Firewall Filter Configuration Statements Supported by Junos OS for EX Series Switches

You configure firewall filters to filter packets based on their components and to perform an action on packets that match the filter.

Table 1 lists the options that are supported for the firewall statement in Junos OS for EX Series switches.

Table 1: Supported Options for Firewall Filter Statements

Statement and Option

Description

family family-name {
}

The family-name option specifies the version or type of addressing protocol:

  • any—Filter packets based on protocol-independent match conditions.

  • ethernet-switching—Filter Layer 2 (Ethernet) packets and Layer 3 (IP) packets.

  • inet—Filter IPv4 packets.

  • inet6—Filter IPv6 packets.

filter filter-name {
}

The filter-name option identifies the filter. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

interface-specific

The interface-specific statement configures unique names for individual firewall counters specific to each interface.

term term-name {
}

The term-name option identifies the term. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (" " ). Each term name must be unique within a filter.

from {
    match-conditions;
}

The from statement is optional. If you omit it, all packets are considered to match.

then {
    action;
    action-modifiers;
}

For information about the action and action-modifiers options, see Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches.

policer policer-name {
}

The policer-name option identifies the policer. The name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the name in quotation marks (" " ).

filter-specific

The filter-specific statement configures policers and counters for a specific filter name.

if-exceeding {
    bandwidth-limit bps;
    burst-size-limit bytes;
}

The bandwidth-limit bps option specifies the traffic rate in bits per second (bps).

You can specify bps as a decimal value or as a decimal number followed by one of the following abbreviations:

  • k (thousand)

  • m (million)

  • g (billion, which is also called a thousand million)

Range: 1000 (1k) through 102,300,000,000 (102.3g) bps

The burst-size-limit bytes option specifies the maximum allowed burst size to control the amount of traffic bursting. To determine the value for the burst-size limit, you can multiply the bandwidth of the interface on which the filter is applied by the amount of time (in seconds) to allow a burst of traffic at that bandwidth to occur:

burst size = bandwidth * allowable time for burst traffic

You can specify a decimal value or a decimal number followed by k (thousand) or m (million).

Range: 1 through 2,147,450,880 bytes

then {
    policer-action;
}

Use the policer-action option to specify discard to discard traffic that exceeds the rate limits.
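The statements above combined into one configuration, as an added example that is not part of this page: a policer that rate-limits ICMP reaching the switch and a family inet filter that applies it. The burst-size limit is worked out from the formula on this page assuming a 1-Gbps interface and a 5-ms allowable burst (the result is converted from bits to bytes, since burst-size-limit is specified in bytes); the protocol match condition and the count action modifier are assumed from the separate match-conditions reference the page refers to, and the filter, policer and counter names are made up for the example.

```junos
firewall {
    policer limit-icmp-1m {
        /* Keep policer counters specific to this filter. */
        filter-specific;
        if-exceeding {
            /* Sustained rate: 1 Mbps (decimal number plus m abbreviation). */
            bandwidth-limit 1m;
            /* burst size = bandwidth * allowable burst time
               = 1,000,000,000 bps * 0.005 s = 5,000,000 bits = 625,000 bytes */
            burst-size-limit 625k;
        }
        /* Traffic above the limit is dropped rather than queued. */
        then discard;
    }
    family inet {
        filter protect-icmp {
            /* One counter instance per interface the filter is applied to. */
            interface-specific;
            term rate-limit-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer limit-icmp-1m;
                    count icmp-policed;
                    accept;
                }
            }
            /* No from statement: every remaining packet matches and is accepted. */
            term allow-rest {
                then accept;
            }
        }
    }
}
```

The filter takes effect only once it is applied as an input or output filter on an interface; that step is outside the [edit firewall] hierarchy this page covers.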

Junos OS for EX Series switches does not support some of the firewall filter statements that are supported by other Junos OS packages. Table 2 shows the firewall filter statements that are not supported by Junos OS for EX Series switches.

Table 2: Firewall Filter Statements That Are Not Supported by Junos OS for EX Series Switches

Statements not supported, grouped by statement hierarchy level:

[edit firewall]

  • interface-set interface-set-name { }

  • load-balance-group group-name { }

  • three-color-policer name { }

  • logical-interface-policer;

  • single-rate { }

  • two-rate { }

[edit firewall family family-name]

  • prefix-action name { }

  • prefix-policer { }

  • service-filter filter-name { }

  • simple-filter simple-filter-name { }

[edit firewall family family-name filter filter-name]

  • accounting-profile name;

[edit firewall policer policer-name]

  • logical-bandwidth-policer;

  • logical-interface-policer;

[edit firewall policer policer-name if-exceeding]

  • bandwidth-percent number;