Overview of Firewall Filters (OCX Series)

Firewall filters provide rules that define whether to accept or discard packets that are transiting an interface. If a packet is accepted, you can configure additional actions to perform on the packet, such as class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority) and traffic policing (controlling the maximum rate of traffic sent or received). You configure firewall filters to determine whether to accept or discard a packet before it enters or exits a Layer 3 (routed) interface.

An ingress firewall filter is applied to packets that are entering an interface, and an egress firewall filter is applied to packets that are exiting an interface.

Note:

Firewall filters are sometimes called access control lists (ACLs).

Where You Can Apply Filters

You can apply a firewall filter in both the ingress and egress directions on IPv4 or IPv6 Layer 3 (routed) interfaces and on the loopback interface (lo0), where it filters traffic sent to the switch itself or generated by the switch.

You apply a filter to a loopback interface in the input direction to protect the switch itself from unwanted traffic. You might also apply a filter to a loopback interface in the output direction so that you can set the forwarding class and DSCP value of packets that originate on the switch. This gives you fine-grained control over the classification of CPU-generated packets. For example, you might assign different DSCP values and forwarding classes to traffic generated by different routing protocols so that other devices can treat each protocol's traffic in a differentiated manner.

Note:

On QFX5220 switches, you can only apply a filter to a loopback interface in the ingress direction.

Note:

If you apply ingress and egress filters to the same interface, the ingress filter is processed first.

To apply a firewall filter:

  1. Configure the firewall filter.

  2. Apply the firewall filter to a Layer 3 interface and specify the direction. If you specify the input direction, traffic is filtered on ingress. If you specify the output direction, traffic is filtered on egress.

Note:

You can apply only one firewall filter to a Layer 3 interface for a given direction. For example, for a given family inet interface, you can apply one filter for input and one for output.

OCX switches support the maximum numbers of firewall filter terms per type of attachment point shown in Table 1.

Table 1: Supported Firewall Filter Numbers

Filter Type    Maximum Number of Filters
Ingress        1536
Egress         1024

Firewall Filter Components

In a firewall filter, you first define the family address type (inet for IPv4 or inet6 for IPv6) and then define one or more terms that specify the filtering criteria and the action to take if a match occurs.

Each term consists of the following components:

  • Match conditions—Specify values that a packet must contain to be considered a match.

  • Action—Specifies what to do if a packet matches the match conditions. A filter can accept, discard, or reject a matching packet and then perform additional actions, such as counting, classifying, and policing. If no action is specified for a term, the default is to accept the matching packet.

Firewall Filter Processing

If a filter has multiple terms, their order matters. The switch compares the packet to the terms in sequence; at the first term whose match conditions the packet satisfies, it executes that term's action and evaluates no further terms. If the packet matches none of the terms, the switch discards it by default (the implicit discard at the end of every filter). To accept unmatched traffic instead, add a final term with no match conditions and an accept action.
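The following Junos configuration is an added example, not taken from this page, that walks through the two-step procedure above (define the filter, then apply it to an interface with a direction) and shows first-match processing on a loopback filter. The filter name protect-re, the counter and policer names, and the 192.0.2.0/24 and 198.51.100.0/24 prefixes are placeholders; substitute your own peer and management ranges.

```junos
firewall {
    family inet {
        /* Step 1: define the filter. Names and prefixes are placeholders. */
        filter protect-re {
            /* BGP sessions are accepted only from the peer range. */
            term allow-bgp {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Must precede drop-ssh: the first matching term wins, so
               swapping these two terms would drop management SSH as well. */
            term allow-ssh-mgmt {
                from {
                    source-address {
                        198.51.100.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-accepted;
                    accept;
                }
            }
            /* Every other SSH attempt is counted and discarded. */
            term drop-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-dropped;
                    discard;
                }
            }
            /* ICMP is accepted but rate-limited by the policer below. */
            term allow-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-limit;
                    accept;
                }
            }
            /* Explicit catch-all. The implicit default would discard these
               packets anyway; an explicit term makes the drops countable. */
            term deny-rest {
                then {
                    count other-dropped;
                    discard;
                }
            }
        }
    }
    policer icmp-limit {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                /* Step 2: attach the filter to lo0 in the input direction. */
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Because unmatched traffic is discarded, a loopback filter that forgets a protocol the switch depends on (OSPF, NTP, the management path) silently breaks it; commit such a change with commit confirmed so that it rolls back automatically if you lose access, and watch the counters with show firewall filter protect-re. This filter applies to family inet only; IPv6 traffic to lo0 needs its own family inet6 filter, since only one filter per family and direction can be attached.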