Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Configuring Interface-Specific Firewall Filter Counters

This example shows how to configure and apply an interface-specific standard stateless firewall filter.

Requirements

Interface-specific stateless firewall filters are supported on T Series, M120, M320, and MX Series routers only.

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you create an interface-specific stateless firewall filter that counts and accepts packets with source or destination addresses in a specified prefix and the IP protocol type field set to a specific value.

Topology

You configure the interface-specific stateless firewall filter filter_s_tcp to count and accept packets with IP source or destination addresses in the 10.0.0.0/12 prefix and the IP protocol type field set to tcp (or the numeric value 6).

The name of the firewall filter counter is count_s_tcp.

You apply the firewall filter to multiple logical interfaces:

  • at-1/1/1.0 input

  • so-2/2/2.2 output

Applying the filter to these two interfaces results in two instances of the filter: filter_s_tcp-at-1/1/1.0-i and filter_s_tcp-so-2/2/2.2-o, respectively.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configure the Interface-Specific Firewall Filter

Step-by-Step Procedure

To configure the interface-specific firewall filter:

  1. Create the IPv4 firewall filter filter_s_tcp.

  2. Enable interface-specific instances of the filter.

  3. Configure the match conditions for the term.

  4. Configure the actions for the term.

Apply the Interface-Specific Firewall Filter to Multiple Interfaces

Step-by-Step Procedure

To apply the filter filter_s_tcp to logical interfaces at-1/1/1.0 and so-2/2/2.2:

  1. Apply the interface-specific filter to packets received on logical interface at-1/1/1.0.

  2. Apply the interface-specific filter to packets transmitted from logical interface so-2/2/2.2.

Confirm Your Candidate Configuration

Step-by-Step Procedure

To confirm your candidate configuration:

  1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

  2. Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Clear the Counters and Commit Your Candidate Configuration

Step-by-Step Procedure

To clear the counters and commit your candidate configuration:

  1. From operational command mode, use the clear firewall all command to clear the statistics for all firewall filters.

    To clear only the counters used in this example, include the interface-specific filter instance names:

  2. Commit your candidate configuration.

Verification

Confirm that the configuration is working properly.

Verifying That the Filter Is Applied to Each of the Multiple Interfaces

Purpose

Verify that the filter is applied to each of the multiple interfaces.

Action

Run the show interfaces command with the detail or extensive output level.

  1. Verify that the filter is applied to the input for at-1/1/1.0:

  2. Verify that the filter is applied to the output for so-2/2/2.2:

Verifying That the Counters Are Collected Separately by Interface

Purpose

Make sure that the count_s_tcp counters are collected separately for the two logical interfaces.

Action

Run the show firewall command.