ON THIS PAGE
Example: Configuring Interface-Specific Firewall Filter Counters
This example shows how to configure and apply an interface-specific standard stateless firewall filter.
Requirements
Interface-specific stateless firewall filters are supported on T Series, M120, M320, and MX Series routers only.
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you create an interface-specific stateless firewall filter that counts and accepts packets with source or destination addresses in a specified prefix and the IP protocol type field set to a specific value.
Topology
You configure the interface-specific stateless firewall filter filter_s_tcp to count and accept packets with IP source or
destination addresses in the 10.0.0.0/12 prefix and the
IP protocol type field set to tcp (or the numeric
value 6).
The name of the firewall filter counter is count_s_tcp.
You apply the firewall filter to multiple logical interfaces:
at-1/1/1.0inputso-2/2/2.2output
Applying the filter to these two interfaces results in two instances
of the filter: filter_s_tcp-at-1/1/1.0-i and filter_s_tcp-so-2/2/2.2-o, respectively.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configure the Interface-Specific Firewall Filter
- Apply the Interface-Specific Firewall Filter to Multiple Interfaces
- Confirm Your Candidate Configuration
- Clear the Counters and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following
commands into a text file, remove any line breaks, and then paste
the commands into the CLI at the [edit] hierarchy level.
set firewall family inet filter filter_s_tcp interface-specific set firewall family inet filter filter_s_tcp term 1 from address 10.0.0.0/12 set firewall family inet filter filter_s_tcp term 1 from protocol tcp set firewall family inet filter filter_s_tcp term 1 then count count_s_tcp set firewall family inet filter filter_s_tcp term 1 then accept set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp set interfaces so-2/2/2 unit 2 family inet filter filter_s_tcp
Configure the Interface-Specific Firewall Filter
Step-by-Step Procedure
To configure the interface-specific firewall filter:
Create the IPv4 firewall filter
filter_s_tcp.[edit] user@host# edit firewall family inet filter filter_s_tcp
Enable interface-specific instances of the filter.
[edit firewall family inet filter filter_s_tcp] user@host# set interface-specific
Configure the match conditions for the term.
[edit firewall family inet filter filter_s_tcp] user@host# set term 1 from address 10.0.0.0/12 user@host# set term 1 from protocol tcp
Configure the actions for the term.
[edit firewall family inet filter filter_s_tcp] user@host# set term 1 then count count_s_tcp user@host# set term 1 then accept
Apply the Interface-Specific Firewall Filter to Multiple Interfaces
Step-by-Step Procedure
To apply the filter filter_s_tcp to logical
interfaces at-1/1/1.0 and so-2/2/2.2:
Apply the interface-specific filter to packets received on logical interface
at-1/1/1.0.[edit] user@host# set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp
Apply the interface-specific filter to packets transmitted from logical interface
so-2/2/2.2.[edit] user@host# set interfaces so-2/2/2 unit 2 family inet filter filter_s_tcp
Confirm Your Candidate Configuration
Step-by-Step Procedure
To confirm your candidate configuration:
Confirm the configuration of the stateless firewall filter by entering the
show firewallconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet { filter filter_s_tcp { interface-specific; term 1 { from { address { 10.0.0.0/12; } protocol tcp; } then { count count_s_tcp; accept; } } } }Confirm the configuration of the interfaces by entering the
show interfacesconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces at-1/1/1 { unit 0 family inet { filter { input filter_s_tcp; } } ] } so-2/2/2 { unit 2 family inet { filter { output filter_s_tcp; } } } }
Clear the Counters and Commit Your Candidate Configuration
Step-by-Step Procedure
To clear the counters and commit your candidate configuration:
From operational command mode, use the
clear firewall allcommand to clear the statistics for all firewall filters.To clear only the counters used in this example, include the interface-specific filter instance names:
[edit] user@host> clear firewall filter filter_s_tcp-at-1/1/1.0-i user@host> clear firewall filter filter_s_tcp-so-2/2/2.2-o
Commit your candidate configuration.
[edit] user@host# commit
Verification
Confirm that the configuration is working properly.
- Verifying That the Filter Is Applied to Each of the Multiple Interfaces
- Verifying That the Counters Are Collected Separately by Interface
Verifying That the Filter Is Applied to Each of the Multiple Interfaces
Purpose
Verify that the filter is applied to each of the multiple interfaces.
Action
Run the show interfaces command with the detail or extensive output level.
Verify that the filter is applied to the input for
at-1/1/1.0:user@host> show interfaces at-1/1/1 detail Physical interface: at-1/1/1, Enabled, Physical link is Up Interface index: 300, SNMP ifIndex: 194, Generation: 183 ... Logical interface at-1/1/1.0 (Index 64) (SNMP ifIndex 204) (Generation 5) Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: ATM-SNAP ... Protocol inet, MTU: 4470, Generation: 13, Route table: 0 Flags: Sendbcast-pkt-to-re Input Filters: filter_s_tcp-at-1/1/1.0-i,,,,,Verify that the filter is applied to the output for
so-2/2/2.2:user@host> show interfaces so-2/2/2 detail Physical interface: so-2/2/2, Enabled, Physical link is Up Interface index: 129, SNMP ifIndex: 502, Generation: 132 ... Logical interface so-2/2/2.2 (Index 70) (SNMP ifIndex 536) (Generation 135) Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP ... Protocol inet, MTU: 4470, Generation: 146, Route table: 0 Flags: Sendbcast-pkt-to-re Output Filters: filter_s_tcp-so-2/2/2.2-o,,,,,
Verifying That the Counters Are Collected Separately by Interface
Purpose
Make sure that the count_s_tcp counters
are collected separately for the two logical interfaces.
Action
Run the show firewall command.
user@host> show firewall filter filter_s_tcp Filter: filter_s_tcp Counters: Name Bytes Packets count_s_tcp-at-1/1/1.0-i 420 5 count_s_tcp-so-2/2/2.2-o 8888 101