Overview of Firewall Filter Profiles on ACX Series Routers (Junos OS Evolved)

Firewall Filter Profiles on ACX Series Routers (Junos OS Evolved)

Junos OS Evolved supports two predefined profiles for IPv6 firewall filters, profile-one and profile-two. Each profile supports a different subset of the IPv6 firewall filter match conditions, so the active profile determines which match conditions a filter can use. Profiles are applied to profile categories, which distinguish firewall filters by direction and interface type. The profile categories are ingress-inet6-user-acl and ingress-inet6-lo0-acl. From 24.4R1 onwards, a third category, egress-inet6-user-acl, is also available.

  • The ingress-inet6-user-acl profile category is for firewall filters with IPv6 match conditions (and actions) applied at ingress on a Layer 3 routed interface or a routing instance.

  • The ingress-inet6-lo0-acl profile category is for firewall filters with IPv6 match conditions (and actions) applied at ingress on loopback interfaces.

From 24.4R1 onwards:

  • The egress-inet6-user-acl profile category is for firewall filters with IPv6 match conditions (and actions) applied at egress on a Layer 3 routed interface.

You can apply a profile to the profile categories together or to a single category.

  • For the ingress-inet6-user-acl and ingress-inet6-lo0-acl profile categories, you can use the following configuration statement to set profile-one or profile-two for both profile categories at once. At any point in time, only one profile is applied to both profile categories.

  • From 24.4R1 onwards, to apply profile-one or profile-two to only the ingress-inet6-lo0-acl profile category, use the following configuration statement.

  • From 24.4R1 onwards, to apply profile-one or profile-two to only the egress-inet6-user-acl profile category, use the following configuration statement.

Note:
  • By default, profile-two is active for all profile categories.

  • When the configured profile differs from the profile in effect, the Packet Forwarding Engine (PFE) is restarted automatically so that the new configuration takes effect. Expect forwarding through the PFE to be interrupted while it restarts, so change profiles during a maintenance window rather than as an ad hoc fix.

  • Before 24.4R1:

    • show evo-pfemand filter profile-summary displays the profile currently in use.

    • show evo-pfemand filter profile-info displays profile information for all profiles.

    • show evo-pfemand filter hw summary displays the profile in effect on even older releases (before 23.1R1).

    From 24.4R1 onwards:

    • show system packet-forwarding-options firewall-profile profile-summary displays the profile in effect for all profile categories.

    • show system packet-forwarding-options firewall-profile profile-info displays profile information for all profiles in all profile categories.

  • Configurations for all profile categories can coexist.

The following tables list the firewall filter match conditions whose support differs between the two profiles. Match conditions and actions that both profiles support are not listed. "Up to 64 bits" means the profile can match only the first 64 bits of the address, so a /128 host match requires profile-one, whereas hop-limit, traffic-class and the TCP flag matches require profile-two; a filter that needs both cannot be programmed under either profile and must be split or rewritten.

Table 1: Ingress/Egress IPv6 Firewall Filters Match Conditions

  Firewall filter match condition           Profile Two   Profile One
  source-address (up to 64 bits)            Yes           Yes
  source-prefix-list (up to 64 bits)        Yes           Yes
  prefix-list (up to 64 bits)               Yes           Yes
  source-address (up to 128 bits)           No            Yes
  source-prefix-list (up to 128 bits)       No            Yes
  prefix-list (up to 128 bits)              No            Yes
  hop-limit                                 Yes           No
  tcp-established                           Yes           No
  tcp-flags                                 Yes           No
  tcp-initial                               Yes           No
  traffic-class                             Yes           No

Table 2: Ingress Loopback (lo0) Firewall Filters Match Conditions

  Firewall filter match condition           Profile Two   Profile One
  destination-address (up to 64 bits)       Yes           Yes
  destination-prefix-list (up to 64 bits)   Yes           Yes
  prefix-list (up to 64 bits)               Yes           Yes
  destination-address (up to 128 bits)      No            Yes
  destination-prefix-list (up to 128 bits)  No            Yes
  prefix-list (up to 128 bits)              No            Yes
  hop-limit                                 Yes           No
  tcp-established                           Yes           No
  tcp-flags                                 Yes           No
  tcp-initial                               Yes           No
  traffic-class                             Yes           No

Table 3: Supported Bindpoints

  Bindpoint                                           Profile Two (Ingress)   Profile Two (Ingress Loopback)   Profile One (Ingress)   Profile One (Ingress Loopback)
  Forwarding Table Filter (FTF)                       Yes                     NA                               No                      NA
  BGP Flow-spec Filter                                Yes                     NA                               No                      NA
  Non-default routing instance (lo0.1, lo0.2, etc.)   NA                      Yes                              NA                      No