Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches

When you define a firewall filter for an EX Series switch, you define filtering criteria (terms, with match conditions) for the packets and an action (and, optionally, an action modifier) for the switch to take if the packets match the filtering criteria. You can define a firewall filter to monitor IPv4, IPv6, or non-IP traffic.

This topic describes in detail the various match conditions, actions, and action modifiers that you can define in a firewall filter. For information about support for match conditions on various EX Series switches, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.

Firewall Filter Elements

A firewall filter configuration contains a term, a match condition, an action, and, optionally, an action modifier. Table 1 describes each element in a firewall filter configuration.

Table 1: Elements of a Firewall Filter Configuration

Element Name

Description

Term

Defines the filtering criteria for the packets. Each term in the firewall filter consists of match conditions and an action. You can define a single term or multiple terms in the firewall filter. If you define multiple terms, each term must have a unique name.

Match condition

Consists of a string (called a match statement) that defines the match condition. Match conditions are the values or fields that a packet must contain. You can define a single match condition or multiple match conditions for a term. You can also opt not to define a match condition. If no match conditions are specified for a term, all packets are matched by default.

Action

Specifies the action that the switch takes if a packet matches all the criteria specified in the match conditions.

Action modifier

Specifies one or more actions that the switch takes if a packet matches the match conditions for the specific term.

Match Conditions Supported on Switches

Based on the type of traffic that you want to monitor, you can configure a firewall filter to monitor IPv4, IPv6, or non-IP traffic. When you configure a firewall filter to monitor a particular type of traffic, ensure that you specify match conditions that are supported for that type of traffic. For information about match conditions supported for a specific type of traffic and switches on which they are supported, see Platform Support for Firewall Filter Match Conditions, Actions, and Action Modifiers on EX Series Switches.

Table 2 describes all the match conditions that are supported for firewall filters on EX Series Switches.

Table 2: Firewall Filter Match Conditions Supported on EX Series Switches

Match Condition

Description

destination-address ip-address

IP destination address field, which is the address of the final destination node.

ip-destination-address ip-address

IP destination address field, which is the address of the final destination node.

ip6-destination-address ip-address

IP destination address field, which is the address of the final destination node.

destination-mac-address mac-address

Destination media access control (MAC) address of the packet.

You can define a destination MAC address with a prefix, such as destination-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used.

destination-port number

TCP or UDP destination port field. Typically, you specify this match condition in conjunction with the protocol or ip-protocol match condition to determine which protocol is used on the port. For number, you can specify one of the following text synonyms (the port numbers are also listed):

afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813),radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), zephyr-hm (2104)

destination-prefix-list prefix-list

IP destination prefix list field.

You can define a list of IP address prefixes under a prefix-list alias for frequent use. You define this match condition at the [edit policy-options] hierarchy level.

dot1q-tag number

The tag field in the Ethernet header. The tag values range from 1 through 4095. The dot1q-tag match condition and the vlan match condition are mutually exclusive.

user-vlan-id number

The tag field in the Ethernet header. The tag values range from 1 through 4095. The user-vlan-id match condition and the learn-vlan-id match condition are mutually exclusive.

dot1q-user-priority number

User-priority field of the tagged Ethernet packet. User-priority values can range from 0 through 7.

For number, you can specify one of the following text synonyms (the field values are also listed):

  • background (1)—Background

  • best-effort (0)—Best effort

  • controlled-load (4)—Controlled load

  • excellent-load (3)—Excellent load

  • network-control (7)—Network control reserved traffic

  • standard (2)—Standard or spare

  • video (5)—Video

  • voice (6)—Voice

user-vlan-1p-priority number

User-priority field of the tagged Ethernet packet. User-priority values can range from 0 through 7.

