Firewall Filter Match Conditions and Actions (QFX and EX Series Switches)
Firewall Filter Match Conditions and Actions (EX4400, EX4100, EX4100-F, EX4600, EX4650, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX5700)
Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.
When a packet matches a filter, a switch takes the action specified in the term. In addition, you can specify action modifiers to count, mirror, rate-limit, and classify packets. If no match conditions are specified for the term, the switch accepts the packet by default.
Table 2 describes the match conditions you can specify when configuring a firewall filter. Some of the numeric range and bit-field match conditions allow you to specify a text synonym. To see a list of all the synonyms for a match condition, type
?at the appropriate place in a statement.Table 3 shows the actions that you can specify in a term.
Table 4 shows the action modifiers you can use to count, mirror, rate-limit, and classify packets.
For match conditions on specific switches, these limitations apply:
|
(QFX5100, QFX5110, QFX5200) When using filter-based forwarding on IPv6 interfaces,
only these match conditions are supported in the (ingress direction):
|
|
(QFX5110) When you enable the |
|
(QFX5100, QFX5110, QFX5120, QFX5130-32CD, QFX5220, QFX5700) In an EVPN-VXLAN
environment, only these match conditions are supported:
|
|
(QFX5100, QFX5110, QFX5200, QFX5120) You cannot apply a firewall filter in the egress direction on a EVPN-VXLAN IRB interface. |
|
(QFX5700) You cannot apply a firewall filter in the egress direction on a loopback interface. |
|
(QFX5100, QFX5110) If you are using firewall filters to implement MAC filtering in an EVPN-VXLAN environment, see MAC Filtering, Storm Control, and Port Mirroring Support in an EVPN-VXLAN Environment for the supported match conditions. |
|
(QFX5100, QFX5110) For each firewall filter that you apply to a VXLAN, you can
specify |
|
(EX4100, EX4400, EX4600, EX4650, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210) Use
only available interfaces when using the |
|
On switches that do not support Layer 2 features, use only those match conditions that are valid for IPv4 and IPv6 interfaces. |
|
(QFX5120, EX4650) Starting with Junos Release 21.4R1, the following match
conditions are supported in an EVPN-VXLAN environment on QFX5120, and EX4650:
|
|
Starting in Junos OS Release 21.4R1, the source-port-range-optimize and the
destination-port-range-optimize conditions are supported under |
|
Starting with Junos Release 22.4R1, the following match conditions are supported
for GBP tagging in an EVPN-VXLAN environment on supported EX4100, EX4400, EX4650,
and QFX5120 Series switches: |
|
Starting with Junos Release 23.2R1, new IPV4 and IPv6 L4 matches are supported for policy enforcement on the EX4100 series, EX4400 series, EX4650 series, QFX5120-32C and QFX5120-48Y switches. |
|
Starting in Junos OS Release 23.4R1 and later, the |
Match Condition |
Description |
Direction and Interface |
|---|---|---|
|
ARP request packet or ARP reply packet. |
Egress and ingress interfaces. |
|
IP destination address field, which is the address of the final destination node. |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. |
|
Destination media access control (MAC) address of the packet. |
Ingress ports, VLANs and IPv4 (inet) interfaces. Egress ports and VLANs. |
|
TCP or UDP destination port field. Typically, you specify this match
in conjunction with the
|
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
Match a range of TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual destination ports. (Not supported with filter-based forwarding.) |
Ingress ports, VLANs, IPv4 (inet) interfaces. |
|
IP destination prefix list field. You can define a list of IP address prefixes
under a prefix-list alias for frequent use. Define this list at the |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
|
Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
|
Ingress ports and VLANs. Egress ports and VLANs. |
|
Include this option to increase the number of egress VLAN firewall filter terms from 1024 to 2048. |
Egress VLAN IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
Match on MPLS EXP bits. |
Ingress MPLS interfaces. Egress MPLS interfaces. |
|
IP fragmentation flags. In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed):
|
Ingress ports and VLANs. |
|
|
Match the destination tag, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN. |
Not applicable |
|
|
Match the source tag, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN. |
Not applicable |
|
ICMP code field. Because the meaning of the value depends upon the associated
|
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
Match the specified hop limit or set of hop limits. Specify a single value or a range of values from 0 through 255. |
Ingress and egress IPv6 (inet6) interfaces. Note:
Not supported in the egress direction on the QFX3500, QFX3600, QFX5100, QFX5120, QFX5110, QFX5200, and QFX5210 switches. |
|
|
Match the IPv4 or IPv6 source or destination address, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress and egress (system wide). |
ip-version ipv4 destination-port
DST_PORT
|
Match the TCP/UDP destination port, for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 source-port
SRC_PORT
|
Match the TCP/UDP source port, for use with for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 ip-protocol
