
Configuring Layer 2 Bridging Match Conditions for MX Series Ethernet Services Routers

Table 1 describes the firewall filter match conditions supported for Layer 2 bridging traffic on MX Series routers.

To configure firewall filter match conditions for Layer 2 bridging traffic:

  • Include the match-conditions statement at the [edit firewall family bridge filter filter-name term term-name from] hierarchy level.

Table 1: Layer 2 Bridging Firewall Filter Match Conditions (MX Series Ethernet Services Routers Only)

Match Condition: Description

destination-mac-address address

Destination media access control (MAC) address of a Layer 2 packet in a bridging environment.

destination-port number

TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.

dscp number

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see the JUNOS Class of Service Configuration Guide.

You can specify the DSCP in hexadecimal, binary, or decimal form.

ether-type value

Ethernet type field of a Layer 2 packet in a bridging environment.

ether-type-except value

Do not match on the Ethernet type field of a Layer 2 packet.

forwarding-class class

Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Do not match on the forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

icmp-code number

ICMP code field. The value or keyword provides more specific information than icmp-type. Because the value’s meaning depends on the associated icmp-type, you must specify icmp-type along with icmp-code.

icmp-type number

ICMP packet type field. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port.

interface-group group-number

Interface group on which the packet was received. An interface group is a set of one or more logical interfaces. For group-number, specify a value from 0 through 255.

interface-group-except number

Do not match on the interface group on which the packet was received.

interface-set interface-set-name

(MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only) Interface set on which the packet was received. An interface set is a set of logical interfaces used to configure hierarchical class-of-service schedulers. For information about configuring an interface set, see the JUNOS Class of Service Configuration Guide and the JUNOS Network Interfaces Configuration Guide.

ip-address address

32-bit address that supports the standard syntax for IPv4 addresses.

ip-destination-address address

32-bit address that is the final destination node address for the packet.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

ip-precedence-except

Do not match on the IP precedence field.

ip-protocol number

IP protocol field.

ip-source-address address

IP address of the source node sending the packet.

isid number

(Supported with Provider Backbone Bridging (PBB)) Match internet service identifier.

isid-dei number

(Supported with PBB) Match internet service identifier drop eligibility indicator (DEI) bit.

isid-dei-except number

(Supported with PBB) Do not match internet service identifier DEI bit.

isid-priority-code-point number

(Supported with PBB) Match internet service identifier priority code point.

isid-priority-code-point-except number

(Supported with PBB) Do not match internet service identifier priority code point.

learn-vlan-1p-priority value

(Supported with bridging, VPLS, and Layer 2 circuit cross-connect [CCC] traffic only) IEEE 802.1p learned VLAN priority field. Specify a single value or multiple values from 0 through 7.

learn-vlan-1p-priority-except value

(Supported with bridging, VPLS, and Layer 2 circuit cross-connect [CCC] traffic only) Do not match on the IEEE 802.1p learned VLAN priority field. Specify a single value or multiple values from 0 through 7.

learn-vlan-dei number

(Supported with bridging) Match user virtual LAN (VLAN) identifier DEI bit.

learn-vlan-dei-except number

(Supported with bridging) Do not match user VLAN identifier DEI bit.

learn-vlan-id number

VLAN identifier used for MAC learning.

learn-vlan-id-except number

Do not match on the VLAN identifier used for MAC learning.

loss-priority level

Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the JUNOS Class of Service Configuration Guide.

port number

TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match conditions in the same term.

source-mac-address address

Source MAC address of a Layer 2 packet.

source-port number

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

tcp-flags flags

One or more of the following TCP flags:

  • Bit-name: fin, syn, rst, push, ack, urgent
  • Numerical value: 0x01 through 0x20
  • Text synonym: tcp-established, tcp-initial

You can string together multiple flags using logical operators.

Configuring the tcp-flags match condition requires that you configure the next-header-tcp match condition.

traffic-type type

Traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

traffic-type-except type

Do not match on the traffic type.

user-vlan-1p-priority value

(Supported with bridging, VPLS, and Layer 2 CCC traffic only) IEEE 802.1p user priority field. Specify a single value or multiple values from 0 through 7.

user-vlan-1p-priority-except value

(Supported with bridging, VPLS, and Layer 2 CCC traffic only) Do not match on the IEEE 802.1p user priority field. Specify a single value or multiple values from 0 through 7.

user-vlan-id number

First VLAN identifier that is part of the payload.

user-vlan-id-except number

Do not match on the first VLAN identifier that is part of the payload.

vlan-ether-type value

VLAN Ethernet type field of a Layer 2 bridging or VPLS packet.

vlan-ether-type-except value

Do not match on the VLAN Ethernet type field of a Layer 2 bridging or VPLS packet.
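The table states several rules that the combination of match conditions in one term must respect (port is exclusive with source-port and destination-port, icmp-code needs icmp-type, tcp-flags needs next-header-tcp, and the value ranges and keyword sets for interface-group, the 802.1p priorities, forwarding-class, loss-priority and traffic-type). The following Python helper is an added example, not Juniper code or a JUNOS tool: it lints a proposed term against exactly those rules and renders it as a stanza under the [edit firewall family bridge filter filter-name term term-name from] hierarchy named above. The filter and term names, and the sample values ipv4, tcp and 22, are constructed for the example; the spellings of the ether-type and ip-protocol synonyms are assumed and are not taken from this page.

```python
"""Lint and render one 'from' block of a Junos 'family bridge' firewall filter term.

Hypothetical helper added as an example; it is not Juniper code. It encodes
only the constraints this page states for the match conditions and prints the
term under the hierarchy the page names:
  [edit firewall family bridge filter <filter-name> term <term-name> from]
"""

# Constraints taken from the match-condition table on this page.
EXCLUSIVE_WITH_PORT = ("source-port", "destination-port")
REQUIRES = {
    "icmp-code": "icmp-type",        # icmp-code's meaning depends on icmp-type
    "tcp-flags": "next-header-tcp",  # stated requirement for tcp-flags
}
RANGES = {
    "interface-group": (0, 255),
    "learn-vlan-1p-priority": (0, 7),
    "user-vlan-1p-priority": (0, 7),
}
ENUMS = {
    "forwarding-class": {"assured-forwarding", "best-effort",
                         "expedited-forwarding", "network-control"},
    "loss-priority": {"low", "medium-low", "medium-high", "high"},
    "traffic-type": {"broadcast", "multicast", "unknown-unicast", "known-unicast"},
}


def _as_list(value):
    """Normalise a scalar or sequence of values to a list."""
    return list(value) if isinstance(value, (list, tuple, set)) else [value]


def check_term(conditions):
    """Return the list of constraint violations for a term's match conditions.

    conditions maps a match-condition keyword to its value: a scalar, a list
    (rendered as a Junos [ ... ] set), or None for a keyword that takes no value.
    An empty list means the combination is allowed by the rules on this page.
    """
    problems = []
    if "port" in conditions:
        for other in EXCLUSIVE_WITH_PORT:
            if other in conditions:
                problems.append(f"'port' cannot be combined with '{other}' in the same term")
    for cond, needed in REQUIRES.items():
        if cond in conditions and needed not in conditions:
            problems.append(f"'{cond}' requires '{needed}' in the same term")
    for cond, (lo, hi) in RANGES.items():
        for v in _as_list(conditions.get(cond, [])):
            if v is not None and not lo <= int(v) <= hi:
                problems.append(f"'{cond}' value {v} outside {lo}..{hi}")
    for cond, allowed in ENUMS.items():
        for v in _as_list(conditions.get(cond, [])):
            if v is not None and v not in allowed:
                problems.append(f"'{cond}' value '{v}' not one of {sorted(allowed)}")
    return problems


def render_term(filter_name, term_name, conditions):
    """Render the term as a Junos configuration stanza, or raise on a violation."""
    problems = check_term(conditions)
    if problems:
        raise ValueError("; ".join(problems))
    pad = "    "
    out = ["firewall {",
           pad + "family bridge {",
           pad * 2 + f"filter {filter_name} {{",
           pad * 3 + f"term {term_name} {{",
           pad * 4 + "from {"]
    for cond, value in conditions.items():
        if value is None:                       # bare keyword, e.g. next-header-tcp
            out.append(pad * 5 + f"{cond};")
            continue
        vals = [str(v) for v in _as_list(value)]
        rendered = vals[0] if len(vals) == 1 else "[ " + " ".join(vals) + " ]"
        out.append(pad * 5 + f"{cond} {rendered};")
    out += [pad * 4 + "}", pad * 3 + "}", pad * 2 + "}", pad + "}", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    # Constructed sample: SYN segments to TCP port 22 inside IPv4 frames.
    # The value spellings (ipv4, tcp) are assumed Junos synonyms, not from this page.
    sample = {
        "ether-type": "ipv4",
        "ip-protocol": "tcp",
        "next-header-tcp": None,
        "tcp-flags": "syn",
        "destination-port": 22,
        "loss-priority": ["low", "medium-low"],
    }
    print(render_term("L2-EDGE-IN", "ssh-syn", sample))
```

Running the module prints the rendered stanza; calling render_term with, for example, both port and destination-port in one term raises ValueError with the violated rule, which is the point at which a review gate would reject the change before it reaches the router.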


Published: 2010-04-15
