Understanding Multiple Firewall Filters in a Nested Configuration
The Challenge: Simplify Large-Scale Firewall Filter Administration
Typically, you apply a single firewall filter to an interface in the input or output direction or both. This approach might not be practical, however, when you have a router (or switch) configured with many, even hundreds of interfaces. In an environment of this scale, you want the flexibility of being able to modify filtering terms common to multiple interfaces without having to reconfigure the filter of every affected interface.
In general, the solution is to apply an effectively “chained” structure of multiple stateless firewall filters to a single interface. You partition your filtering terms into multiple firewall filters configured so that you can apply a unique filter to each router (or switch) interface but also apply common filters to multiple router (or switch) interfaces as required. The Junos OS policy framework provides two options for managing the application of multiple separate firewall filters to individual router (or switch) interfaces. One option is to apply multiple filters as a single input list or output list. The other option is to reference a stateless firewall filter from within the term of another stateless firewall filter.
A Solution: Configure Nested References to Firewall Filters
The most structured way to avoid configuring duplicate filtering terms common to multiple firewall filters is to configure multiple firewall filters so that each filter includes the shared filtering terms by referencing a separate filter that contains the common filtering terms. The Junos OS uses the filter terms—in the order in which they appear in the filter definition—to evaluate packets that transit the interface. If you need to modify filtering terms shared across multiple interfaces, you only need to modify one firewall filter.
Similar to the alternative approach (applying a list of firewall filters), configuring a nested firewall filter combines multiple firewall filters into a new firewall filter definition.
Configuration of Nested Firewall Filters
Configuring a nested firewall filter for each router (or switch) interface involves separating shared packet-filtering rules from interface-specific packet-filtering rules as follows:
For each set of packet-filtering rules common across multiple interfaces, configure a separate firewall filter that contains the shared filtering terms.
For each router (or switch) interface, configure a separate firewall filter that contains:
All the filtering terms unique to that interface.
An additional filtering term that contains a filter statement referencing the firewall filter that holds the common filtering terms.
Application of Nested Firewall Filters to a Router or Switch Interface
Applying nested firewall filters is no different from applying an unnested firewall filter. For each interface, you can include an input or output statement (or both) within the filter stanza to specify the appropriate nested firewall filter.
When you apply a nested firewall filter to an interface, the shared filtering terms and the interface-specific filtering terms take effect through that single filter, which pulls in the other filters by means of a filter statement placed in its own separate filtering term.
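The procedure above as a complete configuration, added here as an illustration and not taken from the Junos documentation this page summarizes. The filter and term names, the interface ge-0/0/1 unit 0, the addresses (from the documentation ranges 192.0.2.0/24 and 203.0.113.0/24) and the ports are all assumed; the shared filter common-protect is referenced from the interface-specific filter ge-0-0-1-in, which is then applied in the input direction:

```junos
firewall {
    family inet {
        /* Shared terms, referenced from every interface-specific filter.
           Change them once here and every referencing filter picks them up. */
        filter common-protect {
            term allow-ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count dropped-ssh;
                    discard;
                }
            }
        }
        /* Interface-specific filter for ge-0/0/1: its own terms first,
           then the shared terms, then the interface's own catch-all. */
        filter ge-0-0-1-in {
            term allow-bgp-peer {
                from {
                    source-address {
                        203.0.113.2/32;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* The term that references another filter holds only the
               filter statement; the referenced terms are evaluated at
               this position in the term order. */
            term shared {
                filter common-protect;
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* Applied exactly like an unnested filter. */
                filter {
                    input ge-0-0-1-in;
                }
                address 203.0.113.1/30;
            }
        }
    }
}
```

Term order is what makes the placement of the shared term matter: a packet is checked against allow-bgp-peer, then against the two terms of common-protect, and only then against allow-rest, so SSH from outside 192.0.2.0/24 is discarded before the catch-all accept can see it. Because commit check and commit do not reject unsupported nested combinations, a clean commit is not evidence that the nesting was installed; confirm the combination on the Packet Forwarding Engine with the vty command show jexpr dfw filter-types before relying on the filter.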
Commit check and commit do not fail for unsupported nested filters, so a successful commit does not confirm that a given nesting combination is supported. Unsupported nested filters are the filter combinations that are not listed by the vty (Packet Forwarding Engine shell) command show jexpr dfw filter-types; check that output before relying on a nested filter to enforce policy.