Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Example: Filtering Packets Received on an Interface Set

This example shows how to configure a standard stateless firewall filter to match packets tagged for a particular interface set.

Requirements

No special configuration beyond device initialization is required before configuring this example.

Overview

In this example, you apply a stateless firewall filter to the input of the router or switch loopback interface. The firewall filter includes a term that matches packets tagged for a particular interface set.

Topology

You create the firewall filter L2_filter to apply rate limits to the protocol-independent traffic received on the following interfaces:

  • fe-0/0/0.0

  • fe-1/0/0.0

  • fe-1/1/0.0

Note:

The interface type in this topic is just an example. The fe- interface type is not supported by EX Series switches.

First, for protocol-independent traffic received on fe-0/0/0.0, the firewall filter term t1 applies policer p1.

For protocol-independent traffic received on any other Fast Ethernet interfaces, firewall filter term t2 applies policer p2. To define an interface set that consists of all Fast Ethernet interfaces, you include the interface-set interface-set-name interface-name statement at the [edit firewall] hierarchy level. To define a packet-matching criteria based on the interface on which a packet arrives to a specified interface set, you configure a term that uses the interface-set firewall filter match condition.

Finally, for any other protocol-independent traffic, firewall filter term t3 applies policer p3.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Interfaces for Which the Stateless Firewall Filter Terms Take Rate-Limiting Actions

Step-by-Step Procedure

To configure the interfaces for which the stateless firewall filter terms take rate-limiting actions:

  1. Configure the logical interface whose input traffic will be matched by the first term of the firewall filter.

  2. Configure the logical interfaces whose input traffic will be matched by the second term of the firewall filter.

  3. If you are done configuring the device, commit the configuration.

Results

Confirm the configuration of the router (or switch) transit interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Configuring the Stateless Firewall Filter That Rate-Limits Protocol-Independent Traffic Based on the Interfaces on Which Packets Arrive

Step-by-Step Procedure

To configure the standard stateless firewall L2_filter that uses policers (p1, p2, and p3) to rate-limit protocol-independent traffic based on the interfaces on which the packets arrive:

  1. Configure the firewall statements.

  2. Configure the policer p1 to discard traffic that exceeds a traffic rate of 5m bps or a burst size of 10m bytes.

  3. Configure the policer p2 to discard traffic that exceeds a traffic rate of 40m bps or a burst size of 100m bytes .

  4. Configure the policer p3 to discard traffic that exceeds a traffic rate of 600m bps or a burst size of 1g bytes.

  5. Define the interface set ifset to be the group of all Fast Ethernet interfaces on the router.

  6. Create the stateless firewall filter L2_filter.

  7. Configure filter term t1 to match IPv4, IPv6, or MPLS packets received on interface fe-0/0/0.0 and use policer p1 to rate-limit that traffic.

  8. Configure filter term t2 to match packets received on interface-set ifset and use policer p2 to rate-limit that traffic.

  9. Configure filter term t3 to use policer p3 to rate-limit all other traffic.

  10. If you are done configuring the device, commit the configuration.

Results

Confirm the configuration of the stateless firewall filter and the policers referenced as firewall filter actions by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Applying the Stateless Firewall Filter to the Routing Engine Input Interface

Step-by-Step Procedure

To apply the stateless firewall filter to the Routing Engine input interface:

  1. Apply the stateless firewall filter to the Routing Engine interface in the input direction.

  2. If you are done configuring the device, commit the configuration.

Results

Confirm the application of the firewall filter to the Routing Engine input interface by entering the show interfaces command again. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.

Verification

To confirm that the configuration is working properly, use the show firewall filter L2_filter operational mode command to monitor traffic statistics about the firewall filter and three counters.