Firewall Filter Match Conditions for Layer 2 Bridging Traffic

Only on MX Series routers and EX Series switches, you can configure a standard stateless firewall filter with match conditions for Layer 2 bridging traffic (family bridge). Table 1 describes the match-conditions you can configure at the [edit firewall family bridge filter filter-name term term-name from] hierarchy level.

Table 1: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series Routers and EX Series Switches Only)
Match Condition	Description
`destination-mac-address address`	Destination media access control (MAC) address of a Layer 2 packet in a bridging environment.
`destination-port number`	TCP or UDP destination port field. You cannot specify both the `port` and `destination-port` match conditions in the same term.
`destination-port-except`	Do not match the TCP/UDP destination port.
`destination-prefix-list` `named-list`	Match the IP destination prefixes in a `named-list`.
`dscp number`	Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. You can specify a numeric value from `0` through `63`. To specify the value in hexadecimal form, include `0x` as a prefix. To specify the value in binary form, include `b` as a prefix. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: `ef` (46). RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points: `af11` (10), `af12` (12), `af13` (14), `af21` (18), `af22` (20), `af23` (22), `af31` (26), `af32` (28), `af33` (30), `af41` (34), `af42` (36), `af43` (38)
`dscp-except number`	Do not match on the DSCP number. For more information, see the `dscp-except` match condition.
`ether-type value`	Match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values. You can specify decimal or hexadecimal values from 0 through 65535 (0xFFFF). A value from 0 through 1500 (0x05DC) specifies the length of an Ethernet Version 1 frame. A value from 1536 (0x0600) through 65535 specifies the EtherType (nature of the MAC client protocol) of an Ethernet Version 2 frame. In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed): `aarp` (0x80F3), `appletalk` (0x809B), `arp` (0x0806), `ipv4` (0x0800), `ipv6` (0x86DD), `mpls-multicast` (0x8848), `mpls-unicast` (0x8847), `oam` (0x8902), `ppp` (0x880B), `pppoe-discovery` (0x8863), `pppoe-session` (0x8864), `sna` (0x80D5). Note: When matching on ip-address or ipv6-address, the ether-type ipv4 or ipv6, respectively, must also be specified in order to limit matches to ip traffic only.
`ether-type-except value`	Do not match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values. For details about specifying the `values`, see the `ether-type` match condition.
`flexible-match-mask` `value`	`bit-length`	Length of the data to be matched in bits, not needed for string input (0..128)
	`bit-offset`	Bit offset after the (match-start + byte) offset (0..7)
	`byte-offset`	Byte offset after the match start point
	`flexible-mask-name`	Select a flexible match from predefined template field
	`mask-in-hex`	Mask out bits in the packet data to be matched
	`match-start`	Start point to match in packet
	`prefix`	Value data/string to be matched

`flexible-match-range` `value`	`bit-length`	Length of the data to be matched in bits (0..32)
	`bit-offset`	Bit offset after the (match-start + byte) offset (0..7)
	`byte-offset`	Byte offset after the match start point
	`flexible-range-name`	Select a flexible match from predefined template field
	`match-start`	Start point to match in packet
	`range`	Range of values to be matched
	`range-except`	Do not match this range of values

