Guidelines for Configuring and Applying Firewall Filters in Logical Systems
Statement Hierarchy for Configuring Firewall Filters in Logical Systems
To configure a firewall filter in a logical system, include the filter, service-filter, or simple-filter statement at the [edit logical-systems logical-system-name firewall family family-name] hierarchy level.
[edit]
logical-systems {
    logical-system-name {
        firewall {
            family family-name {
                filter filter-name {
                    interface-specific;
                    physical-interface-filter;
                    term term-name {
                        filter filter-name;
                        from {
                            match-conditions;
                        }
                        then {
                            actions;
                        }
                    }
                }
                service-filter filter-name { # For 'family inet' or 'family inet6' only.
                    term term-name {
                        from {
                            match-conditions;
                        }
                        then {
                            actions;
                        }
                    }
                }
                simple-filter filter-name { # For 'family inet' only.
                    term term-name {
                        from {
                            match-conditions;
                        }
                        then {
                            actions;
                        }
                    }
                }
            }
        }
    }
}
Filter Types in Logical Systems
There are no special restrictions on the types of stateless firewall filters that you can configure in logical systems.
In a logical system, you can use the same types of stateless firewall filters that are available on a physical router or switch:
Standard stateless firewall filters
Service filters
Simple filters
Firewall Filter Protocol Families in Logical Systems
There are no special restrictions on the protocol families supported with stateless firewall filters in logical systems.
In a logical system, you can filter the same protocol families as you can on a physical router or switch.
Standard stateless firewall filters—In logical systems, you can filter the following traffic types: protocol-independent, IPv4, IPv6, MPLS, MPLS-tagged IPv4 or IPv6, VPLS, Layer 2 circuit cross-connection, and Layer 2 bridging.
Service filters—In logical systems, you can filter IPv4 and IPv6 traffic.
Simple filters—In logical systems, you can filter IPv4 traffic only.
Firewall Filter Match Conditions in Logical Systems
There are no special restrictions on the match conditions supported with stateless firewall filters in logical systems.
Firewall Filter Actions in Logical Systems
There are no special restrictions on the actions supported with stateless firewall filters in logical systems.
Statement Hierarchy for Applying Firewall Filters in Logical Systems
To apply a firewall filter in a logical system, include the filter filter-name, service-filter service-filter-name, or simple-filter simple-filter-name statement to a logical interface in the logical system.
The following configuration shows the hierarchy levels at which you can apply the statements:
[edit]
logical-systems logical-system-name {
    interfaces {
        interface-name {
            unit logical-unit-number {
                family family-name {
                    filter {
                        group group-name;
                        input filter-name;
                        input-list [ filter-names ];
                        output filter-name;
                        output-list [ filter-names ];
                    }
                    rpf-check { # For 'family inet' or 'family inet6' only.
                        fail-filter filter-name;
                        mode loose;
                    }
                    service { # For 'family inet' or 'family inet6' only.
                        input {
                            service-set service-set-name <service-filter service-filter-name>;
                            post-service-filter service-filter-name;
                        }
                        output {
                            service-set service-set-name <service-filter service-filter-name>;
                        }
                    }
                    simple-filter { # For 'family inet' only.
                        input simple-filter-name;
                    }
                }
            }
        }
    }
}
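The two hierarchies above combined, as an added example that is not part of the original documentation: a standard stateless filter defined in a logical system and applied as an input filter on one of that logical system's logical interfaces. The names LS1, ge-0/0/0, protect-ls1, the term and counter names, and the addresses are assumptions chosen for illustration.

```junos
logical-systems {
    LS1 {                                  # hypothetical logical system name
        interfaces {
            ge-0/0/0 {                     # hypothetical interface
                unit 0 {
                    family inet {
                        filter {
                            input protect-ls1;   # apply the filter defined below
                        }
                        address 198.51.100.1/24; # constructed sample address
                    }
                }
            }
        }
        firewall {
            family inet {
                filter protect-ls1 {       # hypothetical filter name
                    term allow-mgmt-ssh {
                        from {
                            source-address {
                                192.0.2.0/24;    # constructed management prefix
                            }
                            protocol tcp;
                            destination-port ssh;
                        }
                        then accept;
                    }
                    term deny-other-ssh {
                        from {
                            protocol tcp;
                            destination-port ssh;
                        }
                        then {
                            count ssh-denied;    # counter for monitoring denied attempts
                            discard;
                        }
                    }
                    term allow-rest {      # explicit accept for all remaining traffic
                        then accept;
                    }
                }
            }
        }
    }
}
```

A stateless filter ends with an implicit discard, so the final term accepts the remaining traffic explicitly. The filter is referenced by name only, because it is defined inside the same logical system as the interface it is applied to.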