Configuring Layer 2 Bridging Match Conditions for MX Series Ethernet Services Routers
Table 1 describes the firewall filter match conditions supported for Layer 2 bridging traffic on MX Series routers.
To configure firewall filter match conditions for Layer 2 bridging traffic:
- Include the match-conditions statement at the [edit firewall family bridge filter filter-name term term-name from] hierarchy level.
Table 1: Layer 2 Bridging Firewall Filter Match Conditions (MX Series Ethernet Services Routers Only)
| Match Condition | Description |
|---|---|
| destination-mac-address address | Destination media access control (MAC) address of a Layer 2 packet in a bridging environment. |
| destination-port number | TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term. |
| dscp number | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see the Junos Class of Service Configuration Guide. You can specify the DSCP in hexadecimal, binary, or decimal form. |
| ether-type value | Ethernet type field of a Layer 2 packet in a bridging environment. |
| ether-type-except value | Do not match on the Ethernet type field of a Layer 2 packet. |
| forwarding-class class | Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
| forwarding-class-except class | Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
| icmp-code number | ICMP code field. The value or keyword provides more specific information than icmp-type. Because the value’s meaning depends on the associated icmp-type, you must specify icmp-type along with icmp-code. |
| icmp-type number | ICMP packet type field. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. |
| interface-group group-number | Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For group-number, specify a value from 0 through 255. |
| interface-group-except number | Do not match on the interface group on which the packet was received. |
| interface-set interface-set-name | (MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only) Interface set on which the packet was received. An interface set is a set of logical interfaces used to configure hierarchical class-of-service schedulers. For information about configuring an interface set, see the Junos Class of Service Configuration Guide and the Junos Network Interfaces Configuration Guide. |
| ip-address address | 32-bit address that supports the standard syntax for IPv4 addresses. |
| ip-destination-address address | 32-bit address that is the final destination node address for the packet. |
| ip-precedence ip-precedence-field | IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). |
| ip-precedence-except | Do not match on the IP precedence field. |
| ip-protocol number | IP protocol field. |
| ip-source-address address | IP address of the source node sending the packet. |
| isid number | (Supported with Provider Backbone Bridging (PBB)) Match internet service identifier. |
| isid-dei number | (Supported with PBB) Match internet service identifier drop eligibility indicator (DEI) bit. |
| isid-dei-except number | (Supported with PBB) Do not match internet service identifier DEI bit. |
| isid-priority-code-point number | (Supported with PBB) Match internet service identifier priority code point. |
| isid-priority-code-point-except number | (Supported with PBB) Do not match internet service identifier priority code point. |
| learn-vlan-1p-priority value | (Supported with bridging, VPLS, and Layer 2 circuit cross-connect [CCC] traffic only) IEEE 802.1p learned VLAN priority field. Specify a single value or multiple values from 0 through 7. |
| learn-vlan-1p-priority-except value | (Supported with bridging, VPLS, and Layer 2 circuit cross-connect [CCC] traffic only) Do not match on the IEEE 802.1p learned VLAN priority field. Specify a single value or multiple values from 0 through 7. |
| learn-vlan-dei number | (Supported with bridging) Match user virtual LAN (VLAN) identifier DEI bit. |
| learn-vlan-dei-except number | (Supported with bridging) Do not match user VLAN identifier DEI bit. |
| learn-vlan-id number | VLAN identifier used for MAC learning. |
| learn-vlan-id-except number | Do not match on the VLAN identifier used for MAC learning. |
| loss-priority level | Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Junos Class of Service Configuration Guide. |
| loss-priority-except level | Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Junos Class of Service Configuration Guide. |
| port number | TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match conditions in the same term. |
| source-mac-address address | Source MAC address of a Layer 2 packet. |
| source-port number | TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. |
| tcp-flags flags | One or more of the following TCP flags: You can string together multiple flags using logical operators. Configuring the tcp-flags match condition requires that you configure the next-header-tcp match condition. |
| traffic-type type | Traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast. |
| traffic-type-except type | Do not match on the traffic type. |
| user-vlan-1p-priority value | (Supported with bridging, VPLS, and Layer 2 CCC traffic only) IEEE 802.1p user priority field. Specify a single value or multiple values from 0 through 7. |
| user-vlan-1p-priority-except value | (Supported with bridging, VPLS, and Layer 2 CCC traffic only) Do not match on the IEEE 802.1p user priority field. Specify a single value or multiple values from 0 through 7. |
| user-vlan-id number | First VLAN identifier that is part of the payload. |
| user-vlan-id-except number | Do not match on the first VLAN identifier that is part of the payload. |
| vlan-ether-type value | VLAN Ethernet type field of a Layer 2 bridging or VPLS packet. |
| vlan-ether-type-except value | Do not match on the VLAN Ethernet type field of a Layer 2 bridging or VPLS packet. |
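
The following is an added example, not part of the original documentation: a small pre-commit check that reads set-style bridge filter statements and flags terms that break the per-term rules stated in Table 1 (port used together with destination-port or source-port, icmp-code without icmp-type, and values outside the listed ranges or keywords). The filter and term names and the sample statements are constructed; applying the value rules to the -except variants, and accepting only single values or bracketed lists, are assumptions of this example.

```python
import re
from collections import defaultdict

# Value constraints stated in Table 1. Applying them to the "-except"
# variants is an assumption of this example.
RANGES = {"interface-group": (0, 255), "learn-vlan-1p-priority": (0, 7),
          "user-vlan-1p-priority": (0, 7)}
ENUMS = {
    "forwarding-class": {"assured-forwarding", "best-effort",
                         "expedited-forwarding", "network-control"},
    "loss-priority": {"low", "medium-low", "medium-high", "high"},
    "traffic-type": {"broadcast", "multicast", "unknown-unicast", "known-unicast"},
}
SET_RE = re.compile(
    r"^set firewall family bridge filter (\S+) term (\S+) from (\S+)(?: (.+))?$")

def lint(config_text):
    """Return sorted (filter, term, message) findings for set-style lines."""
    terms = defaultdict(list)
    for line in config_text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            terms[(m.group(1), m.group(2))].append((m.group(3), m.group(4) or ""))
    findings = []
    for (flt, term), conds in terms.items():
        names = {name for name, _ in conds}
        if "port" in names and names & {"destination-port", "source-port"}:
            findings.append((flt, term, "port used with destination-port or source-port"))
        if "icmp-code" in names and "icmp-type" not in names:
            findings.append((flt, term, "icmp-code without icmp-type"))
        for name, value in conds:
            base = name[:-len("-except")] if name.endswith("-except") else name
            for tok in value.strip("[] ").split():   # "[ 5 9 ]" -> ["5", "9"]
                if base in RANGES:
                    lo, hi = RANGES[base]
                    if not (tok.isdigit() and lo <= int(tok) <= hi):
                        findings.append((flt, term, f"{name} {tok} outside {lo}-{hi}"))
                elif base in ENUMS and tok not in ENUMS[base]:
                    findings.append((flt, term, f"{name} {tok} not listed in Table 1"))
    return sorted(findings)

# Constructed sample input (filter and term names are hypothetical).
SAMPLE = """\
set firewall family bridge filter L2-EDGE term web from port 443
set firewall family bridge filter L2-EDGE term web from destination-port 443
set firewall family bridge filter L2-EDGE term icmp from icmp-code 1
set firewall family bridge filter L2-EDGE term prio from user-vlan-1p-priority [ 5 9 ]
set firewall family bridge filter L2-EDGE term bcast from traffic-type broadcast
"""
```

Calling lint(SAMPLE) reports the web, icmp and prio terms and leaves the bcast term unflagged.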
