Firewall Filter Match Conditions for Protocol-Independent Traffic

You can configure a firewall filter with match conditions for protocol-independent traffic (family any).

To apply a protocol-independent firewall filter to a logical interface, configure the filter statement under the logical unit.

Table 1 describes the match-conditions you can configure at the [edit firewall family any filter filter-name term term-name from] hierarchy level.

Table 1: Firewall Filter Match Conditions for Protocol-Independent Traffic
Match Condition	Description
`egress-interface interface-name`	Match the egress interface of the packet. Applicable for filters applied to output (egress) traffic.
`forwarding-class class`	Match the forwarding class of the packet. Specify `assured-forwarding`, `best-effort`, `expedited-forwarding`, or `network-control`. For information about forwarding classes and router-internal output queues, see Understanding How Forwarding Classes Assign Classes to Output Queues.
`forwarding-class-except class`	Do not match on the forwarding class. For details, see the `forwarding-class` match condition.
`interface interface-name`	Match the interface on which the packet was received. Note: If you configure this match condition with an interface that does not exist, the term does not match any packet.
`interface-set interface-set-name`	Match the interface on which the packet was received to the specified interface set. To define an interface set, include the `interface-set` statement at the `[edit firewall]` hierarchy level. For more information, see Filtering Packets Received on an Interface Set Overview.
`loss-priority level`	Match the packet loss priority (PLP) level. Specify a single level or multiple levels: `low`, `medium-low`, `medium-high`, or `high`. For IP traffic you must include the `tri-color` statement at the `[edit class-of-service]` hierarchy level to commit a PLP configuration with any of the four levels specified. If the `tri-color` statement is not enabled, you can only configure the `high` and `low` levels. This applies to all protocol families. For information about the `tri-color` statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.
`loss-priority-except level`	Do not match the PLP level. For details, see the `loss-priority` match condition.
`mpls-bottom-of-stack`	Match if the MPLS label is the bottom of the stack (i.e., the last label before the payload). Applicable for filters applied to MPLS traffic.
`packet-length bytes`	Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. You can also specify a range of values to be matched.
`packet-length-except bytes`	Do not match on the received packet length, in bytes. For details, see the `packet-length` match type.
`packet-length bytes`	Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. You can also specify a range of values to be matched.
`policy-map` `policy-map-name`	Match packets based on a predefined policy map. You must specify the exact name of a configured policy map. The name must match a policy map defined at the `edit policy-options policy-statement` hierarchy level. Example: `policy-map "high-priority-traffic"`
`policy-map-exceptpolicy-map-name`	Exclude packets that match a predefined policy map. You must specify the exact name of a configured policy map. The name must match a policy map defined at the `edit policy-options policy-statement` hierarchy level. Use this to exclude traffic matched by the specified policy map from the current firewall filter term. Example: `policy-map-except "low-priority-traffic"`
`vlan-id number`	Match the VLAN ID of the packet. The range is 0 - 4095.

Platform-Specific Behavior

Use Feature Explorer to confirm platform and release support for specific features.

Use the following table to review platform-specific behavior for your platform:

Platform	Difference
MX Series Routers	On MX Series routers, attach a protocol-independent firewall filter to a logical interface by configuring the `filter` statement directly under the logical unit: `[edit interfaces name unit number filter]` `[edit logical-systems name interfaces name unit number filter]` On all other supported devices, attach a protocol-independent firewall filter to a logical interface by configuring the `filter` statement under the protocol family (`family any`): [edit interfaces name unit number family any filter] [edit logical-systems name interfaces name unit number family any filter]

Platform

Difference

MX Series Routers

On MX Series routers, attach a protocol-independent firewall filter to a logical interface by configuring the filter statement directly under the logical unit:

[edit interfaces name unit number filter]
[edit logical-systems name interfaces name unit number filter]

On all other supported devices, attach a protocol-independent firewall filter to a logical interface by configuring the filter statement under the protocol family (family any):

[edit interfaces name unit number family
            any filter]

[edit logical-systems name interfaces name unit number family any
        filter]

Firewall Filter Match Conditions for Protocol-Independent Traffic

Platform-Specific Behavior

Related Documentation