Firewall Filter Match Conditions for Layer 2 Bridging Traffic
On MX Series routers and EX Series switches only, you can configure a standard stateless firewall filter with match conditions for Layer 2 bridging traffic (family bridge). Table 1 describes the match conditions you can configure at the [edit firewall family bridge filter filter-name term term-name from] hierarchy level.
Table 1: Firewall Filter Match Conditions for Layer 2 Bridging Traffic

| Match Condition | Description |
|---|---|
| destination-mac-address address | Destination media access control (MAC) address of a Layer 2 packet in a bridging environment. |
| destination-port number | TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term. |
| destination-port-except number | Do not match the TCP/UDP destination port. |
| destination-prefix-list name | Match the IP destination prefixes in a named list. |
| dscp number | Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header; the most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. You can specify a numeric value from 0 through 63. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): af11 (10), af12 (12), af13 (14), af21 (18), af22 (20), af23 (22), af31 (26), af32 (28), af33 (30), af41 (34), af42 (36), af43 (38), be (0), cs1 (8), cs2 (16), cs3 (24), cs4 (32), cs5 (40), cs6 (48), cs7 (56), ef (46). |
| dscp-except number | Do not match on the DSCP number. For more information, see the dscp match condition. |
| ether-type values | Match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values. You can specify decimal or hexadecimal values from 0 through 65535 (0xFFFF). A value from 0 through 1500 (0x05DC) is a length field and identifies an IEEE 802.3 frame. A value from 1536 (0x0600) through 65535 is an EtherType (the nature of the MAC client protocol) and identifies an Ethernet Version 2 frame. In place of the numeric value, you can specify a text synonym (the hexadecimal values are also listed); synonyms include arp (0x0806), ipv4 (0x0800), ipv6 (0x86DD), mpls-unicast (0x8847), mpls-multicast (0x8848), pppoe-discovery (0x8863), and pppoe-session (0x8864). Note: When matching on ip-address or ipv6-address, also specify ether-type ipv4 or ether-type ipv6, respectively, in the same term; otherwise the term is not limited to IP traffic. |
| ether-type-except values | Do not match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values. For details about specifying the values, see the ether-type match condition. |
| flexible-match-mask value | Match a bit field at a user-defined location in the packet against a masked value. Subfields: bit-length (0..128): length of the data to be matched in bits, not needed for string input; bit-offset (0..7): bit offset after the (match-start + byte-offset) position; byte-offset: byte offset after the match start point; flexible-mask-name: select a flexible match from a predefined template field; mask-in-hex: mask out bits in the packet data to be matched; match-start: start point to match in the packet; prefix: value data or string to be matched. |
| flexible-match-range value | Match a bit field at a user-defined location in the packet against a range of values. Subfields: bit-length (0..32): length of the data to be matched in bits; bit-offset (0..7): bit offset after the (match-start + byte-offset) position; byte-offset: byte offset after the match start point; flexible-range-name: select a flexible match from a predefined template field; match-start: start point to match in the packet; range: range of values to be matched; range-except: do not match this range of values. |
| forwarding-class class | Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. |
| icmp-code message-code | Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the ip-protocol icmp match condition in the same term. If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. In place of the numeric value, you can specify a text synonym; the synonyms are grouped by the ICMP type with which they are associated. |
| icmp-code-except message-code | Do not match the ICMP message code field. For details, see the icmp-code match condition. |
| icmp-type message-type | Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the ip-protocol icmp match condition in the same term. In place of the numeric value, you can specify a text synonym. |
| icmp-type-except message-type | Do not match the ICMP message type field. For details, see the icmp-type match condition. |
| interface interface-name | Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received. Note: If you configure this match condition with an interface that does not exist, the term does not match any packet. |
| interface-group group-number | Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255. To assign a logical interface to an interface group group-number, specify the group-number at the [edit interfaces interface-name unit number family family filter group group-number] hierarchy level. For more information, see Filtering Packets Received on a Set of Interface Groups Overview. |
| interface-group-except group-number | Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition. |
| interface-set interface-set-name | Match the interface on which the packet was received to the specified interface set. To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level. |
| ip-address address | 32-bit address that supports the standard syntax for IPv4 addresses. Note: To limit matches to IPv4 traffic only, ether-type ipv4 must also be specified in the same term. |
| ip-destination-address address | 32-bit address that is the final destination node address for the packet. |
| ip-precedence ip-precedence-field | IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), routine (0x00). |
| ip-precedence-except ip-precedence-field | Do not match on the IP precedence field. |
| ip-protocol number | IP protocol field. |
| ip-protocol-except number | Do not match the IP protocol type. |
| ip-source-address address | IP address of the source node sending the packet. |
| ipv6-address address | (MX Series only) 128-bit address that supports the standard syntax for IPv6 addresses. Note: To limit matches to IPv6 traffic only, ether-type ipv6 must also be specified in the same term. |
| ipv6-destination-address address | (MX Series only) 128-bit address that is the final destination node address for this packet. |
| ipv6-destination-prefix-list name | (MX Series only) Match the IPv6 destination addresses in a named list. |
| ipv6-next-header protocol | (MX Series only) Match the IPv6 next header protocol type, that is, the Next Header field of the base IPv6 header. Specify a protocol number or text synonym. |
| ipv6-next-header-except protocol | (MX Series only) Do not match the IPv6 next header protocol type. |
| ipv6-payload-protocol protocol | (MX Series only) Match the IPv6 payload protocol type, that is, the protocol of the payload after any extension headers; this differs from ipv6-next-header when the packet carries extension headers. Specify a protocol number or text synonym. |
| ipv6-payload-protocol-except protocol | (MX Series only) Do not match the IPv6 payload protocol. |
| ipv6-prefix-list name | (MX Series only) Match the IPv6 address in a named list. |
| ipv6-source-address address | (MX Series only) 128-bit address that is the originating source node address for this packet. |
| ipv6-source-prefix-list name | (MX Series only) Match the IPv6 source address in a named list. |
| ipv6-traffic-class number | (MX Series only) Differentiated Services code point (DSCP) carried in the IPv6 Traffic Class field. The DiffServ protocol uses the type-of-service (ToS) byte in the IP header; the most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. You can specify a numeric value from 0 through 63 or one of the text synonyms listed for the dscp match condition. |
| ipv6-traffic-class-except number | (MX Series only) Do not match the DSCP in the IPv6 Traffic Class field. |
| isid number | (Supported with Provider Backbone Bridging [PBB]) Match the backbone service instance identifier (I-SID). |
| isid-dei number | (Supported with PBB) Match the I-SID drop eligibility indicator (DEI) bit. |
| isid-dei-except number | (Supported with PBB) Do not match the I-SID DEI bit. |
| isid-priority-code-point number | (Supported with PBB) Match the I-SID priority code point. |
| isid-priority-code-point-except number | (Supported with PBB) Do not match the I-SID priority code point. |
| learn-vlan-1p-priority number | (MX Series routers and EX Series switches only) Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags, or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7. Compare with the user-vlan-1p-priority match condition. |
| learn-vlan-1p-priority-except number | (MX Series routers and EX Series switches only) Do not match on the IEEE 802.1p learned VLAN priority bits. For details, see the learn-vlan-1p-priority match condition. |
| learn-vlan-dei number | (Supported with bridging) Match the user virtual LAN (VLAN) identifier DEI bit. |
| learn-vlan-dei-except number | (Supported with bridging) Do not match the user VLAN identifier DEI bit. |
| learn-vlan-id number | VLAN identifier used for MAC learning. |
| learn-vlan-id-except number | Do not match on the VLAN identifier used for MAC learning. |
| loss-priority level | Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches. For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), and on EX Series switches, you must include the tri-color statement at the [edit class-of-service] hierarchy level. |
| loss-priority-except level | Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic. |
| port number | TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term. |
| source-mac-address address | Source MAC address of a Layer 2 packet. |
| source-port number | TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. |
| source-port-except number | Do not match the TCP/UDP source port. |
| tcp-flags flags | Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. To specify individual bit fields, you can specify the following text synonyms or hexadecimal values: fin (0x01), syn (0x02), rst (0x04), push (0x08), ack (0x10), urgent (0x20). In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. |
| traffic-type type | Traffic type. Specify broadcast, known-unicast, multicast, or unknown-unicast. |
| traffic-type-except type | Do not match on the traffic type. |
| user-vlan-1p-priority number | (MX Series routers and EX Series switches only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7. Compare with the learn-vlan-1p-priority match condition. |
| user-vlan-1p-priority-except number | (MX Series routers and EX Series switches only) Do not match on the IEEE 802.1p user priority bits. For details, see the user-vlan-1p-priority match condition. |
| user-vlan-id number | (MX Series routers and EX Series switches only) Match the first VLAN identifier that is part of the payload. |
| user-vlan-id-except number | (MX Series routers and EX Series switches only) Do not match on the first VLAN identifier that is part of the payload. |
| vlan-ether-type values | VLAN Ethernet type field of a Layer 2 bridging packet. |
| vlan-ether-type-except values | Do not match on the VLAN Ethernet type field of a Layer 2 bridging packet. |

The keyword column and the keyword names inside the cross-references ("see the dscp match condition") did not survive extraction of this page; the keywords shown are the Junos family bridge match-condition names and are supplied here rather than copied from the page, while the descriptions are the page's own.
Note: For the flexible-match-mask and flexible-match-range conditions, match-start layer-4 does not work for matching over an IPv6 header in Layer 2 family filters (family bridge, ccc, and vpls). Instead, use match-start layer-3 with a byte-offset that reaches the IPv6 payload fields (for a packet with no extension headers, the transport header begins 40 bytes after the start of the IPv6 header). Because the offset is fixed, it lines up only when the frame has the tag layout you assumed and the IPv6 packet carries no extension headers; a sender can insert extension headers to shift the transport header past the offset you match on, so do not treat a fixed-offset match as a reliable substitute for a transport-header match when extension headers are possible.
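The EtherType gating that the ip-address and ipv6-address notes require, and the layer-3-plus-offset rule in the note above, modeled over raw Ethernet frames. This is an added example, not Juniper code, and it does not reproduce the Junos forwarding-plane implementation; it assumes untagged Ethernet II frames (14-byte header), an IPv4 header without options, an IPv6 header without extension headers, and sample frames that are constructed inline rather than captured. The function names, the ARP look-alike frame, the treatment of ip-address as matching either the source or the destination address, and the way mask-in-hex and prefix are combined are the example's own assumptions.

```python
"""Model of 'family bridge' ip-address and flexible-match-mask behaviour.

Added example, not Juniper code. Assumptions: untagged Ethernet II frames
(14-byte header), IPv4 without options, IPv6 without extension headers,
ip-address matches source or destination, and the frames below are
constructed here, not captured traffic.
"""
import ipaddress
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD
L3_OFFSET = 14  # untagged Ethernet II; one 802.1Q tag would add 4 bytes (assumption)


def ether_type(frame: bytes) -> int:
    return struct.unpack("!H", frame[12:14])[0]


def ip_address_match(frame: bytes, prefix: str, with_ether_type: bool = True) -> bool:
    """Model of `from { ether-type ipv4; ip-address <prefix>; }`.

    With with_ether_type=False the term is evaluated the way the page warns
    against: the bytes at the IPv4 address offsets are read from whatever
    frame arrives, so a non-IP frame can match by accident.
    """
    if with_ether_type and ether_type(frame) != ETHERTYPE_IPV4:
        return False
    net = ipaddress.ip_network(prefix)
    src = ipaddress.IPv4Address(frame[L3_OFFSET + 12:L3_OFFSET + 16])
    dst = ipaddress.IPv4Address(frame[L3_OFFSET + 16:L3_OFFSET + 20])
    return src in net or dst in net


def match_start_offset(frame: bytes, match_start: str) -> int:
    """Byte offset in the frame for a flexible-match match-start keyword."""
    if match_start == "layer-2":
        return 0
    if match_start == "layer-3":
        return L3_OFFSET
    if match_start == "layer-4":
        # Page caveat: in bridge/CCC/VPLS filters layer-4 does not work over an
        # IPv6 header; the model refuses instead of silently mis-aligning.
        if ether_type(frame) != ETHERTYPE_IPV4:
            raise ValueError("match-start layer-4 is not usable over non-IPv4 in L2 families")
        return L3_OFFSET + (frame[L3_OFFSET] & 0x0F) * 4  # skip IHL*4 bytes
    raise ValueError(f"unknown match-start {match_start!r}")


def flexible_match_mask(frame: bytes, match_start: str, byte_offset: int,
                        bit_offset: int, bit_length: int, mask_in_hex: int,
                        prefix: int) -> bool:
    """Model of flexible-match-mask: take bit_length bits starting bit_offset
    bits after (match-start + byte-offset), AND with mask_in_hex, compare with
    prefix. A field that runs past the end of the frame does not match."""
    start = match_start_offset(frame, match_start) + byte_offset
    nbytes = (bit_offset + bit_length + 7) // 8
    chunk = frame[start:start + nbytes]
    if len(chunk) < nbytes:
        return False
    value = int.from_bytes(chunk, "big")
    value >>= nbytes * 8 - bit_offset - bit_length  # discard trailing bits
    value &= (1 << bit_length) - 1                  # keep bit_length bits
    return (value & mask_in_hex) == prefix


# --- constructed sample frames (not captured traffic) ---------------------
def _eth(etype: int, payload: bytes) -> bytes:
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", etype) + payload


def _tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def _ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload


def _ipv6(src: str, dst: str, next_header: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + payload


IPV4_SYN = _eth(ETHERTYPE_IPV4, _ipv4("10.1.2.3", "192.0.2.10", 6, _tcp(40000, 22, 0x02)))
IPV6_SYN = _eth(ETHERTYPE_IPV6, _ipv6("2001:db8::1", "2001:db8::2", 6, _tcp(40000, 22, 0x02)))
# ARP request whose sender MAC ends in 0a:0b and sender IP starts c0.a8: the
# bytes at the IPv4 source-address offset read as 10.11.192.168.
ARP_LOOKALIKE = _eth(ETHERTYPE_ARP, struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
                     bytes.fromhex("001122330a0b"), bytes.fromhex("c0a80101"),
                     bytes(6), bytes.fromhex("c0a801fe")))


def demo() -> dict:
    """Evaluate the modelled terms against the sample frames."""
    return {
        # term without ether-type ipv4: the ARP frame matches 10.0.0.0/8 by accident
        "arp_matches_without_ether_type": ip_address_match(ARP_LOOKALIKE, "10.0.0.0/8", False),
        "arp_matches_with_ether_type": ip_address_match(ARP_LOOKALIKE, "10.0.0.0/8"),
        "ipv4_matches": ip_address_match(IPV4_SYN, "10.0.0.0/8"),
        # TCP destination port 22 via match-start layer-4 (IPv4 only) ...
        "v4_dport22_layer4": flexible_match_mask(IPV4_SYN, "layer-4", 2, 0, 16, 0xFFFF, 22),
        # ... and via layer-3 + 40-byte IPv6 header + 2, as the page's note prescribes
        "v6_dport22_layer3": flexible_match_mask(IPV6_SYN, "layer-3", 42, 0, 16, 0xFFFF, 22),
        # SYN bit: the TCP flags byte is 13 bytes into the TCP header
        "v6_syn_layer3": flexible_match_mask(IPV6_SYN, "layer-3", 53, 0, 8, 0x02, 0x02),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it directly to print each modeled term's verdict. The ARP frame is the point of the EtherType notes: read at the IPv4 source-address offset, its sender MAC and sender IP bytes spell 10.11.192.168, so a term with ip-address 10.0.0.0/8 and no ether-type ipv4 accepts a non-IP frame. For the IPv6 frame, TCP destination port 22 is reached from match-start layer-3 with byte-offset 42 (40-byte base header plus 2), the form the note above describes; asking for match-start layer-4 over that frame raises in the model rather than silently matching the wrong bytes, and the same 42-byte offset would miss the port entirely if an extension header were present.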