`forwarding class class`	Forwarding class. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`.
`forwarding-class-except class`	Ethernet type field of a Layer 2 packet environment. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`.
`icmp-code message-code`	Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the `ip-protocol icmp`, `ip-protocol icmp6`, or `ip-protocol icmpv6` match condition in the same term. If you configure this match condition, you must also configure the `icmp-type message-type` match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: parameter-problem: `ip6-header-bad` (0), `unrecognized-next-header` (1), `unrecognized-option` (2) time-exceeded: `ttl-eq-zero-during-reassembly` (1), `ttl-eq-zero-during-transit` (0) destination-unreachable: `address-unreachable` (3), `administratively-prohibited` (1), `no-route-to-destination` (0), `port-unreachable` (4)
`icmp-code-except message-code`	Do not match the ICMP message code field. For details, see the `icmp-code` match condition.
`icmp-type message-type`	Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the `ip-protocol icmp`, `ip-protocol icmp6`, or `ip-protocol icmpv6` match condition in the same term. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): `destination-unreachable` (1), `echo-reply` (129), `echo-request` (128), `membership-query` (130), `membership-report` (131), `membership-termination` (132), `neighbor-advertisement` (136), `neighbor-solicit` (135), `node-information-reply` (140), `node-information-request` (139), `packet-too-big` (2), `parameter-problem` (4), `redirect` (137), `router-advertisement` (134), `router-renumbering` (138), `router-solicit` (133), or `time-exceeded` (3).
`icmp-type-except message-type`	Do not match the ICMP message type field. For details, see the `icmp-type` match condition.
`interface interface-name`	Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received. Note: If you configure this match condition with an interface that does not exist, the term does not match any packet.
`interface-group group-number`	Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For `group-number`, specify a single value or a range of values from `0` through `255`. To assign a logical interface to an interface group `group-number`, specify the `group-number` at the `[interfaces interface-name unit number family family filter group]` hierarchy level. For more information, see Filtering Packets Received on a Set of Interface Groups Overview.
`interface-group-except number`	Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the `interface-group` match condition.
`interface-set interface-set-name`	Match the interface on which the packet was received to the specified interface set. To define an interface set, include the `interface-set` statement at the `[edit firewall]` hierarchy level. For more information, see Filtering Packets Received on an Interface Set Overview.
`ip-address address`	32-bit address that supports the standard syntax for IPv4 addresses. Note: In order to limit matches to IPv4 traffic only, the ether-type ipv4 must also be specified in the same term.
`ip-destination-address address`	32-bit address that is the final destination node address for the packet.
`ip-precedence ip-precedence-field`	IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): `critical-ecp` (0xa0), `flash` (0x60), `flash-override` (0x80), `immediate` (0x40), `internet-control` (0xc0), `net-control` (0xe0), `priority` (0x20), or `routine` (0x00).
`ip-precedence-except ip-precedence-field`	Do not match on the IP precedence field.
`ip-protocol number`	IP protocol field.
`ip-protocol-except`	Do not match the IP protocol type.
`ip-source-address address`	IP address of the source node sending the packet.
`ipv6-address` `address`	(MX Series only) 128-bit address that supports the standard syntax for IPv6 addresses. Note: In order to limit matches to IPv6 traffic only, the ether-type ipv6 must also be specified in the same term.
`ipv6-destination-address` `address`	(MX Series only) 128-bit address that is the final destination node address for this packet.
`ipv6-destination-prefix-list` `named-list`	(MX Series only) Match the IPv6 destination addresses in a `named-list`.
`ipv6-next-header` `protocol`	(MX Series only) Match IPv6 next header protocol type. The following list shows the supported values for `protocol`: `ah`—IP Security authentication header `dstopts`—IPv6 destination options `egp`—Exterior gateway protocol `esp`—IPSec Encapsulating Security Payload `fragment`—IPv6 fragment header `gre`—Generic routing encapsulation `hop-by-hop`—IPv6 hop by hop options `icmp`—Internet Control Message Protocol `icmp6`—Internet Control Message Protocol Version 6 `igmp`—Internet Group Management Protocol `ipip`—IP in IP `ipv6`—IPv6 in IP `no-next-header`—IPv6 no next header `ospf`—Open Shortest Path First `pim`—Protocol Independent Multicast `routing`—IPv6 routing header `rsvp`—Resource Reservation Protocol `sctp`—Stream Control Transmission Protocol `tcp`—Transmission Control Protocol `udp`—User Datagram Protocol `vrrp`—Virtual Router Redundancy Protocol
`ipv6-next-header-except` `protocol`	(MX Series only) Do not match the IPv6 next header protocol type.
