Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Configuring Filters to Permit Expected Traffic

You must explicitly configure your firewall filter to permit expected traffic, such as DHCP traffic, to pass. Otherwise, the expected traffic is denied when the filter is applied to the interface. This requirement applies to both classic and fast update filters.

The following example shows a fast update filter that might be used to accept DHCP traffic. The actual filter you use depends on the expected traffic in your network.

In the example, the term allow-dhcp accepts all DHCP traffic from all source addresses. The term also includes the only-at-create option to specify that the term is applied only when the filter is first applied. The term sub-allow-dhcp includes the Junos OS predefined variable $junos-subscriber-ip-address, which permits all subscriber-specific DHCP traffic.

The match-order statement configuration lists the conditions from most-specific to least-specific, as recommended in Configuring the Match Order for Fast Update Filters. Because this filter is designed to permit ingress DHCP traffic, the source-address condition is listed first.