For number, you can specify one of the following text synonyms (the field values are also listed):

  • background (1)—Background

  • best-effort (0)—Best effort

  • controlled-load (4)—Controlled load

  • excellent-load (3)—Excellent load

  • network-control (7)—Network control reserved traffic

  • standard (2)—Standard or spare

  • video (5)—Video

  • voice (6)—Voice

dscp number

Specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

For number, you can specify one of the following text synonyms (the field values are also listed):

  • ef (46)—as defined in RFC 2598, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22),

    af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, are defined for 12 code points in RFC 2597, Assured Forwarding PHB Group.

ether-type value

Ethernet type field of a packet. The value specifies what protocol is being transported in the Ethernet frame. For value, you can specify one of the following text synonyms:

  • aarp—EtherType value AARP (0x80F3)

  • appletalk—EtherType value AppleTalk (0x809B)

  • arp—EtherType value ARP (0x0806)

  • ipv4—EtherType value IPv4 (0x0800)

  • ipv6—EtherType value IPv6 (0x08DD)

  • mpls multicast—EtherType value MPLS multicast (0x8848)

  • mpls unicast—EtherType value MPLS unicast (0x8847)

  • oam—EtherType value OAM (0x88A8)

  • ppp—EtherType value PPP (0x880B)

  • pppoe-discovery—EtherType value PPPoE Discovery Stage (0x8863)

  • pppoe-session—EtherType value PPPoE Session Stage (0x8864)

  • sna—EtherType value SNA (0x80D5)

Note:

The following match conditions are not supported when ether-type is set to ipv6:

  • dscp

  • fragment-flags

  • is-fragment

  • precedence or ip-precedence

  • protocol or ip-protocol

fragment-flags fragment-flags

IP fragmentation flags, specified in symbolic or hexadecimal formats. You can specify one of the following options:

  • dont-fragment (0x4000)

  • more-fragments (0x2000)

  • reserved (0x8000)

gbp-dst-tag Match the destination tag, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN
gbp-src-tag Match the source tag, for use with micro-segmentation on a VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

icmp-code number

ICMP code field. This value or option provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type, you must specify icmp-type along with icmp-code. For number, you can specify one of the following text synonyms (the field values are also listed). The options are grouped by the ICMP type with which they are associated:

  • parameter-problemip-header-bad (0), required-option-missing (1)

  • redirectredirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

  • time-exceededttl-eq-zero- during-reassembly (1), ttl-eq-zero-during-transit (0)

  • unreachablecommunication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

icmp-type number

ICMP packet type field. Typically, you specify this match condition in conjunction with the protocol or ip-protocol match condition to determine which protocol is being used on the port. For number, you can specify one of the following text synonyms (the field values are also listed):

echo-reply (0), echo-request (8), info-reply (16), info-request (15),mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), unreachable (3)

interface interface-name

Interface on which the packet is received. You can specify the wildcard character (*) as part of an interface name.

Note:

The interface match condition is not supported for egress traffic on an EX8200 Virtual Chassis.

ip-options

Presence of the options field in the IP header.

ip-version version match_condition(s)

Version of the IP protocol for port and VLAN firewall filters. The value for version can be ipv4 or ipv6.

For match_condition(s), you can specify one or more of the following match conditions:

  • destination-address, ip-destination-address, or ip6-destination-address

  • destination-port

  • destination-prefix-list

  • dscp

  • fragment-flags

  • icmp-code

  • icmp-type

  • is-fragment

  • precedence or ip-precedence

  • protocol or ip-protocol

  • source-address or ip-source-address

  • source-port

  • source-prefix-list

  • tcp-established

  • tcp-flags

  • tcp-initial

is-fragment

If the packet is a trailing fragment, this match condition does not match the first fragment of a fragmented packet. Use two terms to match both first and trailing fragments.

Note:

Due to a limitation on the EX2300, EX3400, and EX4300 switches, this match condition does not match the last fragment of a fragmented packet when applied to "family ethernet-switching.”

l2-encap-type llc-non-snap

Match on logical link control (LLC) layer packets for non-Subnet Access Protocol (SNAP) Ethernet Encapsulation type.

next-header bytes

8-bit protocol field that identifies the type of header immediately following the IPv6 header. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

ah (51), dstops (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (1), igmp (2), ipip (4), ipv6 (41), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), vrrp (112)

packet-length bytes

Length of the received packet, in bytes.