PROTOCOL
|
Match the IP protocol type, for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 is-fragment |
Match if the packet is a fragment, for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 fragment-flag
FLAGS
|
Match the fragment flags (in symbolic or hex formats), for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 ttlValue
|
IP Time-to-live (TTL) field in decimal. The value can be 1-255. For use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 tcp-flagsFLAGS
|
Match one or more TCP flags (in symbolic or hex formats), for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 tcp-initial |
Match the first TCP packet of a connection. For use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv4 tcp-established |
Match the packets of an established TCP connection, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv6 source-port
SRC_PORT
|
Match the TCP/UDP source port, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv6 destination-port
DST_PORT
|
Match the TCP/UDP destination port, for use with for use with GBP policy filter L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv6 next-header
PROTOCOL
|
Match the next header protocol type, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv6 tcp-flagsFLAGS
|
Match the TCP flags, for use with GBP policy L4 matches, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv6 tcp-initial |
Match the initial packets of an established TCP connection, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
ip-version ipv6 tcp-established |
Match the packets of an established TCP connection, as described in: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN |
Ingress only. |
|
ICMP message type field. Typically, you specify this match in conjunction with
the IPv4: IPv6: See also |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
Interface on which the packet is received, including the logical unit. You can
include the wildcard character ( Note:
An interface from which a packet is sent cannot be used as a match condition. Match a list of interfaces under the same term in a filter. For use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN. |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces and IPv6 (inet6) interfaces. |
|
IPv4 address that is the final destination node address for the packet. |
Ingress ports and VLANs. |
|
IPv6 address that is the final destination node address for the packet. |
Ingress ports and VLANs. (You cannot simultaneously apply a filter with this match criterion to a Layer 2 port and VLAN that includes that port.) |
|
Specify |
Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
IP precedence field. In place of the numeric field value, you can specify one
of the following text synonyms (the field values are also listed): |
Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
IP protocol field. |
Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
IPv4 address of the source node sending the packet. |
Ingress ports and VLANs. |
|
IPv6 address of the source node sending the packet. |
Ingress ports and VLANs. (You cannot simultaneously apply a filter with this match criterion to a Layer 2 port and VLAN that includes that port.) |
|
IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface. |
Ingress ports and VLANs. |
|
Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero. |
Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
Match on logical link control (LLC) layer packets for non-Subnet Access Protocol (SNAP) Ethernet Encapsulation type. |
Ingress ports and VLANs. Egress ports and VLANs. |
|
Match on MPLS label bits. |
Ingress MPLS interfaces. Egress MPLS interfaces. |
|
Matches the ID of a normal VLAN or the ID of the outer (service) VLAN (for Q-in-Q VLANs). The acceptable values are 1-4095. Note:
Not supported on QFX3600, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, QFX5220, EX4600, EX4650,
EX4400, EX4100 and EX4300-MP switches. Use the |
Ingress ports and VLANs. Egress ports and VLANs. |
|
|
Match the source media access control (MAC) address, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN. |
Ingress and egress (system wide) . |
|
IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
|
Ingress ports, VLANs, and IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
|
Packet length in bytes. You must enter a value between 0 and 65535. |
Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
Note:
Not supported on the QFX3500, QFX3600, QFX5100, QFX5110, QFX5200, QFX5210 switches. |
Ingress ports, VLANs, and IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
|
|
The port qualifier will install two entries in the packet forwarding engine. One with the source-port and second one with the destination-port. |
Ingress ports, VLANs, IPv4 (inet), and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
|
Ingress ports, VLANs, and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
|
Ingress ports, VLANs and IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
Match the radio-access technology (RAT) type specified in the 8-bit Tech-Type field of Proxy Mobile IPv4 (PMIPv4) access technology type extension. The technology type specifies the access technology through which the mobile device is connected to the access network. Specify a single value, a range of values, or a set of values. You can specify a technology type as a numeric value from 0 through 255 or as a system keyword.
