Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Firewall Filter Match Conditions for Layer 2 Bridging Traffic

Only on MX Series routers and EX Series switches, you can configure a standard stateless firewall filter with match conditions for Layer 2 bridging traffic (family bridge). Table 1 describes the match-conditions you can configure at the [edit firewall family bridge filter filter-name term term-name from] hierarchy level.

Table 1: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series Routers and EX Series Switches Only)

Match Condition

Description

destination-mac-address address

Destination media access control (MAC) address of a Layer 2 packet in a bridging environment.

destination-port number

TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.

destination-port-except

Do not match the TCP/UDP destination port.

destination-prefix-list named-list

Match the IP destination prefixes in a named-list.

dscp number

Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

af11 (10), af12 (12), af13 (14),

af21 (18), af22 (20), af23 (22),

af31 (26), af32 (28), af33 (30),

af41 (34), af42 (36), af43 (38)

dscp-except number

Do not match on the DSCP number. For more information, see the dscp-except match condition.

ether-type value

Match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values.

You can specify decimal or hexadecimal values from 0 through 65535 (0xFFFF). A value from 0 through 1500 (0x05DC) specifies the length of an Ethernet Version 1 frame. A value from 1536 (0x0600) through 65535 specifies the EtherType (nature of the MAC client protocol) of an Ethernet Version 2 frame.

In place of the numeric value, you can specify one of the following text synonyms (the hexadecimal values are also listed): aarp (0x80F3), appletalk (0x809B), arp (0x0806), ipv4 (0x0800), ipv6 (0x86DD), mpls-multicast (0x8848), mpls-unicast (0x8847), oam (0x8902), ppp (0x880B), pppoe-discovery (0x8863), pppoe-session (0x8864), sna (0x80D5).

Note:

When matching on ip-address or ipv6-address, the ether-type ipv4 or ipv6, respectively, must also be specified in order to limit matches to ip traffic only.

ether-type-except value

Do not match the 2-octet IEEE 802.3 Length/EtherType field to the specified value or list of values.

For details about specifying the values, see the ether-type match condition.

flexible-match-mask value

bit-length

Length of the data to be matched in bits, not needed for string input (0..128)

bit-offset

Bit offset after the (match-start + byte) offset (0..7)

byte-offset

Byte offset after the match start point

flexible-mask-name

Select a flexible match from predefined template field

mask-in-hex

Mask out bits in the packet data to be matched

match-start

Start point to match in packet

prefix

Value data/string to be matched

 

flexible-match-range value

bit-length

Length of the data to be matched in bits (0..32)

bit-offset

Bit offset after the (match-start + byte) offset (0..7)

byte-offset

Byte offset after the match start point

flexible-range-name

Select a flexible match from predefined template field

match-start

Start point to match in packet

range

Range of values to be matched

range-except

Do not match this range of values

 

forwarding class class

Forwarding class. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

forwarding-class-except class

Ethernet type field of a Layer 2 packet environment. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control.

icmp-code message-code

Match the ICMP message code field.

If you configure this match condition, we recommend that you also configure the ip-protocol icmp, ip-protocol icmp6, or ip-protocol icmpv6 match condition in the same term.

If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • destination-unreachable: address-unreachable (3), administratively-prohibited (1), no-route-to-destination (0), port-unreachable (4)

icmp-code-except message-code

Do not match the ICMP message code field. For details, see the icmp-code match condition.

icmp-type message-type

Match the ICMP message type field.

If you configure this match condition, we recommend that you also configure the ip-protocol icmp, ip-protocol icmp6, or ip-protocol icmpv6 match condition in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): destination-unreachable (1), echo-reply (129), echo-request (128), membership-query (130), membership-report (131), membership-termination (132), neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140), node-information-request (139), packet-too-big (2), parameter-problem (4), redirect (137), router-advertisement (134), router-renumbering (138), router-solicit (133), or time-exceeded (3).

icmp-type-except message-type

Do not match the ICMP message type field. For details, see the icmp-type match condition.

interface interface-name

Interface on which the packet was received. You can configure a match condition that matches packets based on the interface on which they were received.

Note:

If you configure this match condition with an interface that does not exist, the term does not match any packet.

interface-group group-number

Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255.

To assign a logical interface to an interface group group-number, specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level.

For more information, see Filtering Packets Received on a Set of Interface Groups Overview.

interface-group-except number

Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition.

interface-set interface-set-name

Match the interface on which the packet was received to the specified interface set.

To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level. For more information, see Filtering Packets Received on an Interface Set Overview.

ip-address address

32-bit address that supports the standard syntax for IPv4 addresses.

Note:

In order to limit matches to IPv4 traffic only, the ether-type ipv4 must also be specified in the same term.

ip-destination-address address

32-bit address that is the final destination node address for the packet.

ip-precedence ip-precedence-field

IP precedence field. In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00).

ip-precedence-except ip-precedence-field

Do not match on the IP precedence field.

ip-protocol number

IP protocol field.

ip-protocol-except

Do not match the IP protocol type.

ip-source-address address

IP address of the source node sending the packet.

ipv6-address address

(MX Series only) 128-bit address that supports the standard syntax for IPv6 addresses.

Note:

In order to limit matches to IPv6 traffic only, the ether-type ipv6 must also be specified in the same term.

ipv6-destination-address address

(MX Series only) 128-bit address that is the final destination node address for this packet.

ipv6-destination-prefix-list named-list

(MX Series only) Match the IPv6 destination addresses in a named-list.

ipv6-next-header protocol

(MX Series only) Match IPv6 next header protocol type.