The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead.

precedence precedence

IP precedence. For precedence, you can specify one of the following text synonyms (the field values are also listed):

critical-ecp (5), flash (3), flash-override (4), immediate (2), internet-control (6), net-control (7), priority (1), routine (0)

ip-precedence precedence

IP precedence. For precedence, you can specify one of the following text synonyms (the field values are also listed):

critical-ecp (5), flash (3), flash-override (4), immediate (2), internet-control (6), net-control (7), priority (1), routine (0)

protocol list of protocol

IPv4 protocol value. For protocols, you can specify one of the following text synonyms:

egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103), rsvp (46), tcp (6), udp (17)

ip-protocol list of protocol

IPv4 protocol value. For protocols, you can specify one of the following text synonyms:

egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ospf (89), pim (103), rsvp (46), tcp (6), udp (17)

source-address ip-address

IP source address field, which is the address of the source node sending the packet. For IPv6, the source-address field is 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses that are described in RFC 2373, IP Version 6 Addressing Architecture.

ip-source-address (ip-address | ip6-address)

IP source address field, which is the address of the source node sending the packet. You can specify either an IPv4 address (ip-address) or an IPv6 address (ip6-address). For IPv6, the ip-source-address field is 128 bits in length. The filter description syntax supports the text representations for IPv6 addresses that are described in RFC 2373, IP Version 6 Addressing Architecture.

source-mac-address mac-address

Source MAC address.

You can define a source MAC address with a prefix, such as source-mac-address 00:01:02:03:04:05/24. If no prefix is specified, the default value 48 is used.

source-port number

TCP or UDP source-port field. Typically, you specify this match in conjunction with the protocol or ip-protocol match condition to determine which protocol is being used on the port. For number, you can specify one of the text synonyms listed under destination-port.

source-prefix-list prefix-list

IP source prefix list field.

You can define a list of IP address prefixes under a prefix-list alias for frequent use. You define this match condition at the [edit policy-options] hierarchy level.

tcp-established

TCP packets of an established TCP connection. This condition matches packets other than the first packet of a connection. tcp-established is a synonym for the bit names "(ack | rst)".

tcp-established does not implicitly check whether the protocol is TCP. To do so, specify the next-header tcp match condition.

tcp-flags (flags tcp-initial)

One or more TCP flags:

  • bit-name—fin, syn, rst, push, ack, urgent

  • logical operators—& (logical AND), | (logical OR), ! (negation)

  • numerical value—0x01 through 0x20

  • text synonym—tcp-initial

To specify multiple flags, use logical operators.

tcp-initial

Matches the first TCP packet of a connection. tcp-initial is a synonym for the bit names "(syn&!ack)".

tcp-initial does not implicitly check whether the protocol is TCP. To do so, specify the protocol tcp or ip-protocol tcp match condition.

traffic-class number

Specifies the DSCP code point for a packet.

ttl value

TTL type to match. The value ranges from 1 through 255.

vlan (vlan-name | vlan-id)

The VLAN that is associated with the packet. For vlan-id, you can specify either the VLAN ID or a VLAN range. The vlan match condition and the dot1q-tag match condition are mutually exclusive.

learn-vlan-id (vlan-name | vlan-id)

The VLAN that is associated with the packet. For vlan-id, you can specify either the VLAN ID or a VLAN range. The vlan match condition and the user-vlan-id match condition are mutually exclusive.

Actions for Firewall Filters

You can define an action for the switch to take if a packet matches the filtering criteria defined in a match condition. Table 3 describes the actions supported in a firewall filter configuration.

Table 3: Actions for Firewall Filters

Action

Description

accept

Accept a packet.

discard

Discard a packet silently without sending an Internet Control Message Protocol (ICMP) message.

reject message-type

Discard a packet, and send the ICMPv4 message (type 3) destination unreachable. You can log the rejected packets if you configure the syslog action modifier.