|
Egress and ingress IPv4 (inet) interfaces. |
|
Sample the packet traffic. Apply this option only if you have enabled traffic sampling. |
Egress and ingress IPv4 (inet) interfaces. |
|
IP source address field, which is the address of the node that sent the packet. |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
Source media access control (MAC) address of the packet. |
Ingress ports and VLANs. Egress ports and VLANs. |
|
TCP or UDP source port. Typically, you specify this match in conjunction with
the |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
Match a range of TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual source ports. (Not supported with filter-based forwarding.) |
Ingress ports, VLANs, IPv4 (inet) interfaces. |
|
IP source prefix list. You can define a list of IP address prefixes under a prefix-list
alias for frequent use. Define this list at the |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
Matches packets of an established TCP three-way handshake connection (SYN, SYN-ACK,
ACK). The only packet not matched is the first packet of the handshake since only the SYN
bit is set. For this packet, you must specify When you specify |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
One or more TCP flags:
|
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
Match the first TCP packet of a connection. A match occurs when the TCP flag When you specify |
Ingress ports, VLANs, IPv4 (inet) interfaces, and IPv6 (inet6) interfaces. Egress IPv4 (inet) interfaces. |
|
8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4. You can specify one of the following text synonyms (the field values are also listed):
|
Ingress ports, VLANs, and IPv6 (inet6) interfaces. Egress IPv6 (inet6) interfaces. |
|
IP Time-to-live (TTL) field in decimal. The value can be 1-255. |
Ingress IPv4 (inet) interfaces. Egress IPv4 (inet) interfaces. |
|
Matches the specified 802.1p VLAN priority in the range |
Ingress and egress ports and VLANs. |
|
Matches the ID of the inner (customer) VLAN for a Q-in-Q VLAN. The acceptable values are 1-4095. Note:
For QFX3600, QFX5100, QFX5110, QFX5120, QFX5200, QFX5210, EX4600, EX4650, EX4400, EX4100 and
EX4300-MP switches, use For QFX5220 Series switches, and MX and ACX Series routers, use
|
Ingress and egress ports and VLANs. |
|
|
Match the VLAN identifier, vlan-range (the first and last VLAN ID number for the group of VLANs), or vlan list (list of numbers) for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN. Note:
Not supported on the EX4100 switches. |
Ingress and egress (system wide) |
Use then statements to define actions that should occur if a packet matches
all conditions in a from statement. Table 3shows the
actions that you can specify in a term. (If you do not include a then statement,
the system accepts packets that match the filter.)
Action |
Description |
|---|---|
|
Accept a packet. This is the default action for packets that match a term. |
|
Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. |
|
Discard a packet and send a “destination unreachable” ICMPv4 message
(type 3). To log rejected packets, configure the You can specify one of the following message types: If you specify If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.” Note:
The |
|
Forward matched packets to a virtual routing instance. |
|
Forward matched packets to a specific VLAN. Note:
The Note:
This action is not supported on OCX series switches. |
You can also specify the action modifiers listed in Table 4 to count, mirror, rate-limit, and classify packets.
Action Modifier |
Description |
|---|---|
|
(Non-ELS platforms) Mirror traffic (copy packets) to an analyzer configured at
the You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only. |
|
Count the number of packets that match the term. |
|
De-encapsulate GRE packets or forward de-encapsulated GRE packets to the specified routing instance |
|
Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
|
|
Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:
Note:
To configure a forwarding class, you must also configure loss priority. |
|
(QFX5120 and EX4650 only) |
Set the group based policy source tag (0..65535) for use with micro-segmentation on VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN. |
|
(EX4100, EX4400, EX4650 and QFX5120) |
Set the group based policy source tag (1..65535) for use with micro-segmentation on VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN. Note: Applies to Junos OS releases 22.4R1 and later.
|
|
Switch the traffic to the specified interface without performing a lookup on it. This action is valid only when the filter is applied on ingress. |
|
Log the packet's header information in the Routing Engine. To view this information,
enter the Note:
The |
|
Set the packet loss priority (PLP). Note:
The Note:
The |
|
Send packets to a policer (for the purpose of applying rate limiting). You can specify a policer for ingress port, VLAN, IPv4 (inet), IPv6 (inet6), and MPLS filters. Note:
The |
|
(ELS platforms) Mirror traffic (copy packets) to an output interface configured
in a port-mirroring instance at the You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only. |
|
(ELS platforms) Mirror traffic to a port-mirroring instance configured at the You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only. Note:
This action modifier is not supported on OCX series switches. |
|
Log an alert for this packet. Note:
The |
|
Send packets to a three-color policer (for the purpose of applying rate limiting). You can specify a three-color policer for ingress and egress port, VLAN, IPv4 (inet), IPv6 (inet6), and MPLS filters. Note:
The |
See Also
Firewall Filter Match Conditions and Actions (QFX5220 and the QFX5130-32CD)
This topic describes the supported firewall filter match conditions, actions, and action modifiers for the QFX5220-CD, QFX5220-128C, and QFX5130-32CD switches.
