Support for Match Conditions and Actions for Loopback Firewall Filters on Switches
On EX Series Ethernet switches, a loopback interface is a gateway for all the control traffic that enters the Routing Engine of the switch. If you want to monitor this control traffic, you must configure a firewall filter on the loopback interface (lo0). Loopback firewall filters are applied only to packets that are sent to the Routing Engine CPU for further processing. Therefore, you can apply a firewall filter only in the ingress direction on the loopback interface.
Each term in a firewall filter consists of match conditions and an action. Match conditions are the values or fields that a packet must contain for the term to apply. A term can have one, several, or no match conditions; if no match conditions are specified for the term, all packets match it by default. The string that defines a match condition is called a match statement. The action specifies what the switch does with a packet that matches the match conditions for that term. Action modifiers are optional and specify one or more additional actions that the switch takes if a packet matches the match conditions for that term.
The following tables list match conditions, actions, and action modifiers that are supported for a firewall filter configured on a loopback interface on a switch:
For information on match conditions, actions, and action modifiers supported for a firewall filter configured on a network interface, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.
Match Condition | EX2200 | EX3200, EX4200 | EX3300 | EX4500 | EX6200 | EX8200 |
---|---|---|---|---|---|---|
Match conditions for IPv4 traffic: | | | | | | |
destination-address | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
destination-port | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
destination-prefix-list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
dscp | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
icmp-code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
icmp-type | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
interface | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
is-fragment | ✓ | ✓ | ✓ | ✓ | – | – |
packet-length | – | – | – | – | – | ✓ |
precedence | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
protocol | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
source-address | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
source-port | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
source-prefix-list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Match conditions for IPv6 traffic: | | | | | | |
ip6-destination-address | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
destination-port | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
destination-prefix-list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
icmp-code | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
icmp-type | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
interface | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
next-header | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
packet-length | – | – | – | – | – | ✓ |
source-address | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
source-port | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
source-prefix-list | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
tcp-established | ✓ | ✓ | ✓ | ✓ | ✓ | – |
tcp-flags | ✓ | ✓ | ✓ | ✓ | ✓ | – |
tcp-initial | ✓ | ✓ | ✓ | ✓ | ✓ | – |
traffic-class | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Action | EX2200 | EX3200, EX4200 | EX3300 | EX4500 | EX6200 | EX8200 |
---|---|---|---|---|---|---|
Actions for IPv4 traffic: | | | | | | |
accept | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
discard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Actions for IPv6 traffic: | | | | | | |
accept | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
discard | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ |
Action Modifier | EX2200 | EX3200, EX4200 | EX3300 | EX4500 | EX6200 | EX8200 |
---|---|---|---|---|---|---|
Action modifiers for IPv4 traffic: | | | | | | |
count | – | ✓ | – | ✓ | ✓ | – |
forwarding-class | ✓ | ✓ | ✓ | ✓ | – | ✓ |
loss-priority | ✓ | ✓ | ✓ | ✓ | – | ✓ |
Action modifiers for IPv6 traffic: | | | | | | |
count | – | ✓ | – | ✓ | – | – |
forwarding-class | ✓ | ✓ | ✓ | ✓ | – | ✓ |
loss-priority | ✓ | ✓ | ✓ | ✓ | – | ✓ |
On EX8200 switches, if an implicit or explicit discard action is configured on a loopback interface for IPv4 traffic, next hop resolve packets are accepted and allowed to pass through the switch. However, for IPv6 traffic, you must explicitly configure a rule to allow the neighbor discovery IPv6 resolve packets to pass through the switch.
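The following configuration is an added example and is not taken from the Juniper page; it shows how the match conditions, actions, and action modifiers in the tables above fit together in a loopback filter that protects the Routing Engine, and it includes the explicit IPv6 neighbor discovery rule that the EX8200 note requires. The platform is assumed to be an EX4200 (so that the `count` modifier is available for both IPv4 and IPv6); on the EX2200, EX3300, and EX8200 the `count` lines would have to be removed, as the tables show. The filter names, prefix-list names, and the addresses (from the documentation ranges) are placeholders.

```junos
policy-options {
    /* Assumed management subnets; replace with your own. */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
    prefix-list mgmt-hosts-v6 {
        2001:db8:100::/64;
    }
}
firewall {
    family inet {
        filter protect-re-v4 {
            /* SSH to the switch only from the management prefix list. */
            term allow-ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Echo request/reply for reachability checks; all other ICMP falls through to deny-rest. */
            term allow-icmp-echo {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply ];
                }
                then accept;
            }
            /* Everything else destined for the Routing Engine is counted and dropped;
               the counter is the detection signal for unexpected control-plane traffic. */
            term deny-rest {
                then {
                    count re-v4-discards;
                    discard;
                }
            }
        }
    }
    family inet6 {
        filter protect-re-v6 {
            /* Explicit rule for neighbor discovery: without it the final discard
               would drop the IPv6 resolve packets (required on EX8200 per the note above). */
            term allow-nd {
                from {
                    next-header icmpv6;
                    icmp-type [ neighbor-solicit neighbor-advertisement ];
                }
                then accept;
            }
            term allow-ssh {
                from {
                    source-prefix-list {
                        mgmt-hosts-v6;
                    }
                    next-header tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term deny-rest {
                then {
                    count re-v6-discards;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            /* Loopback filters are ingress-only, so only input is applied. */
            family inet {
                filter {
                    input protect-re-v4;
                }
            }
            family inet6 {
                filter {
                    input protect-re-v6;
                }
            }
        }
    }
}
```

After committing, `show firewall filter protect-re-v4` and `show firewall filter protect-re-v6` display the `re-v4-discards` and `re-v6-discards` counters; a steadily rising discard count on lo0 is the practical check that unexpected traffic is reaching the Routing Engine and being dropped, and a sudden loss of management access after the commit usually means a needed protocol (for example a routing protocol or NTP) was not given its own accept term ahead of `deny-rest`.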