You can specify one of the following message codes: administratively-prohibited (default), bad-host-tos, bad-network-tos, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, tcp-reset.

If you specify tcp-reset, a TCP reset is returned if the packet is a TCP packet. Otherwise nothing is returned.

If you do not specify a message type, the ICMP notification destination unreachable is sent with the default message communication administratively filtered.

routing-instance routing-instance-name

Forward matched packets to a virtual routing instance.

Note:

EX4200 switches do not support firewall-filter-based redirection to the default routing instance.

vlan vlan-name

Forward matched packets to a specific VLAN. Ensure that you specify the VLAN name or VLAN ID and not a VLAN range, because the vlan action does not support the vlan-range option.

Note:

If you have defined a VLAN that is enabled for dot1q tunneling, then that particular VLAN is not supported as an action (using the vlan vlan-name action) for an ingress VLAN firewall filter.

Action Modifiers for Firewall Filters

In addition to the actions described in Table 3, you can define action modifiers in a firewall filter configuration for a switch if packets match the filtering criteria defined in the match condition. Table 4 describes the action modifiers supported in a firewall filter configuration.

Table 4: Action Modifiers for Firewall Filters

Action Modifier

Description

analyzer analyzer-name

Mirror port traffic to a specified destination port or VLAN that is connected to a protocol analyzer application. Mirroring copies all packets seen on one switch port to a network monitoring connection on another switch port. The analyzer name must be configured under [edit ethernet-switching-options analyzer].

Note:

analyzer is not a supported action modifier for a management interface.

Note:

On EX4500 switches, you can configure only one analyzer and include it in a firewall filter. If you configure multiple analyzers, you cannot include any one of those analyzers in a firewall filter.

dscp number

Change the DSCP value for matched packets to the DSCP value specified with this action modifier. number specifies the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP.

You can specify DSCP in hexadecimal, binary, or decimal form.

For number, you can specify one of the following text synonyms (the field values are also listed):

  • ef (46)—as defined in RFC 2598, An Expedited Forwarding PHB.

  • af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22),

    af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38)

    These four classes, with three drop precedences in each class, are defined for 12 code points in RFC 2597, Assured Forwarding PHB Group.

count counter-name

Count the number of packets that pass this filter, term, or policer. A policer enables you to specify rate limits on traffic that enters an interface on a switch.

Note:

On EX4300 switches, you can configure the same number of counters and policers as the number of terms in the ternary content addressable memory (TCAM).

forwarding-class class

Classify the packet in one of the following forwarding classes:

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

gbp-src-tag (EX4400 and EX4650 only) Set the group based policy source tag (0..65535) for use with micro-segmentation on VXLAN, as described here: Example: Micro and Macro Segmentation using Group Based Policy in a VXLAN

interface interface-name

Forward the traffic to the specified interface bypassing the switching lookup.

log

Log the packet's header information in the Routing Engine. To view this information, issue the show firewall log command in the CLI.

Note:

If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected.

loss-priority (high | low)

Set the packet loss priority (PLP).

policer policer-name

Apply rate limits to the traffic.

You can specify a policer in a firewall filter only for ingress traffic on a port, VLAN, and router.

Note:

A counter for a policer is not supported on EX8200 switches.

Note:

On EX4300 switches, you can configure the same number of counters and policers as the number of terms in the TCAM.

port-mirror

Mirror packets to the interface defined in the [edit forwarding-options analyzer] hierarchy.

port-mirror-instance instance-name

Mirror packets to the instance defined in the [edit forwarding-options analyzer] hierarchy.

syslog

Log an alert for this packet. You can specify that the log be sent to a server for storage and analysis.

Note:

If the log or the syslog action modifier is configured along with a vlan action or an interface action modifier, the events might not be logged. However, the redirect interface functionality works as expected.

three-color-policer

Apply a three-color policer.