Firewall Filters for EX Series Switches Overview
Firewall filters provide rules that define whether to permit, deny, or forward packets that are transiting an interface on a Juniper Networks EX Series Ethernet Switch from a source address to a destination address. You configure firewall filters to determine whether to permit, deny, or forward traffic before it enters or exits a port, VLAN, or Layer 3 (routed) interface to which the firewall filter is applied. An ingress firewall filter is a filter that is applied to packets that are entering a network. An egress firewall filter is a filter that is applied to packets that are exiting a network. You can configure firewall filters to subject packets to filtering, class-of-service (CoS) marking (grouping similar types of traffic together, and treating each type of traffic as a class with its own level of service priority), and traffic policing (controlling the maximum rate of traffic sent or received on an interface).
This topic describes:
- Firewall Filter Types
- Firewall Filter Components
- Firewall Filter Processing
Firewall Filter Types
The following firewall filter types are supported for EX Series switches:
- Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 switch ports. You can apply port firewall filters in both ingress and egress directions on a physical port.
- VLAN firewall filter—VLAN firewall filters provide access control for packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN. You can apply VLAN firewall filters in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all packets that are forwarded to or forwarded from the VLAN.
- Router (Layer 3) firewall filter—You can apply a router firewall filter in both ingress and egress directions on Layer 3 (routed) interfaces and routed VLAN interfaces (RVIs). You can also apply a router firewall filter in the ingress direction on the loopback interface (lo0).

Note: You can also apply a firewall filter to aggregated Ethernet interfaces and loopback interfaces. Firewall filters configured on loopback interfaces are applied only to packets that are sent to the Routing Engine CPU for further processing. Firewall filters are not applied to packets transiting the management interface (me0).
On Juniper Networks EX3200, EX4200, and EX8200 Ethernet switches, you can apply a router firewall filter to both IPv4 and IPv6 traffic. You can apply firewall filter match conditions to IPv6 traffic on Layer 3 interfaces, aggregated Ethernet interfaces, and loopback interfaces. To configure port firewall filters and VLAN firewall filters for IPv6 traffic, you must include the match condition ether-type ipv6 and apply the filter on Layer 2 interfaces or VLANs. When you include the match condition ether-type ipv6 in a term, you must ensure that other match conditions specified in the term are valid for IPv6 traffic. If the port firewall filter or VLAN firewall filter term contains the match condition ether-type ipv6, with no other IPv6 match condition specified, all IPv6 traffic is matched.
Note: A term without the match condition ether-type ipv6 applies only to IPv4 traffic, and a term with that match condition applies only to IPv6 traffic. Hence, to configure port and VLAN firewall filters for both IPv4 and IPv6 traffic, you must configure two separate terms, one for IPv4 traffic and one for IPv6 traffic.
To apply a firewall filter, you must:
- Configure the firewall filter.
- Apply the firewall filter to a port, VLAN, or Layer 3 interface.
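As an added illustration of the two steps above and of the IPv4/IPv6 note, here is a port firewall filter (family ethernet-switching) written in Junos hierarchy notation and then applied in the ingress direction to a Layer 2 port and to a VLAN. This is example configuration written for this page, not configuration taken from Juniper's documentation. The interface ge-0/0/5, the VLAN employee-vlan, the filter, term and counter names, and the 198.51.100.0/24 prefix are constructed placeholders.

```junos
firewall {
    family ethernet-switching {
        filter l2-dual-stack {
            /* No ether-type ipv6 here, so this term sees IPv4 traffic only. */
            term ipv4-web-from-lan {
                from {
                    source-address 198.51.100.0/24;   /* constructed LAN prefix */
                    protocol tcp;
                    destination-port [ http https ];
                }
                then {
                    accept;
                    count ipv4-web-accepted;
                }
            }
            /* ether-type ipv6 with no other IPv6 condition matches all IPv6 traffic. */
            term ipv6-all {
                from {
                    ether-type ipv6;
                }
                then {
                    accept;
                    count ipv6-accepted;
                }
            }
            /* Everything else would be discarded anyway; counting it makes drops visible. */
            term catch-all-discard {
                then {
                    discard;
                    count discarded;
                }
            }
        }
    }
}
/* Step 2a: apply as a port filter on a Layer 2 interface. */
interfaces {
    ge-0/0/5 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input l2-dual-stack;
                }
            }
        }
    }
}
/* Step 2b: apply as a VLAN filter on the VLAN. */
vlans {
    employee-vlan {
        filter {
            input l2-dual-stack;
        }
    }
}
```

After committing, show firewall filter l2-dual-stack displays the three counters, which is the quickest way to confirm that IPv4 and IPv6 packets are hitting the terms you expect rather than falling through to the discard.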
Firewall Filter Components
In a firewall filter, you first define the family address type (ethernet-switching, inet, or inet6), and then you define one or more terms that specify the filtering criteria and the action to take if a match occurs.
The maximum number of terms allowed per firewall filter for EX Series switches is:
- 1428 for EX2200 switches
- 2048 for EX3200 and EX4200 switches—as allocated by the dynamic allocation of ternary content addressable memory (TCAM) for port, VLAN, and router firewall filters.
- Determined by the dynamic allocation of TCAM for port, VLAN, and router firewall filters on EX8200 switches.
Note: The on-demand dynamic allocation of the shared TCAM space in EX8200 switches is achieved by assigning free space blocks to firewall filters. Firewall filters are categorized into two different pools. Port and VLAN filters are pooled together (the memory threshold for this pool is 22K), while router firewall filters are pooled separately (the threshold for this pool is 32K). The assignment happens based on the filter pool type. Free space blocks can be shared only among the firewall filters belonging to the same filter pool type. An error message is generated when you try to configure a firewall filter beyond the TCAM threshold.
Each term consists of the following components:
- Match conditions—Specify the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces.
- Action—Specifies what to do if a packet matches the match conditions. Possible actions are to accept or discard the packet or to send the packet to a specific virtual routing interface. In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.
Firewall Filter Processing
The order of the terms within a firewall filter configuration is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. When a firewall filter contains multiple terms, the switch takes a top-down approach and compares a packet against the first term in the firewall filter. If the packet matches the first term, the switch executes the action defined by that term to either permit or deny the packet, and no other terms are evaluated. If the switch does not find a match between the packet and the first term, it compares the packet to the next term in the firewall filter by using the same match process. If no match occurs between the packet and the second term, the switch continues to compare the packet to each successive term defined in the firewall filter until a match is found. If a packet does not match any term in a firewall filter, the default action is to discard the packet.
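To make the top-down, first-match rule concrete, the following added example (written for this page in Junos hierarchy notation; it is not from Juniper's documentation) is a router firewall filter (family inet) in which term order decides the outcome. The narrow accept for SSH from a management prefix is placed before the broad SSH discard; if those two terms were swapped, every SSH packet would match the discard first and the management exception would never be reached. The last term makes the implicit discard explicit so that dropped packets are counted. The 192.0.2.0/24 prefix, the filter, term and counter names, and the routed VLAN interface vlan.100 are constructed placeholders.

```junos
firewall {
    family inet {
        filter protect-routed {
            /* Term 1: the specific exception must come before the general discard. */
            term ssh-from-mgmt {
                from {
                    source-address 192.0.2.0/24;   /* constructed management prefix */
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    accept;
                    count ssh-accepted;
                }
            }
            /* Term 2: SSH from anywhere else; only reached if term 1 did not match. */
            term ssh-other {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    discard;
                    count ssh-denied;
                }
            }
            /* Term 3: a term with no action would also accept; stating it keeps intent clear. */
            term icmp-echo {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* Term 4: same result as the implicit discard, but counted. */
            term final-discard {
                then {
                    discard;
                    count other-denied;
                }
            }
        }
    }
}
interfaces {
    /* Routed VLAN interface: filter applies to traffic routed through it. */
    vlan {
        unit 100 {
            family inet {
                filter {
                    input protect-routed;
                }
            }
        }
    }
    /* Loopback: filter applies only to packets destined for the Routing Engine. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-routed;
                }
            }
        }
    }
}
```

Because the final term discards everything the earlier terms did not accept, the same filter on lo0 also drops any routing-protocol or management traffic to the Routing Engine that is not explicitly accepted above it; add terms for those protocols before the final term, and check the counters with show firewall filter protect-routed after commit to confirm that traffic is matching the intended term.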
Related Topics
- Understanding Planning of Firewall Filters
- Understanding Firewall Filter Processing Points for Bridged and Routed Packets on EX Series Switches
- Understanding How Firewall Filters Are Evaluated
- Understanding Firewall Filter Match Conditions
- Understanding the Use of Policers in Firewall Filters
- Understanding Filter-Based Forwarding for EX Series Switches
- Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches
- Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches
