Configuring Firewall Filters (CLI Procedure)
You configure firewall filters on EX Series switches to control traffic that enters ports on the switch or enters and exits VLANs on the network and Layer 3 (routed) interfaces. To configure a firewall filter you must configure the filter and then apply it to a port, VLAN, or Layer 3 interface.
Configuring a Firewall Filter
Before you can apply a firewall filter to a port, VLAN, or Layer 3 interface, you must configure a firewall filter with the required details, such as type of family for the firewall filter, firewall filter name, and match conditions. A match condition in the firewall filter configuration can contain multiple terms that define the criteria for the match condition. For each term, you must specify an action to be performed if a packet matches the conditions in the term. For information on different match conditions and actions, see Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches.
To configure a firewall filter:
Configuring a Term Specifically for IPv4 or IPv6 Traffic
To configure a term in a firewall filter configuration specifically for IPv4 traffic:
To configure a term in a firewall filter configuration specifically for IPv6 traffic:
1. Perform one of these tasks:
   - Define ether-type ipv6 in a term in the configuration.
   - Define ip-version ipv6 in a term in the configuration.
   - Define both ether-type ipv6 and ip-version ipv4 in a term in the configuration.
   Note: By default, a configuration that does not contain either ether-type ipv6 or ip-version ipv6 in a term applies to IPv4 traffic.
2. Ensure that other match conditions in the term are valid for IPv6 traffic.
If the term contains either of the match conditions ether-type ipv6 or ip-version ipv6, with no other IPv6 match condition specified, all IPv6 traffic is matched.
To configure a firewall filter for both IPv4 and IPv6 traffic, you must include two separate terms, one for IPv4 traffic and the other for IPv6 traffic.
Applying a Firewall Filter to a Port on a Switch
You can apply a firewall filter to a port on a switch to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic.
To apply a firewall filter to a port to filter ingress or egress traffic:
To apply a firewall filter to a management interface, see Applying a Firewall Filter to a Management Interface on a Switch.
Applying a Firewall Filter to a Management Interface on a Switch
You can configure and apply a firewall filter to a management interface to control traffic that is entering or exiting the interface on a switch. You can use utilities such as SSH or Telnet to connect to the management interface over the network and then use management protocols such as SNMP to gather statistical data from the switch. Similar to configuring a firewall filter on other types of interfaces, you can configure a firewall filter on a management interface using any match condition, action, and action modifier specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches except for the following action modifiers:
loss-priority
forwarding-class
You can apply a firewall filter to the management Ethernet interface on any EX Series switch. You can also apply a firewall filter to the virtual management Ethernet (VME) interface on the EX4200 switch. For more information on the management Ethernet interface and the VME interface, see Interfaces Overview for Switches.
To apply a firewall filter on the management interface to filter ingress or egress traffic:
Applying a Firewall Filter to a VLAN on a Network
You can apply a firewall filter to a VLAN on a network to filter ingress or egress traffic on the network. To apply a firewall filter to a VLAN, specify the VLAN name and ID, and then apply the firewall filter to the VLAN. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic.
To apply a firewall filter to a VLAN:
Applying a Firewall Filter to a Layer 3 (Routed) Interface
You can apply a firewall filter to a Layer 3 (routed) interface to filter ingress or egress traffic on the switch. When you configure the firewall filter, you can specify any match condition, action, and action modifiers specified in Firewall Filter Match Conditions, Actions, and Action Modifiers for EX Series Switches. The action specified in the match condition indicates the action for the matched packets in the ingress or egress traffic.
To apply a firewall filter to a Layer 3 interface on a switch:
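The following Junos configuration is added here as a worked example and is not taken from the Juniper documentation. It pulls the procedures above together: a family ethernet-switching filter with one IPv4-only term and one IPv6-only term (the IPv6 term matches all IPv6 traffic because it carries no other IPv6 match condition), a family inet filter that uses only action modifiers permitted on a management interface (no loss-priority or forwarding-class), and the statements that apply them to a port, a VLAN, a Layer 3 interface, and the me0 management interface. Interface names, the VLAN name and ID, filter and counter names, and the 192.0.2.0/24 and 198.51.100.1/24 addresses are assumed placeholder values.

```junos
# Layer 2 filter: term 1 is IPv4-only (no ether-type/ip-version ipv6, so IPv4 by default)
set firewall family ethernet-switching filter L2-FILTER term deny-telnet-v4 from protocol tcp
set firewall family ethernet-switching filter L2-FILTER term deny-telnet-v4 from destination-port telnet
set firewall family ethernet-switching filter L2-FILTER term deny-telnet-v4 then count telnet-v4-dropped
set firewall family ethernet-switching filter L2-FILTER term deny-telnet-v4 then discard
# Term 2 is IPv6-only; with no other IPv6 match condition it matches all IPv6 traffic
set firewall family ethernet-switching filter L2-FILTER term count-all-v6 from ether-type ipv6
set firewall family ethernet-switching filter L2-FILTER term count-all-v6 then count ipv6-seen
set firewall family ethernet-switching filter L2-FILTER term count-all-v6 then accept
# Final term: everything else is accepted (an implicit discard applies without it)
set firewall family ethernet-switching filter L2-FILTER term allow-rest then accept

# Layer 3 filter: only count, log, accept and discard, so it is also valid on me0
set firewall family inet filter L3-FILTER term ssh-from-noc from source-address 192.0.2.0/24
set firewall family inet filter L3-FILTER term ssh-from-noc from protocol tcp
set firewall family inet filter L3-FILTER term ssh-from-noc from destination-port ssh
set firewall family inet filter L3-FILTER term ssh-from-noc then accept
set firewall family inet filter L3-FILTER term deny-other-ssh from protocol tcp
set firewall family inet filter L3-FILTER term deny-other-ssh from destination-port ssh
set firewall family inet filter L3-FILTER term deny-other-ssh then count ssh-rejected
set firewall family inet filter L3-FILTER term deny-other-ssh then log
set firewall family inet filter L3-FILTER term deny-other-ssh then discard
set firewall family inet filter L3-FILTER term allow-rest then accept

# Apply to a port (ingress direction)
set interfaces ge-0/0/0 unit 0 family ethernet-switching filter input L2-FILTER
# Apply to a VLAN: name and ID first, then the filter
set vlans employee-vlan vlan-id 100
set vlans employee-vlan filter input L2-FILTER
# Apply to a Layer 3 (routed) interface
set interfaces ge-0/0/1 unit 0 family inet address 198.51.100.1/24
set interfaces ge-0/0/1 unit 0 family inet filter input L3-FILTER
# Apply to the management Ethernet interface
set interfaces me0 unit 0 family inet filter input L3-FILTER
```

After commit, `show firewall` displays the counters named above, which is the quickest way to confirm the filter is attached and matching the expected traffic.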