Each term in a firewall filter consists of match conditions and an action. Match conditions are the fields and values that a packet must contain to be considered a match. You can define single or multiple match conditions in match statements. You can also include no match statement, in which case the term matches all packets.
When a packet matches a filter, a switch takes the action specified in the term. If you apply no match condition, the switch accepts the packet by default.
-
Table 5 shows the match conditions for IPv4 (
inet) and the IPv6 (inet6) interfaces. It also contains the match conditions for ports and VLANs (ethernet-switching). -
Table 6 shows the actions and the action modifiers that you can specify in a term.
For match conditions, some of the numeric range and the bit-field match conditions
allow you to specify a text synonym. To see a list of all the synonyms for a match
condition, type ? at the appropriate place in a statement.
|
Match Condition |
Description |
Direction and Interface |
|---|---|---|
|
|
ARP request packet or an ARP reply packet. |
Ingress and egress ports and VLANs |
|
|
IP destination address field, which is the address of the final destination node. |
Ingress and egress IPv4 and IPv6 interfaces Ingress ports and VLANs |
|
|
Destination MAC address of the packet. |
Ingress and egress ports and VLANs |
|
|
TCP or UDP destination port field. You must specify this match with
the For the following well-known ports and port numbers you can specify text synonyms.
|
Ingress and egress IPv4 interfaces Ingress IPv6 interfaces. Ingress ports and VLANs |
|
|
Match a range of the TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual destination ports. (Not supported with filter-based forwarding.) |
Ingress IPv4 interfaces |
|
|
IP destination prefix list field. You can define a list of IP address
prefixes under a prefix-list alias for frequent use. Define this
list at the |
Ingress and egress IPv4 and IPv6 interfaces Ingress ports and VLANs. |
|
|
Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most-significant 6 bits of this byte form the DSCP. You can specify DSCP in hexadecimal, binary, or decimal form. In place of the numeric value, you can specify one of the following text synonyms and field listed.
|
Ingress and egress IPv4 interfaces Ingress ports and VLANs |
|
|
Ethernet type field of a packet. The EtherType value specifies what protocol is being transported in the Ethernet frame. In place of the numeric value, you can specify one of the following text synonyms. The field values are also listed.
|
Ingress and egress ports and VLANs |
| first-fragment |
Match if the packet is the first fragment of a fragmented packet. Avoiding matching the packet if it is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0. This match condition is an alias for the bit-field match condition fragment-offset 0 match condition. To match both first and trailing fragments, you can use two terms
that specify different match conditions: |
Ingress IPv4 interfaces |
|
|
ICMP code field. Because the meaning of the value depends upon the
associated
|
Ingress and egress IPv4 interfaces Ingress IPv6 interfaces Ingress ports and VLANs |
|
|
ICMP message type field. You must specify this match along with the
In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): IPv4:
IPv6:
See also |
Ingress and egress IPv4 interfaces Ingress IPv6 interfaces Ingress ports and VLANs |
|
|
Interface on which the packet is received, including the logical
unit. You can include the wildcard character ( Note:
An interface from which a packet is sent cannot be used as a match condition. |
Ingress ports and VLANs |
|
|
IPv4 address that is the final destination node address for the packet. |
Ingress ports and VLANs |
|
|
Specify |
Ingress IPv4 interfaces |
|
|
IP protocol field. |
Ingress ports and VLANs |
|
|
IP precedence field. In place of the numeric field value, you can
specify one of the following text synonyms (the field values are
also listed): |
Ingress ports and VLANs |
|
|
IPv4 address of the source node sending the packet. |
Ingress ports and VLANs |
|
|
IP version of the packet. Use this condition to match IPv4 or IPv6 header fields in traffic that arrives on a Layer 2 port or VLAN interface. |
Ingress ports and VLANs |
is-fragment |
Using this condition causes a match if the More Fragments flag is enabled in the IP header or if the fragment offset is not zero. |
Ingress and egress IPv4 interfaces (QFX5220) Ingress IPv4 interfaces (QFX5130) |
learn-vlan-id
number |
VLAN identifier for MAC learning. |
Ingress and egress ports and VLANs (QFX5220) Ingress ports and VLANS (QFX5130) |
learn-vlan-1p-priority
value |
Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7. |
Ingress ports and VLANs |
|
|
IPv4 or IPv6 protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
|
Ingress and egress IPv6 interfaces |
|
|
Packet length in bytes. You must enter a value between 0 and 65535. |
Ingress IPv4 and IPv6 interfaces |
|
|