`ipv6-payload-protocol` `protocol`	(MX Series only) Match IPv6 payload protocol type. The following list shows the supported values for `protocol`: `ah`—IP Security authentication header `dstopts`—IPv6 destination options `egp`—Exterior gateway protocol `esp`—IPSec Encapsulating Security Payload `fragment`—IPv6 fragment header `gre`—Generic routing encapsulation `hop-by-hop`—IPv6 hop by hop options `icmp`—Internet Control Message Protocol `icmp6`—Internet Control Message Protocol Version 6 `igmp`—Internet Group Management Protocol `ipip`—IP in IP `ipv6`—IPv6 in IP `no-next-header`—IPv6 no next header `ospf`—Open Shortest Path First `pim`—Protocol Independent Multicast `routing`—IPv6 routing header `rsvp`—Resource Reservation Protocol `sctp`—Stream Control Transmission Protocol `tcp`—Transmission Control Protocol `udp`—User Datagram Protocol `vrrp`—Virtual Router Redundancy Protocol
`ipv6-payload-protocol-except` `protocol`	(MX Series only) Do not match the IPv6 payload protocol.
`ipv6-prefix-list` `named-list`	(MX Series only) Match the IPv6 address in a `named-list`.
`ipv6-source-address` `address`	(MX Series only) 128-bit address that is the originating source node address for this packet.
`ipv6-source-prefix-list` `named-list`	(MX Series only) Match the IPv6 source address in a `named-list`.
`ipv6-traffic-class` `number`	(MX Series only) Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. You can specify a numeric value from `0` through `63`. To specify the value in hexadecimal form, include `0x` as a prefix. To specify the value in binary form, include `b` as a prefix. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: `ef` (46). RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points: `af11` (10), `af12` (12), `af13` (14), `af21` (18), `af22` (20), `af23` (22), `af31` (26), `af32` (28), `af33` (30), `af41` (34), `af42` (36), `af43` (38)
`ipv6-traffic-class-except` `number`	Do not match the DSCP `number`.
`isid number`	(Supported with Provider Backbone Bridging [PBB]) Match internet service identifier.
`isid-dei number`	(Supported with PBB) Match the Internet service identifier drop eligibility indicator (DEI) bit.
`isid-dei-except number`	(Supported with PBB) Do not match the Internet service identifier DEI bit.
`isid-priority-code-point number`	(Supported with PBB) Match the Internet service identifier priority code point.
`isid-priority-code-point-except number`	(Supported with PBB) Do not match the Internet service identifier priority code point.
`learn-vlan-1p-priority value`	(MX Series routers and EX Series switches only) Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from `0` through `7`. Compare with the `user-vlan-1p-priority` match condition.
`learn-vlan-1p-priority-except value`	(MX Series routers and EX Series switches only) Do not match on the IEEE 802.1p learned VLAN priority bits. For details, see the `learn-vlan-1p-priority` match condition.
`learn-vlan-dei number`	(Supported with bridging) Match user virtual LAN (VLAN) identifier DEI bit.
`learn-vlan-dei-except number`	(Supported with bridging) Do not match user VLAN identifier DEI bit.
`learn-vlan-id number`	VLAN identifier used for MAC learning.
`learn-vlan-id-except number`	Do not match on the VLAN identifier used for MAC learning.
`loss-priority level`	Packet loss priority (PLP) level. Specify a single level or multiple levels: `low`, `medium-low`, `medium-high`, or `high`. Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches. For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), and EX Series switches, you must include the `tri-color` statement at the `[edit class-of-service]` hierarchy level to commit a PLP configuration with any of the four levels specified. If the `tri-color` statement is not enabled, you can only configure the `high` and `low` levels. This applies to all protocol families. For information about the `tri-color` statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.
`loss-priority-except level`	Do not match on the packet loss priority level. Specify a single level or multiple levels: `low`, `medium-low`, `medium-high`, or `high`. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.
`port number`	TCP or UDP source or destination port. You cannot specify both the `port` match condition and either the `destination-port` or `source-port` match conditions in the same term.
`source-mac-address address`	Source MAC address of a Layer 2 packet.
`source-port number`	TCP or UDP source port field. You cannot specify the `port` and `source-port` match conditions in the same term.
`source-port-except`	Do not match the TCP/UDP source port.
`tcp-flags flags`	Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values: `fin` (0x01) `syn` (0x02) `rst` (0x04) `push` (0x08) `ack` (0x10) `urgent` (0x20) In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. Configuring the `tcp-flags` match condition requires that you configure the `next-header-tcp` match condition.
`traffic-type type`	Traffic type. Specify `broadcast`, `multicast`, `unknown-unicast`, or `known-unicast`.
`traffic-type-except type`	Do not match on the traffic type.
`user-vlan-1p-priority value`	(MX Series routers and EX Series switches only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from `0` through `7`. Compare with the `learn-vlan-1p-priority` match condition.
`user-vlan-1p-priority-except value`	(MX Series routers and EX Series switches only) Do not match on the IEEE 802.1p user priority bits. For details, see the `user-vlan-1p-priority` match condition.
`user-vlan-id number`	(MX Series routers and EX Series switches only) Match the first VLAN identifier that is part of the payload.
`user-vlan-id-except number`	(MX Series routers and EX Series switches only) Do not match on the first VLAN identifier that is part of the payload.
`vlan-ether-type value`	VLAN Ethernet type field of a Layer 2 bridging packet.
`vlan-ether-type-except value`	Do not match on the VLAN Ethernet type field of a Layer 2 bridging packet.

Firewall Filter Match Conditions for Layer 2 Bridging Traffic

Related Documentation