Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Support for Match Conditions and Actions for Loopback Firewall Filters on Switches

On EX Series Ethernet switches, a loopback interface is a gateway for all the control traffic that enters the Routing Engine of the switch. If you want to monitor this control traffic, you must configure a firewall filter on the loopback interface (lo0). Loopback firewall filters are applied only to packets that are sent to the Routing Engine CPU for further processing. Therefore, you can apply a firewall filter only in the ingress direction on the loopback interface.

Each term in a firewall filter consists of match conditions and an action. Match conditions are the values or fields that a packet must contain. You can define multiple, single, or no match conditions. If no match conditions are specified for the term, all packets are matched by default. The string that defines a match condition is called a match statement. The action is the action that the switch takes if a packet matches the match conditions for the specific term. Action modifiers are optional and specify one or more actions that the switch takes if a packet matches the match conditions for the specific term.

The following tables list match conditions, actions, and action modifiers that are supported for a firewall filter configured on a loopback interface on a switch:

For information on match conditions, actions, and action modifiers supported for a firewall filter configured on a network interface, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.

Table 1: Match Conditions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch

Match Condition

EX2200

EX3200,

EX4200

EX3300

EX4500

EX6200

EX8200

Match conditions for IPv4 traffic:

destination-address

destination-port

destination-prefix-list

dscp

icmp-code

icmp-type

interface

is-fragment

packet-length

precedence

protocol

source-address

source-port

source-prefix-list

Match conditions for IPv6 traffic:

ip6-destination-address

destination-port

destination-prefix-list

icmp-code

icmp-type

interface

next-header

packet-length

source-address

source-port

source-prefix-list

tcp-established

tcp-flags

tcp-initial

traffic-class

Table 2: Actions for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch

Action

EX2200

EX3200,

EX4200

EX3300

EX4500

EX6200

EX8200

Actions for IPv4 traffic:

accept

discard

Actions for IPv6 traffic:

accept

discard

Table 3: Action Modifiers for Firewall Filters on Loopback Interfaces for IPv4 and IPv6 Traffic—Support per Switch

Action

EX2200

EX3200,

EX4200

EX3300

EX4500

EX6200

EX8200

Action modifiers for IPv4 traffic:

count

forwarding-class

loss-priority

Action modifiers for IPv6 traffic:

count

forwarding-class

loss-priority

Note:

On EX8200 switches, if an implicit or explicit discard action is configured on a loopback interface for IPv4 traffic, next hop resolve packets are accepted and allowed to pass through the switch. However, for IPv6 traffic, you must explicitly configure a rule to allow the neighbor discovery IPv6 resolve packets to pass through the switch.