats each type as a class with its own level of service priority.

What makes firewall filters "dynamic" is the ability of the router to apply them to interfaces on demand rather than through static interface configuration. This dynamic application is performed by referencing input or output filters from a dynamic profile. When the profile is triggered (for example, when a subscriber session is created), it applies either a filter named in the profile or a filter name supplied by RADIUS to the subscriber's interface.

This overview covers:

  1. Firewall Filter Types
  2. Firewall Filter Components
  3. Firewall Filter Processing

Firewall Filter Types

The following firewall filter types are supported:

Note: Firewall filters are not supported on aggregated Ethernet interfaces.

To use a firewall filter, you must:

  1. Configure the firewall filter under the [edit firewall family inet] hierarchy, giving it a name and one or more terms.
  2. Apply the firewall filter to an interface by name, either statically under the interface's family inet filter statement or dynamically by referencing it in the family inet filter statement of a dynamic profile.

Firewall Filter Components

When creating a firewall filter, you first specify the protocol family (family inet for IPv4) and then define one or more terms. Each term specifies the filtering criteria (the packet fields to match) and the action to take if a packet matches.

Each term consists of two components: a set of match conditions (the from statement), such as source or destination address, protocol, or port, and an action (the then statement), such as accept, discard, or reject, optionally combined with action modifiers such as count or log. A term with no from statement matches every packet that reaches it.

Firewall Filter Processing

The order of the terms within a firewall filter is important. Packets are tested against the terms in the order in which they appear in the filter configuration. The router takes a top-down approach: it compares a packet against the first term, and if the packet matches, it executes the terminating action defined by that term (accept, discard, or reject) and evaluates no further terms. If the packet does not match the first term, the router compares it to the next term using the same match process, and continues through each successive term until a match is found. Two details matter when you write a filter: a matching term whose then statement contains only action modifiers (for example, count) accepts the packet, unless the term also specifies next term, which passes the packet on to the following term; and if a packet matches no term at all, the implicit default action at the end of the filter is to discard it. A filter that is meant to block only specific traffic therefore needs a final term with then accept, or everything else on the interface is silently dropped.
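The following configuration is an added example, not taken from this page or from any Juniper reference configuration. It ties together the two-step procedure above (configure the filter, apply it), the from/then components of a term, and the top-down processing with its implicit final discard. The filter name subscriber-in, the profile name subscriber-profile, the term names, and the counter name are illustrative assumptions; the $junos-interface-ifd-name and $junos-interface-unit variables are predefined dynamic-profile variables that Junos fills in with the subscriber's interface when the profile is triggered.

```junos
# Step 1: define the filter. Terms are evaluated top-down; the first
# matching term's terminating action ends evaluation.
firewall {
    family inet {
        filter subscriber-in {                 # assumed filter name
            term deny-telnet {
                from {
                    protocol tcp;
                    destination-port telnet;   # port 23
                }
                then {
                    count telnet-dropped;      # action modifier: increments a counter
                    discard;                   # terminating action: silent drop
                }
            }
            term allow-dns {
                from {
                    protocol udp;
                    destination-port domain;   # port 53
                }
                then accept;
            }
            # No from statement: matches everything the earlier terms did not.
            # Without this term the implicit default action would discard
            # all remaining traffic on the interface.
            term allow-rest {
                then accept;
            }
        }
    }
}

# Step 2: apply the filter dynamically. When the profile is triggered for a
# subscriber, the filter is attached as an input filter on that subscriber's
# interface instead of being configured statically under [edit interfaces].
dynamic-profiles {
    subscriber-profile {                       # assumed profile name
        interfaces {
            "$junos-interface-ifd-name" {
                unit "$junos-interface-unit" {
                    family inet {
                        filter {
                            input subscriber-in;
                        }
                    }
                }
            }
        }
    }
}
```

To have RADIUS select the filter instead of naming it in the profile, replace input subscriber-in with input "$junos-input-filter" (or output "$junos-output-filter" for egress), so the filter name is taken from the subscriber's RADIUS attributes at session setup; the named filter must still exist under [edit firewall]. After committing, show firewall displays the telnet-dropped counter, which is the quickest way to confirm that the deny-telnet term is being hit and that ordinary traffic is reaching the allow-rest term rather than the implicit discard.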
