Routing Policy and Firewall Filters

  • Automatic dropping for nonlocal packets (ACX7024X, ACX7100-32C, ACX7100-48L, ACX7332, ACX7348, ACX7509, ACX7024, PTX10001-36MR, PTX10002-36QDD, PTX10003, PTX10004, PTX10008, PTX10016, PTX12008, QFX5130-32CD, QFX5130E-32CD, QFX5130-48C, QFX5130-48CM, QFX5220, QFX5230-64CD, QFX5240-64OD, QFX5240-64QD, QFX5700, and QFX5700E)—The device drops all packets that are not local to the Routing Engine, unless they are flagged as exception packets. This feature is automatically enabled on all supported platforms. The dropped packet count is available under the “non-local drops” counter in the show system statistics command.

    [See show system statistics.]

  • View a CLI and non-CLI firewall filter's configured and compiled information (PTX10001-36MR, PTX10002-36QDD, PTX10003, PTX10004, PTX10008, and PTX10016)—When firewall filters are configured, an optimization operation is performed on the configuration. The optimization process may merge or eliminate the terms of filters, so the filters programmed in the hardware can differ from the configured filters. Two new show commands display either the configured information for a CLI or non-CLI firewall filter or the same filter's information after compilation and optimization.

    [See show-firewall-configuration.]

  • Match source or destination ports in named list (PTX10001-36MR, PTX10002-36QDD, PTX10003, PTX10004, PTX10008, and PTX10016)—You can create a port-list to group multiple source or destination ports so that firewall configurations can reference them through the port-list, source-port-list, and destination-port-list match conditions.

    [See port-list.]

  • Use policies to validate flow specification filters (PTX Series)—Use policies to validate the flow specification filters at the edge routers signaling flow routes over an external BGP (EBGP) session to the peers. By configuring the policies, you can prevent the flow routes from accidentally or maliciously blocking protocol sessions. You can also prevent the admission of malformed, unsupported, or undesired flow routes coming from the source.

    Configure policies by specifying the match conditions and flow route actions at the [edit policy-options flowspec-attribute] hierarchy level.

    [See Configuring Policies for Flow Route Validation.]

  • Policy to enable per-route-accounting on selective flow routes (PTX Series)—You can selectively enable individual counters for flow specification routes. Use the new flow-route-accounting policy action in the following statement format:

    set policy-options policy-statement < term > then flow-route-accounting

    [See flowspec-attribute.]

  • New CLI option for flow family matching policy configuration (PTX Series)—The following new CLI options are available for configuring policies to match against specific family routes. Use these options at the [edit policy-options policy-statement from family] hierarchy level:

    inet-flow—IPv4 flow family

    inet6-flow—IPv6 flow family

    inet-vpn-flow—IPv4 VPN flow family

    inet6-vpn-flow—IPv6 VPN flow family

    [See flowspec-attribute.]
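
The flow specification validation item above says that policies keep received flow routes from blocking protocol sessions and reject malformed, unsupported, or undesired routes. The following is an added example, not Junos code or configuration: it models that admission check in Python, and every name in it (FlowRoute, Session, validate, the action labels, the prefix-length limits) is a hypothetical assumption, with constructed sample data.

```python
import ipaddress
from typing import NamedTuple, Optional
# All names below are hypothetical; this models the idea, not Junos syntax.

class FlowRoute(NamedTuple):
    dst: str                  # destination prefix carried by the flow route
    proto: Optional[int]      # IP protocol number, None matches any
    dst_port: Optional[int]   # destination port, None matches any
    action: str               # traffic action requested by the sender

class Session(NamedTuple):
    name: str
    local_addr: str           # our end of the protocol session to protect
    proto: int
    port: int

ALLOWED_ACTIONS = {"accept", "discard", "rate-limit"}
MIN_PREFIXLEN = {4: 24, 6: 48}   # assumed local policy: no broader matches

def validate(route, sessions):
    """Return (admit, reason) for one received flow route."""
    try:
        net = ipaddress.ip_network(route.dst)   # strict: host bits must be 0
    except ValueError:
        return False, "malformed destination prefix"
    if route.action not in ALLOWED_ACTIONS:
        return False, "unsupported action"
    if route.action != "accept":                # only dropping actions can block
        for s in sessions:
            if (ipaddress.ip_address(s.local_addr) in net
                    and route.proto in (None, s.proto)
                    and route.dst_port in (None, s.port)):
                return False, "would block protected session " + s.name
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return False, "destination prefix too broad"
    return True, "ok"

# Constructed sample data (documentation address ranges).
SESSIONS = [Session("ebgp-peer", "192.0.2.1", 6, 179)]
ROUTES = [
    FlowRoute("192.0.2.1/32", 6, 179, "discard"),        # hits the BGP session
    FlowRoute("192.0.2.0/24", None, None, "rate-limit"), # wildcard covers it too
    FlowRoute("198.51.100.7/32", 17, 53, "discard"),     # unrelated, admitted
    FlowRoute("0.0.0.0/0", 17, 123, "discard"),          # too broad
    FlowRoute("203.0.113.9/24", 6, 80, "discard"),       # host bits set
]

if __name__ == "__main__":
    for r in ROUTES:
        print(r.dst, validate(r, SESSIONS))
```

The wildcard case is the one to watch: a flow route with no protocol or port still covers the session's address, so the check treats an absent field as matching everything.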