Overview of Firewall Filters (QFX Series)
Firewall filters, sometimes called access control lists (ACLs), provide rules that define whether to accept or discard packets that are transiting an interface. If a packet is accepted, you can configure more actions on the packet, such as class-of-service (CoS) marking (grouping similar types of traffic together and treating each type of traffic as a class with its own level of service priority) and traffic policing (controlling the maximum rate of traffic sent or received).
You can configure firewall filters to determine where to accept or discard a packet before it enters or exits a port, VLAN, Layer 2 CCC, Layer 3 (routed) interface, Routed VLAN interface (RVI), or MPLS interface.
An ingress (input) firewall filter is applied to packets that are entering an interface or VLAN, and an egress (output) firewall filter is applied to packets that are exiting an interface or VLAN.
Policers applied on network ports, Layer 2 and Layer 3 interfaces, or IRB interfaces do not police host-bound traffic, that is, traffic destined for the switch itself. To rate-limit or block traffic aimed at the Routing Engine, for example to mitigate a DDoS attack against the control plane, apply a firewall filter to the loopback interface (lo0), which is the point through which all host-bound traffic passes.
Where You Can Apply Filters
After you configure the firewall filter, you can apply it to the following:
- Port—Filters Layer 2 traffic transiting system ports.
- VLAN—Filters and provides access control for Layer 2 packets that enter a VLAN, are bridged within a VLAN, or leave a VLAN.
- Layer 3 (routed) interface—Filters traffic on IPv4 and IPv6 interfaces, routed VLAN interfaces (RVI), and the loopback interface. The loopback interface filters traffic sent to the switch itself or generated by the switch.
- Layer 2 CCC interface—Filters Layer 2 circuit cross-connect (CCC) interfaces.
- MPLS—Filters MPLS interfaces.
You can also apply a firewall filter to a management interface (for example, me0) on a QFX and EX4600 standalone switch. You can’t apply a filter to a management interface on a QFX3000-G or QFX3000-M system.
You can apply only one firewall filter to a port, VLAN, or Layer 2 CCC interface for a given direction. For example, for interface ge-0/0/6.0, you can apply one filter for the ingress direction and one for the egress direction.
- (QFX Series) Starting with Junos OS Release 13.2X51-D15, you can apply a filter to a loopback interface in the egress direction.
- (QFX10000) Starting with Junos OS Release 18.2R1, you can apply ingress and egress firewall filters with count and discard as policer actions on Layer 2 circuit interfaces.
- (QFX10002-36Q, QFX10002-72Q, QFX10002-60C, QFX10008, QFX10016, PTX10008, PTX10016) Starting with Junos OS Release 19.2R1, you can apply the interface, forwarding-class, and loss-priority match conditions in the egress direction on IPv4 and IPv6 interfaces.
The EX4600, QFX5000 series, and QFX5000 EVO series switches do not use the routing instance (VRF) as part of the match for loopback filters. A loopback filter applied to a loopback unit in a non-default routing instance (such as lo0.100, lo0.103, or lo0.105) is not supported on these platforms and can cause unpredictable behavior. On these platforms, apply the loopback filter only to lo0.0 in the master routing instance.
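The following configuration is an added example, not taken from this Juniper page, showing a Layer 2 (family ethernet-switching) filter applied in the ingress direction to the access port ge-0/0/6.0 mentioned above. It drops DHCP server replies that arrive from the host side of the port (only a DHCP server sends from UDP port 67), counts them, and accepts everything else. The filter, term, and counter names are illustrative choices for this example.

```junos
/* Added example: Layer 2 port filter that blocks a rogue DHCP server
   on an access port. Names are illustrative, not from the page. */
firewall {
    family ethernet-switching {
        filter block-rogue-dhcp-server {
            /* Term 1: a DHCP *server* transmits from UDP source port 67.
               A client on an access port has no reason to do so. */
            term drop-dhcp-server-replies {
                from {
                    ip-protocol udp;
                    source-port 67;
                }
                then {
                    count rogue-dhcp-replies;
                    discard;
                }
            }
            /* Term 2: a term with no "from" clause matches every
               remaining packet. Without it, the filter's implicit
               final discard would drop all other traffic on the port. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/6 {
        unit 0 {
            family ethernet-switching {
                /* Only one filter per direction on a port: this is the
                   single input filter; a separate output filter may be
                   added, but not a second input filter. */
                filter {
                    input block-rogue-dhcp-server;
                }
            }
        }
    }
}
```

After committing, `show firewall filter block-rogue-dhcp-server` displays the rogue-dhcp-replies counter; a non-zero value on a port that should only carry clients is worth investigating. Because term order is first-match, the discard term must precede the accept-all term; swapping them would accept every packet before the DHCP check is evaluated.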
What Makes up a Firewall Filter
When you configure a firewall filter, you define the family address type (ethernet-switching, inet (for IPv4), inet6 (for IPv6), circuit cross-connect (CCC), or MPLS), the filtering criteria (one or more terms, each with its own match conditions), and the action to take if a match occurs.
Each term consists of the following:
- Match condition—Values that a packet must contain to be considered a match. You can specify values for most fields in the IP, TCP, UDP, or ICMP headers. You can also match on interface names. A term with no match conditions matches every packet that reaches it.
- Action—Action taken if a packet matches the term's match conditions. You can configure a firewall filter to accept, discard, or reject a matching packet and then perform more actions, such as counting, classifying, and policing. If a term specifies no action, a packet that matches the term is accepted.
How Firewall Filters are Processed
If there are multiple terms in a filter, the order of the terms is important. If a packet matches the first term, the switch takes the action defined by that term, and no other terms are evaluated. If the switch doesn't find a match between the packet and the first term, it compares the packet to the next term. If no match occurs between the packet and the second term, the system continues to compare the packet to each successive term in the filter until a match is found. If no terms are matched, the switch discards the packet by default. Because of this implicit final discard, a filter that is meant to block only specific traffic must end with a term that accepts everything else; otherwise it blocks all traffic on the interface, which on a loopback filter can lock you out of the switch.
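The following configuration is an added example, not from this Juniper page, that ties together the loopback (lo0) filter for Routing Engine protection described earlier and the first-match term processing described in this section. It permits SSH to the switch only from a management prefix, discards and counts SSH attempts from anywhere else, rate-limits ICMP with a policer, accepts OSPF, and ends with an explicit counted discard so that dropped host-bound traffic is visible in counters rather than silently hitting the implicit discard. The prefix 192.0.2.0/24 and all filter, term, policer, and counter names are assumptions for this example.

```junos
/* Added example: lo0 filter protecting the Routing Engine.
   Prefix, filter, term, policer and counter names are illustrative. */
policy-options {
    /* Hosts allowed to manage the switch (assumed documentation prefix). */
    prefix-list mgmt-hosts {
        192.0.2.0/24;
    }
}
firewall {
    /* Limit host-bound ICMP to 1 Mbps; excess is dropped by the policer. */
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re {
            /* Term 1 must precede the deny term: first match wins. */
            term allow-ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* Term 2: SSH from any other source is dropped and counted. */
            term deny-ssh-from-elsewhere {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-denied;
                    discard;
                }
            }
            /* Term 3: ICMP is accepted but policed, not blocked outright. */
            term police-icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Term 4: routing protocol traffic the switch must receive. */
            term allow-ospf {
                from {
                    protocol ospf;
                }
                then accept;
            }
            /* Term 5: make the implicit final discard explicit and
               counted, so unexpected host-bound traffic shows up in
               "show firewall filter protect-re". */
            term deny-and-count-the-rest {
                then {
                    count re-discards;
                    discard;
                }
            }
        }
    }
}
interfaces {
    /* Apply to lo0.0 in the master routing instance only, as the
       note above recommends for EX4600 and QFX5000 platforms. */
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
            }
        }
    }
}
```

Before committing a new lo0 filter, use `commit confirmed` (for example, `commit confirmed 5`); if the filter accidentally blocks your own management session, the configuration rolls back automatically when the confirmation is not received. Any protocol the switch must receive that is not listed (for example, BGP, NTP, DNS replies, or SNMP from the management hosts) needs its own accept term placed before the final counted discard.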
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
- 19.2R1: Starting with Junos OS Release 19.2R1, you can apply the interface, forwarding-class, and loss-priority match conditions in the egress direction on IPv4 and IPv6 interfaces.
- 18.2R1: Starting with Junos OS Release 18.2R1, you can apply ingress and egress firewall filters with count and discard as policer actions on Layer 2 circuit interfaces.