IP precedence bits in the type-of-service (ToS) byte in the IP header. (This byte can also used for the DiffServ DSCP.) In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
|
Ingress and egress IPv4 interfaces |
|
|
IP protocol value. In place of the numeric value, you can specify one of the following text synonyms (the numeric values are also listed):
|
Ingress and egress IPv4 interfaces. Ingress IPv4 interfaces and VLANs |
|
|
IP source address field, which is the address of the node that sent the packet. |
Ingress and egress IPv4 interfaces Ingress IPv6 interfaces Ingress ports and VLANs |
|
|
Source media access control (MAC) address of the packet. |
Ingress and egress IPv4 interfaces and VLANs |
|
|
TCP or UDP source port. You must specify this match in conjunction
with the In place of the numeric field, you can specify one of the text
synonyms listed under |
Ingress and egress IPv4 interfaces Ingress IPv6 interfaces Ingress ports and VLANs |
|
|
Match a range of TCP or UDP port ranges while using the available memory more efficiently. Using this condition allows you to configure more firewall filters than if you configure individual source ports. (Not supported with filter-based forwarding.) |
Ingress IPv4 interfaces |
|
|
IP source prefix list. You can define a list of IP address prefixes
under a prefix-list alias for frequent use. Define this list at the
|
Ingress and egress IPv4 interfaces Ingress IPv6 interfaces Ingress ports and VLANs |
tcp-established |
Match TCP packets of an established TCP session (packets other than
the first packet of a connection). This is an alias for
This match condition does not implicitly check that the protocol is
TCP. To check this, specify the |
Ingress and egress IPv4 interfaces (QFX5220) Ingress and egress IPv4 interfaces (QFX5130) Ingress IPv6 interfaces (QFX5130) |
|
|
TCP flags (only one value is supported):
|
Ingress and egress IPv4 interfaces Ingress IPv6 interfaces Ingress ports and VLANs |
tcp-initial |
Match the first TCP packet of a connection. A match occurs when the
TCP flag When you specify |
Ingress and egress IPv4 interfaces (QFX5220) Ingress and egress IPv4 interfaces, Ingress IPv6 interfaces (QFX5130) |
|
|
8-bit field that specifies the class-of-service (CoS) priority of the packet. The traffic-class field is used to specify a DiffServ code point (DSCP) value. This field was previously used as the type-of-service (ToS) field in IPv4, and, the semantics of this field (for example, DSCP) are identical to those of IPv4. You can specify one of the following text synonyms (the field values are also listed):
|
Ingress and egress IPv6 interfaces |
|
|
IP Time-to-live (TTL) field in decimal. The value can be 1-255. |
Ingress and egress IPv4 interfaces |
|
|
Matches the ID of the inner (customer) VLAN for a Q-in-Q VLAN. The acceptable values are 1-4095. |
Ingress ports and VLANs (QFX5130) |
|
|
Matches the specified 802.1p VLAN priority in the range
|
Ingress ports and VLANs (QFX5130) |
Use then statements to define actions that should occur if a packet
matches all conditions in a from statement. Table 6 shows
the actions that you can specify in a term. (If you do not include a
then statement, the system accepts packets that match the
filter.)
For egress IPv4 interfaces, IPv6 interfaces, and egress ports, you can only apply the accept, discard, and count actions. For egress VLANs, you can only apply the accept action.
|
Action |
Description |
|---|---|
|
|
Accept a packet. This is the default action for packets that match a term. |
|
|
Specify which groups not to inherit configuration data from. You can specify more than one group name. |
|
|
Count the number of packets that match the term. |
|
|
Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message. |
|
|
Classify the packet in one of the following default forwarding classes, or in a user-defined forwarding class:
Note:
To configure a forwarding class, you must also configure loss priority. |
|
|
Log the packet's header information in the Routing Engine. To view
this information, enter the |
|
|
Set the packet loss priority (PLP). Note:
The Note:
The |
|
|
Send packets to a policer (for the purpose of applying rate limiting). Note:
The |
|
|
Mirror traffic (copy packets) to an output interface configured in a
port-mirroring instance at the |
|
|
Mirror traffic to a port-mirroring instance configured at the
You can specify port mirroring for ingress port, VLAN, and IPv4 (inet) firewall filters only. |
|
|
Discard a packet and send a “destination unreachable” ICMPv4 message
(type 3). To log rejected packets, configure the
You can specify one of the following message types:
If you do not specify a message type, the ICMP notification “destination unreachable” is sent with the default message “communication administratively filtered.” Note:
The |
|
|
Send packets to a three-color policer (for the purpose of applying rate limiting). Note:
The Note:
The |
|
|
Forward matched packets to a specific VLAN. Note:
The This action is not supported on QFX5130 switches. |