The following list shows the supported values for protocol:

  • ah—IP Security authentication header

  • dstopts—IPv6 destination options

  • egp—Exterior gateway protocol

  • esp—IPSec Encapsulating Security Payload

  • fragment—IPv6 fragment header

  • gre—Generic routing encapsulation

  • hop-by-hop—IPv6 hop by hop options

  • icmp—Internet Control Message Protocol

  • icmp6—Internet Control Message Protocol Version 6

  • igmp—Internet Group Management Protocol

  • ipip—IP in IP

  • ipv6—IPv6 in IP

  • no-next-header—IPv6 no next header

  • ospf—Open Shortest Path First

  • pim—Protocol Independent Multicast

  • routing—IPv6 routing header

  • rsvp—Resource Reservation Protocol

  • sctp—Stream Control Transmission Protocol

  • tcp—Transmission Control Protocol

  • udp—User Datagram Protocol

  • vrrp—Virtual Router Redundancy Protocol

ipv6-next-header-except protocol

(MX Series only) Do not match the IPv6 next header protocol type.

ipv6-payload-protocol protocol

(MX Series only) Match IPv6 payload protocol type.

The following list shows the supported values for protocol:

  • ah—IP Security authentication header

  • dstopts—IPv6 destination options

  • egp—Exterior gateway protocol

  • esp—IPSec Encapsulating Security Payload

  • fragment—IPv6 fragment header

  • gre—Generic routing encapsulation

  • hop-by-hop—IPv6 hop by hop options

  • icmp—Internet Control Message Protocol

  • icmp6—Internet Control Message Protocol Version 6

  • igmp—Internet Group Management Protocol

  • ipip—IP in IP

  • ipv6—IPv6 in IP

  • no-next-header—IPv6 no next header

  • ospf—Open Shortest Path First

  • pim—Protocol Independent Multicast

  • routing—IPv6 routing header

  • rsvp—Resource Reservation Protocol

  • sctp—Stream Control Transmission Protocol

  • tcp—Transmission Control Protocol

  • udp—User Datagram Protocol

  • vrrp—Virtual Router Redundancy Protocol

ipv6-payload-protocol-except protocol

(MX Series only) Do not match the IPv6 payload protocol.

ipv6-prefix-list named-list

(MX Series only) Match the IPv6 address in a named-list.

ipv6-source-address address

(MX Series only) 128-bit address that is the originating source node address for this packet.

ipv6-source-prefix-list named-list

(MX Series only) Match the IPv6 source address in a named-list.

ipv6-traffic-class number

(MX Series only) Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

af11 (10), af12 (12), af13 (14),

af21 (18), af22 (20), af23 (22),

af31 (26), af32 (28), af33 (30),

af41 (34), af42 (36), af43 (38)

ipv6-traffic-class-except number

Do not match the DSCP number.

isid number

(Supported with Provider Backbone Bridging [PBB]) Match internet service identifier.

isid-dei number

(Supported with PBB) Match the Internet service identifier drop eligibility indicator (DEI) bit.

isid-dei-except number

(Supported with PBB) Do not match the Internet service identifier DEI bit.

isid-priority-code-point number

(Supported with PBB) Match the Internet service identifier priority code point.

isid-priority-code-point-except number

(Supported with PBB) Do not match the Internet service identifier priority code point.

learn-vlan-1p-priority value

(MX Series routers and EX Series switches only) Match on the IEEE 802.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802.1Q VLAN tags or the outer tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the user-vlan-1p-priority match condition.

learn-vlan-1p-priority-except value

(MX Series routers and EX Series switches only) Do not match on the IEEE 802.1p learned VLAN priority bits. For details, see the learn-vlan-1p-priority match condition.

learn-vlan-dei number

(Supported with bridging) Match user virtual LAN (VLAN) identifier DEI bit.

learn-vlan-dei-except number

(Supported with bridging) Do not match user VLAN identifier DEI bit.

learn-vlan-id number

VLAN identifier used for MAC learning.

learn-vlan-id-except number

Do not match on the VLAN identifier used for MAC learning.

loss-priority level

Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers and EX Series switches.

For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), and EX Series switches, you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

loss-priority-except level

Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low, medium-high, or high.

For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see the Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

port number

TCP or UDP source or destination port. You cannot specify both the port match condition and either the destination-port or source-port match conditions in the same term.

source-mac-address address

Source MAC address of a Layer 2 packet.

source-port number

TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term.

source-port-except

Do not match the TCP/UDP source port.

tcp-flags flags

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

Configuring the tcp-flags match condition requires that you configure the next-header-tcp match condition.

traffic-type type

Traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

traffic-type-except type

Do not match on the traffic type.

user-vlan-1p-priority value

(MX Series routers and EX Series switches only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

Compare with the learn-vlan-1p-priority match condition.

user-vlan-1p-priority-except value

(MX Series routers and EX Series switches only) Do not match on the IEEE 802.1p user priority bits. For details, see the user-vlan-1p-priority match condition.

user-vlan-id number

(MX Series routers and EX Series switches only) Match the first VLAN identifier that is part of the payload.

user-vlan-id-except number

(MX Series routers and EX Series switches only) Do not match on the first VLAN identifier that is part of the payload.

vlan-ether-type value

VLAN Ethernet type field of a Layer 2 bridging packet.

vlan-ether-type-except value

Do not match on the VLAN Ethernet type field of a Layer 2 bridging packet.

Note:

For matches flexible-match-mask and flexible-match-range match-start layer-4 used to match over IPV6 header will not work for L2 family filters such as "bridge, CCC, VPLS". Instead, use layer-3 with appropriate offset to match over IPV6 payload fields.