Routing Policies and Packet Filtering Configuration

 
Note

This section applies only to the J-Web Application package.

Configuring Routing Policies (J-Web Procedure)

Note

This topic applies only to the J-Web Application package.

All routing protocols use the Junos OS routing table to store the routes that they learn and to determine which routes are advertised in the protocol packets. Routing policy allows you to control which routes the routing protocols store in and retrieve from the routing table on the routing device.

To configure routing policies for an EX Series switch using the J-Web interface:

  1. Select Configure > Routing > Policies.

    Note

    After you make changes to the configuration on this page, you must commit the changes for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes for details about all commit options.

  2. Click one of the following options:
    • Global Options—Configures global options for policies. Enter information into the configuration page as described in Table 45.

    • Add—Configures a new policy. Select New and specify a policy name. To add terms, enter information into the configuration page as described in Table 46. Select Clone to create a copy of an existing policy.

    • Edit—Edits an existing policy. To modify an existing term, enter information into the configuration page as described in Table 46.

    • Term Up—Moves a term up in the list.

    • Term Down—Moves a term down in the list.

    • Delete—Deletes the selected policy.

    • Test Policy—Tests the policy. Use this option to check whether the policy produces the results that you expect.

Table 45: Policies Global Configuration Parameters

Field

Function

Your Action

Prefix List

Specifies a list of IPv4 address prefixes for use in a routing policy statement.

To add a prefix list:

  1. Click Add.
  2. Enter a name for the prefix list.
  3. To add an IP address, click Add.
  4. Enter the IP address and the subnet mask and click OK.
  5. Click OK.

To edit a prefix list, click Edit. Edit the settings and click OK.

To delete a prefix list, select it and click Delete.

BGP Community

Specifies a BGP community.

To add a BGP community:

  1. Click Add.
  2. Enter a name for the community.
  3. To add a community, click Add.
  4. Enter the community ID and click OK.
  5. Click OK.

To edit a BGP community, click Edit. Edit the settings and click OK.

To delete a BGP community, select it and click Delete.

AS Path

Specifies an AS path. This is applicable to BGP only.

To add an AS path:

  1. Click Add.
  2. Enter the AS path name.
  3. Enter the regular expression and click OK.
  4. Click OK.

To edit an AS path, click Edit. Edit the settings and click OK.

To delete an AS path, select it and click Delete.

Table 46: Terms Configuration Parameters

Field

Function

Your Action

Term Name

Specifies a term name.

Type or select and edit the name.

Source tab

Family

Specifies an address family protocol.

Select a value from the list.

Routing Instance

Specifies a routing instance.

Select a value from the list.

RIB

Specifies the name of a routing table.

Select a value from the list.

Preference

Specifies the individual preference value for the route.

Type or select and edit the value.

Metric

Specifies a metric value. You can specify up to four metric values.

Type or select and edit the value.

Interface

Specifies a name or IP address of one or more routing device interfaces. Do not use this qualifier with protocols that are not interface-specific, such as internal BGP (IBGP).

To add an interface, select Add > Interface. Select the interface from the list. For an EX8200 Virtual Chassis configuration, select the member, FPC, and the interface from the list.

To add an address, select Add > Address. Select the address from the list.

To remove an interface, select it and click Remove.

Prefix List

Specifies a named list of IP addresses. You can specify an exact match with incoming routes.

Click Add. Select the prefix list from the list and click OK.

To remove a prefix list, select it and click Remove.

Protocol

Specifies the name of the protocol from which the route was learned or to which the route is being advertised.

Click Add and select the protocol from the list.

To remove a protocol, select it and click Remove.

Policy

Specifies the name of a policy to evaluate as a subroutine.

Click Add. Select the policy from the list.

To remove a policy, select it and click Remove.

More

Specifies advanced configuration options for policies.

Click More for advanced configuration.

OSPF Area ID

Specifies the area identifier.

Type the IP address.

BGP Origin

Specifies the origin of the AS path information.

Select a value from the list.

Local Preference

Specifies the BGP local preference.

Type a value.

Route

Specifies the type of route.

Select External.

Select the OSPF type from the list.

AS Path

Specifies the name of an AS path regular expression.

Click Add. Select the AS path from the list.

Community

Specifies the name of one or more communities.

Click Add. Select the community from the list.

Destination tab

Family

Specifies an address family protocol.

Select a value from the list.

Routing Instance

Specifies a routing instance.

Select a value from the list.

RIB

Specifies the name of a routing table.

Select a value from the list.

Preference

Specifies the individual preference value for the route.

Type a value.

Metric

Specifies a metric value.

Type a value.

Interface

Specifies a name or IP address of one or more routing device interfaces. Do not use this qualifier with protocols that are not interface-specific, such as internal BGP (IBGP).

To add an interface, select Add > Interface. Select the interface from the list. For an EX8200 Virtual Chassis configuration, select the member, FPC, and the interface from the list.

To add an address, select Add > Address. Select the address from the list.

To delete an interface, select it and click Remove.

Protocol

Specifies the name of the protocol from which the route was learned or to which the route is being advertised.

Click Add and select the protocol from the list.

To delete a protocol, select it and click Remove.

Action tab

Action

Specifies the action to take if the conditions match.

Select a value from the list.

Default Action

Specifies that any action that is intrinsic to the protocol is overridden. This action is also nonterminating, so that various policy terms can be evaluated before the policy is terminated.

Select a value from the list.

Next

Specifies the default control action if a match occurs, and there are no further terms in the current routing policy.

Select a value from the list.

Priority

Specifies a priority for prefixes included in an OSPF import policy. Prefixes learned through OSPF are installed in the routing table based on the priority assigned to the prefixes.

Select a value from the list.

BGP Origin

Specifies the BGP origin attribute.

Select a value from the list.

AS Path Prepend

Affixes an AS number at the beginning of the AS path. The AS numbers are added after the local AS number has been added to the path. This action adds an AS number to AS sequences only, not to AS sets. If the existing AS path begins with a confederation sequence or set, the affixed AS number is placed within a confederation sequence. Otherwise, the affixed AS number is placed within a nonconfederation sequence.

Enter a value.

AS Path Expand

Extracts the last AS number in the existing AS path and affixes that AS number to the beginning of the AS path n times, where n is a number from 1 through 32. The AS number is added before the local AS number has been added to the path. This action adds AS numbers to AS sequences only, not to AS sets. If the existing AS path begins with a confederation sequence or set, the affixed AS numbers are placed within a confederation sequence. Otherwise, the affixed AS numbers are placed within a nonconfederation sequence. This option is typically used in non-IBGP export policies.

Select the type and type a value.

Load Balance Per Packet

Specifies that all next-hop addresses in the forwarding table must be installed and have the forwarding table perform per-packet load balancing. This policy action allows you to optimize VPLS traffic flows across multiple paths.

Select the check box to enable the option.

Tag

Specifies the tag value. The tag action sets the 32-bit tag field in OSPF external link-state advertisement (LSA) packets.

Select the action and type a value.

Metric

Changes the metric (MED) value by the specified negative or positive offset. This action is useful only in an external BGP (EBGP) export policy.

Select the action and type a value.

Route

Specifies whether the route is external.

Select the External check box to enable the option, and select the OSPF type.

Preference

Specifies the preference value.

Select the preference action and type a value.

Local Preference

Specifies the BGP local preference attribute.

Select the action and type a value.

Class of Service

Specifies and applies the class-of-service parameters to routes installed into the routing table.

  • Source class

    The value entered here maintains the packet counts for a route passing through your network, based on the source address.

  • Destination class

    The value entered here maintains packet counts for a route passing through your network, based on the destination address in the packet.

  • Forwarding class

Type the source class.

Type the destination class.

Type the forwarding class.

Configuring Firewall Filters (J-Web Procedure)

Note

This topic applies only to the J-Web Application package.

You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer 3 (routed) interfaces. To configure a firewall filter, you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface.

To configure firewall filter settings by using the J-Web interface:

  1. Select Configure > Security > Filters.

    The Firewall Filter Configuration page displays a list of all configured ports or VLANs or router filters and the ports or VLANs associated with a particular filter.

    Note

    After you make changes to the configuration on this page, you must commit the changes for them to take effect. To commit all changes to the active configuration, select Commit Options > Commit. See Using the Commit Options to Commit Configuration Changes for details about all commit options.

  2. Click one of the following options:
    • Add—Select this option to create a new filter. Enter information as specified in Table 47.

    • Edit—Select this option to edit an existing filter. Enter information as specified in Table 47.

    • Delete—Select this option to delete a filter.

    • Term Up—Select this option to move a term up in the filter term list.

    • Term Down—Select this option to move a term down in the filter term list.

Table 47: Create a New Filter

Field

Function

Your Action

Filter tab

Filter type

Specifies the filter type: port or VLAN firewall filter or router firewall filter.

Select the filter type.

Filter name

Specifies the name for the filter.

Enter a name.

Select terms to be part of the filter

Specifies the terms to be associated with the filter. Add new terms or edit existing terms.

Click Add to add new terms. Enter information as specified in Table 48 and Table 49.

Association tab

Port Associations

Specifies the ports with which the filter is associated.

Note: For a port or VLAN filter type, only Ingress direction is supported for port association.

  1. Click Add.
  2. Select the direction: Ingress or Egress.
  3. Select the ports. For an EX8200 Virtual Chassis configuration, select the member, FPC, and the available ports from the list.
  4. Click OK.

VLAN Associations

Specifies the VLANs with which the filter is associated.

Note: Because router firewall filters can be associated with ports only, this section is not displayed for a router firewall filter.

  1. Click Add.
  2. Select the direction: Ingress or Egress.
  3. Select the VLANs.
  4. Click OK.

Table 48: Create a New Term

Field

Function

Your Action

Term Name

Specifies the name of the term.

Enter a name.

Protocols

Specifies the protocols to be associated with the term.

  1. Click Add.
  2. Select the protocols.
  3. Click OK.

Source

Specifies the source IP address, MAC address, and available ports.

Note: MAC address is specified only for port or VLAN filters.

To specify the IP address, click Add > IP and enter the IP address.

To specify the MAC address, click Add > MAC and enter the MAC address.

To specify the ports (interfaces), click Add > Ports and enter the port number.

To delete the IP address, MAC address, or port details, select it and click Remove.

Destination

Specifies the destination IP address, MAC address, and available ports.

Note: MAC address is specified only for port or VLAN filters.

To specify the IP address, click Add > IP and enter the IP address.

To specify the MAC address, click Add > MAC and enter the MAC address.

To specify the ports (interfaces), click Add > Ports and enter the port number.

To delete the IP address, MAC address, or port details, select it and click Remove.

Action

Specifies the packet action for the term.

Select one of the following options:

  • Accept

  • Discard

More

Specifies advanced configuration options for the filter.

Select the match conditions as specified in Table 49.

Select the packet action for the term as specified in Table 49.

Table 49: Advanced Options for Terms

Field

Function

Your Action

ICMP Type

Specifies the ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol match condition to determine which protocol is being used on the port.

Select the option from the list.

ICMP Code

Specifies more specific information than the ICMP type. Because the value’s meaning depends upon the associated ICMP type, you must specify icmp-type along with icmp-code. The keywords are grouped by the ICMP type with which they are associated.

Select a value from the list.

DSCP

Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

Select the DSCP number from the list.

Precedence

Specifies the IP precedence.

Note: The IP precedence and the DSCP number cannot be specified together for the same term.

Select the option from the list.

IP Options

Specifies the presence of the options field in the IP header.

Select the option from the list.

Interface

Specifies the interface on which the packet is received.

Select the interface from the list.

Ether type

Note: This option is not supported on EX4300 switches.

Specifies the Ethernet type field of a packet.

Note: This option is not applicable for a routing filter.

Select a value from the list.

Dot 1q user priority

Note: This option is not supported on EX4300 switches.

Specifies the user-priority field of the tagged Ethernet packet. User-priority values can be 0–7.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • background (1)—Background

  • best-effort (0)—Best effort

  • controlled-load (4)—Controlled load

  • excellent-load (3)—Excellent load

  • network-control (7)—Network control reserved traffic

  • standard (2)—Standard or spare

  • video (5)—Video

  • voice (6)—Voice

Note: This option is not applicable for a routing filter.

Select a value from the list.

VLAN

Note: This option is not supported on EX4300 switches.

Specifies the VLAN to be associated with the packet.

Note: This option is not applicable for a routing filter.

Select the VLAN from the list.

TCP Flags

Specifies one or more TCP flags.

Note: TCP flags are supported on ingress ports, VLANs, and router interfaces.

Select the option TCP Initial or enter a combination of TCP flags.

Fragmentation Flags

Specifies the IP fragmentation flags.

Note: Fragmentation flags are supported on ingress ports, VLANs, and router interfaces.

Select either the option is-fragment or enter a combination of fragment action flags.

Dot1q tag

Note: This option is not supported on EX4300 switches.

Specifies the value for the tag field in the Ethernet header. The value can be from 1 through 4095.

Note: This option is not applicable for a routing filter.

Enter the value.

User Vlan Id

Note: This option is supported only on EX4300 switches.

Specifies the value of the VLAN ID. The value can be from 0 through 4095 or a range of values.

Enter a value.

User Vlan 1P Priority

Note: This option is supported only on EX4300 switches.

Specifies the priority value. The values can be from 0 through 7.

Enter a value.

Learn Vlan Id

Note: This option is supported only on EX4300 switches.

Specifies the value of the learnt VLAN ID. The value can be from 0 through 4095 or a range of values.

Enter a value.

Action

Counter name

Specifies the count of the number of packets that pass this filter, term, or policer.

Enter a value.

Forwarding class

Classifies the packet into one of the following forwarding classes:

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

  • None

Select the option from the list.

Loss priority

Specifies the packet loss priority.

Note: Forwarding class and loss priority must be specified together for the same term.

Enter the value.

Analyzer

Note: This option is not supported on EX4300 switches.

Specifies whether to perform port mirroring on packets. Port mirroring copies all packets entering one switch port to a network-monitoring connection on another switch port.

Select the analyzer (port mirroring configuration) from the list.

Port Mirror Instance

Note: This option is supported only on EX4300 switches.

Specifies whether to perform port mirroring on packets. Port mirroring copies all packets entering one switch port to a network-monitoring connection on another switch port.

Select the port mirroring instance from the list. Default is selected by default.
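
The notes in Tables 47 through 49 place several constraints on which fields can be combined in a term and where a filter can be applied. The following is an added example, not part of the original documentation or of J-Web: a small check that reviews a planned term against those constraints before it is entered and committed. The dictionary layout, key names, and function names are assumptions made for this example.

```python
# Added example: lint a planned filter term against the notes in Tables 47-49.
# The dict layout and key names are hypothetical, chosen for this example.
USER_PRIORITY = {  # text synonyms and field values listed in Table 49
    "best-effort": 0, "background": 1, "standard": 2, "excellent-load": 3,
    "controlled-load": 4, "video": 5, "voice": 6, "network-control": 7,
}
# Match conditions the page marks "not applicable for a routing filter"
L2_ONLY = ("ether_type", "dot1q_user_priority", "vlan", "dot1q_tag")


def dscp_from_tos(tos_byte):
    """DSCP is the most significant six bits of the ToS byte."""
    return (tos_byte & 0xFF) >> 2


def check_term(filter_type, term):
    """Return rule violations; filter_type is 'port-vlan' or 'router'."""
    problems = []
    if "dscp" in term and "precedence" in term:
        problems.append("dscp and precedence cannot be specified together")
    if "icmp_code" in term and "icmp_type" not in term:
        problems.append("icmp_code requires icmp_type")
    if ("forwarding_class" in term) != ("loss_priority" in term):
        problems.append("forwarding_class and loss_priority go together")
    if filter_type == "router":
        if "source_mac" in term or "destination_mac" in term:
            problems.append("MAC match is only for port or VLAN filters")
        for key in L2_ONLY:
            if key in term:
                problems.append(f"{key} is not applicable for a routing filter")
    prio = term.get("dot1q_user_priority")
    if prio is not None:
        prio = USER_PRIORITY.get(prio, prio)  # synonym -> number
        if not isinstance(prio, int) or not 0 <= prio <= 7:
            problems.append("dot1q_user_priority must be 0-7 or a synonym")
    tag = term.get("dot1q_tag")  # expected as an integer
    if tag is not None and not 1 <= tag <= 4095:
        problems.append("dot1q_tag must be from 1 through 4095")
    return problems


def check_association(filter_type, kind, direction):
    """kind is 'port' or 'vlan'; direction is 'ingress' or 'egress'."""
    if filter_type == "router" and kind == "vlan":
        return "router firewall filters can be associated with ports only"
    if filter_type == "port-vlan" and kind == "port" and direction != "ingress":
        return "only ingress is supported for port association"
    return None


# Constructed sample term that breaks several of the rules at once
SAMPLE_TERM = {"dscp": 46, "precedence": 5, "icmp_code": 3, "dot1q_tag": 0,
               "forwarding_class": "best-effort", "source_mac": "00:00:5e:00:53:01"}
if __name__ == "__main__":
    print("\n".join(check_term("router", SAMPLE_TERM)))
```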