Example: Filtering Packets Received on an Interface Set
This example shows how to configure a standard stateless firewall filter to match packets tagged for a particular interface set.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Overview
In this example, you apply a stateless firewall filter to the input of the router or switch loopback interface. The firewall filter includes a term that matches packets tagged for a particular interface set.
Topology
You create the firewall filter L2_filter to apply rate limits to the protocol-independent traffic received on the following interfaces:
- fe-0/0/0.0
- fe-1/0/0.0
- fe-1/1/0.0
The interface type in this topic is just an example. The fe- interface type is not supported by EX Series switches.
First, for protocol-independent traffic received on fe-0/0/0.0, the firewall filter term t1 applies policer p1.
For protocol-independent traffic received on any other Fast Ethernet interface, firewall filter term t2 applies policer p2. To define an interface set that consists of all Fast Ethernet interfaces, you include the interface-set interface-set-name interface-name statement at the [edit firewall] hierarchy level. To define packet-matching criteria based on whether the interface on which a packet arrives belongs to a specified interface set, you configure a term that uses the interface-set firewall filter match condition.
Finally, for any other protocol-independent traffic, firewall filter term t3 applies policer p3.
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configuring the Interfaces for Which the Stateless Firewall Filter Terms Take Rate-Limiting Actions
- Configuring the Stateless Firewall Filter That Rate-Limits Protocol-Independent Traffic Based on the Interfaces on Which Packets Arrive
- Applying the Stateless Firewall Filter to the Routing Engine Input Interface
CLI Quick Configuration
To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces fe-0/0/0 unit 0 family inet address 10.1.1.1/30
set interfaces fe-1/0/0 unit 0 family inet address 10.2.2.1/30
set interfaces fe-1/1/0 unit 0 family inet address 10.4.4.1/30
set firewall policer p1 if-exceeding bandwidth-limit 5m
set firewall policer p1 if-exceeding burst-size-limit 10m
set firewall policer p1 then discard
set firewall policer p2 if-exceeding bandwidth-limit 40m
set firewall policer p2 if-exceeding burst-size-limit 100m
set firewall policer p2 then discard
set firewall policer p3 if-exceeding bandwidth-limit 600m
set firewall policer p3 if-exceeding burst-size-limit 1g
set firewall policer p3 then discard
set firewall interface-set ifset fe-*
set firewall family any filter L2_filter term t1 from interface fe-0/0/0.0
set firewall family any filter L2_filter term t1 then count c1
set firewall family any filter L2_filter term t1 then policer p1
set firewall family any filter L2_filter term t2 from interface-set ifset
set firewall family any filter L2_filter term t2 then count c2
set firewall family any filter L2_filter term t2 then policer p2
set firewall family any filter L2_filter term t3 then count c3
set firewall family any filter L2_filter term t3 then policer p3
set interfaces lo0 unit 0 family inet address 172.16.1.157/30
set interfaces lo0 unit 0 filter input L2_filter
Configuring the Interfaces for Which the Stateless Firewall Filter Terms Take Rate-Limiting Actions
Step-by-Step Procedure
To configure the interfaces for which the stateless firewall filter terms take rate-limiting actions:
Configure the logical interface whose input traffic will be matched by the first term of the firewall filter.
[edit]
user@host# set interfaces fe-0/0/0 unit 0 family inet address 10.1.1.1/30
Configure the logical interfaces whose input traffic will be matched by the second term of the firewall filter.
[edit]
user@host# set interfaces fe-1/0/0 unit 0 family inet address 10.2.2.1/30
user@host# set interfaces fe-1/1/0 unit 0 family inet address 10.4.4.1/30
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Results
Confirm the configuration of the router (or switch) transit interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show interfaces
fe-0/0/0 {
    unit 0 {
        family inet {
            address 10.1.1.1/30;
        }
    }
}
fe-1/0/0 {
    unit 0 {
        family inet {
            address 10.2.2.1/30;
        }
    }
}
fe-1/1/0 {
    unit 0 {
        family inet {
            address 10.4.4.1/30;
        }
    }
}
Configuring the Stateless Firewall Filter That Rate-Limits Protocol-Independent Traffic Based on the Interfaces on Which Packets Arrive
Step-by-Step Procedure
To configure the standard stateless firewall filter L2_filter that uses policers (p1, p2, and p3) to rate-limit protocol-independent traffic based on the interfaces on which the packets arrive:
Configure the firewall statements.
[edit]
user@host# edit firewall
Configure the policer p1 to discard traffic that exceeds a traffic rate of 5m bps or a burst size of 10m bytes.
[edit firewall]
user@host# set policer p1 if-exceeding bandwidth-limit 5m
user@host# set policer p1 if-exceeding burst-size-limit 10m
user@host# set policer p1 then discard
Configure the policer p2 to discard traffic that exceeds a traffic rate of 40m bps or a burst size of 100m bytes.
[edit firewall]
user@host# set policer p2 if-exceeding bandwidth-limit 40m
user@host# set policer p2 if-exceeding burst-size-limit 100m
user@host# set policer p2 then discard
Configure the policer p3 to discard traffic that exceeds a traffic rate of 600m bps or a burst size of 1g bytes.
[edit firewall]
user@host# set policer p3 if-exceeding bandwidth-limit 600m
user@host# set policer p3 if-exceeding burst-size-limit 1g
user@host# set policer p3 then discard
Define the interface set ifset to be the group of all Fast Ethernet interfaces on the router.
[edit firewall]
user@host# set interface-set ifset fe-*
Create the stateless firewall filter L2_filter.
[edit firewall]
user@host# edit family any filter L2_filter
Configure filter term t1 to match IPv4, IPv6, or MPLS packets received on interface fe-0/0/0.0 and use policer p1 to rate-limit that traffic.
[edit firewall family any filter L2_filter]
user@host# set term t1 from interface fe-0/0/0.0
user@host# set term t1 then count c1
user@host# set term t1 then policer p1
Configure filter term t2 to match packets received on interface-set ifset and use policer p2 to rate-limit that traffic.
[edit firewall family any filter L2_filter]
user@host# set term t2 from interface-set ifset
user@host# set term t2 then count c2
user@host# set term t2 then policer p2
Configure filter term t3 to use policer p3 to rate-limit all other traffic.
[edit firewall family any filter L2_filter]
user@host# set term t3 then count c3
user@host# set term t3 then policer p3
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
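The term selection described in the Topology overview and configured in the steps above, as an added example that is not part of this Juniper page: a Python model of first-match term evaluation for L2_filter, built from the page's term and interface-set definitions. The model's glob matching of interface-set members and its implicit-discard fallback are assumptions of the example, not Junos code; it also shows that swapping t1 and t2 would police fe-0/0/0.0 with the looser policer p2.

```python
# Added example (not from this Juniper page): a Python model of how the
# stateless filter L2_filter picks a term for a packet arriving on a given
# logical interface. First-match semantics, glob matching of interface-set
# members and the implicit discard are this model's assumptions.
from fnmatch import fnmatchcase

# Interface set as configured on the page: `set firewall interface-set ifset fe-*`
INTERFACE_SETS = {"ifset": ["fe-*"]}

# Terms of L2_filter in the configured order. An empty `from` matches all traffic.
L2_FILTER = [
    {"name": "t1", "from": {"interface": "fe-0/0/0.0"},
     "then": {"count": "c1", "policer": "p1"}},   # p1: 5m bps / 10m bytes
    {"name": "t2", "from": {"interface-set": "ifset"},
     "then": {"count": "c2", "policer": "p2"}},   # p2: 40m bps / 100m bytes
    {"name": "t3", "from": {},
     "then": {"count": "c3", "policer": "p3"}},   # p3: 600m bps / 1g bytes
]

# Same terms with t1 and t2 swapped, to show why term order matters.
MISORDERED = [L2_FILTER[1], L2_FILTER[0], L2_FILTER[2]]


def interface_in_set(ifl: str, set_name: str) -> bool:
    """True if logical interface `ifl` matches any member pattern of the set."""
    return any(fnmatchcase(ifl, pat) for pat in INTERFACE_SETS[set_name])


def term_matches(term: dict, ifl: str) -> bool:
    """All `from` conditions of a term must hold for the term to match."""
    conds = term["from"]
    if "interface" in conds and conds["interface"] != ifl:
        return False
    if "interface-set" in conds and not interface_in_set(ifl, conds["interface-set"]):
        return False
    return True


def evaluate(terms: list, ifl: str) -> dict:
    """Return the name and actions of the first term that matches `ifl`."""
    for term in terms:
        if term_matches(term, ifl):
            return {"term": term["name"], **term["then"]}
    # No term matched: the filter's implicit discard (unreachable with t3 present).
    return {"term": None, "action": "discard"}


if __name__ == "__main__":
    for ifl in ("fe-0/0/0.0", "fe-1/0/0.0", "ge-0/0/1.0"):
        print(ifl, evaluate(L2_FILTER, ifl), "misordered:", evaluate(MISORDERED, ifl))
```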
Results
Confirm the configuration of the stateless firewall filter and the policers referenced as firewall filter actions by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit]
user@host# show firewall
family any {
    filter L2_filter {
        term t1 {
            from {
                interface fe-0/0/0.0;
            }
            then {
                policer p1;
                count c1;
            }
        }
        term t2 {
            from {
                interface-set ifset;
            }
            then {
                policer p2;
                count c2;
            }
        }
        term t3 {
            then {
                policer p3;
                count c3;
            }
        }
    }
}
policer p1 {
    if-exceeding {
        bandwidth-limit 5m;
        burst-size-limit 10m;
    }
    then discard;
}
policer p2 {
    if-exceeding {
        bandwidth-limit 40m;
        burst-size-limit 100m;
    }
    then discard;
}
policer p3 {
    if-exceeding {
        bandwidth-limit 600m;
        burst-size-limit 1g;
    }
    then discard;
}
interface-set ifset {
    fe-*;
}
Applying the Stateless Firewall Filter to the Routing Engine Input Interface
Step-by-Step Procedure
To apply the stateless firewall filter to the Routing Engine input interface:
Apply the stateless firewall filter to the Routing Engine interface in the input direction.
[edit]
user@host# set interfaces lo0 unit 0 family inet address 172.16.1.157/30
user@host# set interfaces lo0 unit 0 filter input L2_filter
If you are done configuring the device, commit the configuration.
[edit]
user@host# commit
Results
Confirm the application of the firewall filter to the Routing Engine input interface by entering the show interfaces command again. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
user@host# show interfaces
fe-0/0/0 {
    ...
}
fe-1/0/0 {
    ...
}
fe-1/1/0 {
    ...
}
lo0 {
    unit 0 {
        filter {
            input L2_filter;
        }
        family inet {
            address 172.16.1.157/30;
        }
    }
}
Verification
To confirm that the configuration is working properly, use the show firewall filter L2_filter operational mode command to monitor traffic statistics for the firewall filter and its three counters.