Firewall Filters and Profiles

Learn about firewall filters and profiles on the ACX7000 family of routers. The ACX7000 family of routers includes ACX7020, ACX7024, ACX7024X, ACX7100, ACX7332, ACX7348, and ACX7509 routers.

The ACX7000 family of routers supports two predefined profiles for ingress IPv6 firewall filters, profile-one and profile-two. Each profile supports a different subset of IPv6 firewall filter match conditions, so the profile you select limits which match conditions the filters in that category can use. The profiles are associated with profile categories. You can apply profile-one or profile-two either to all profile categories combined or to each profile category separately. The profile categories, listed below, distinguish firewall filters by direction and interface type.

  • ingress-inet6-user-acl—For firewall filters applied at the ingress on the Layer 3 routed interface or on a routing instance.

  • ingress-inet6-lo0-acl—For firewall filters applied at the ingress on loopback interfaces.

  • egress-inet6-user-acl—For firewall filters applied at the egress on the Layer 3 routed interface.

Ingress and Egress IPv6 Firewall Filter Match Conditions

Support for firewall filter match conditions varies between the two profiles as shown in the following tables. Match conditions that both profiles support equally are not listed; the 64-bit address entries appear only to contrast with the 128-bit entries. Note that no single profile supports both address matches longer than 64 bits and the hop-limit, tcp-established, tcp-flags, tcp-initial, or traffic-class conditions, so a filter that needs a /128 host match together with a TCP-flag match cannot be carried by either profile in the same profile category.

Table 1: Ingress and Egress IPv6 Firewall Filter Match Conditions (ingress-inet6-user-acl and egress-inet6-user-acl categories)

Firewall Filter Match Condition      | Profile Two | Profile One
-------------------------------------|-------------|------------
source-address (up to 64 bits)       | Yes         | Yes
source-prefix-list (up to 64 bits)   | Yes         | Yes
prefix-list (up to 64 bits)          | Yes         | Yes
source-address (up to 128 bits)      | No          | Yes
source-prefix-list (up to 128 bits)  | No          | Yes
prefix-list (up to 128 bits)         | No          | Yes
hop-limit                            | Yes         | No
tcp-established                      | Yes         | No
tcp-flags                            | Yes         | No
tcp-initial                          | Yes         | No
traffic-class                        | Yes         | No

Table 2: Ingress Loopback (lo0) IPv6 Firewall Filter Match Conditions (ingress-inet6-lo0-acl category)

Firewall Filter Match Condition           | Profile Two | Profile One
------------------------------------------|-------------|------------
destination-address (up to 64 bits)       | Yes         | Yes
destination-prefix-list (up to 64 bits)   | Yes         | Yes
prefix-list (up to 64 bits)               | Yes         | Yes
destination-address (up to 128 bits)      | No          | Yes
destination-prefix-list (up to 128 bits)  | No          | Yes
prefix-list (up to 128 bits)              | No          | Yes
hop-limit                                 | Yes         | No
tcp-established                           | Yes         | No
tcp-flags                                 | Yes         | No
tcp-initial                               | Yes         | No
traffic-class                             | Yes         | No

Table 3: Supported Bindpoints

Bindpoint                                                             | Profile Two (Ingress) | Profile Two (Ingress Loopback) | Profile One (Ingress) | Profile One (Ingress Loopback)
----------------------------------------------------------------------|-----------------------|--------------------------------|-----------------------|-------------------------------
Forwarding table filter (FTF)                                         | Yes                   | NA                             | No                    | NA
BGP flow-spec filter                                                  | Yes                   | NA                             | No                    | NA
Non-default routing-instance (lo0.1, lo0.2, and other logical units)  | NA                    | Yes                            | NA                    | No

NA means the bindpoint does not apply to that profile category. Forwarding table filters and BGP flow-spec filters are supported only under profile-two, as are loopback filters on non-default routing-instance units.

For more information, see Overview of Firewall Filter Profiles on ACX Series Routers (Junos OS Evolved).

Define and Apply Firewall Filters

Firewall filters on the ACX7000 family of routers control packet filtering and actions based on match conditions specific to traffic types such as IPv4, IPv6, or bridge family.

Configure firewall filters under the [edit firewall family family-name] hierarchy level, where family-name is inet (IPv4), inet6 (IPv6), ethernet-switching (Layer 2), or other protocol families such as ccc (circuit cross-connect).

Define Firewall Filters

Define a firewall filter with terms containing from (match conditions) and then (actions) statements.

Match conditions include source or destination IP address, ports, MAC addresses, prefix-lists, among others. For example, match conditions for bridge family include destination-mac-address, destination-port, and source-prefix-list. Actions include accept, discard, count (counters), sample (for monitoring), or apply policers.

For more information, see Firewall Filter Match Conditions and Actions in ACX Series Routers (Junos OS Evolved).

Apply Firewall Filters

Apply firewall filters under the [edit interfaces interface-name unit logical-unit family family-name] hierarchy level.

For VLANs, apply the firewall filters to the VLAN under the [edit vlans vlan-name filter input filter-name] hierarchy level.

Apply Firewall Filter Profiles

The ACX7000 family of routers supports two predefined profiles, profile-one and profile-two, for ingress IPv6 firewall filters. The selected profile limits the match conditions (and, under profile-one, the bindpoints) available to the filters in a profile category, so choose the profile according to what the filters bound to that category need: profile-one for address matches longer than 64 bits, profile-two for the hop-limit, tcp-established, tcp-flags, tcp-initial, and traffic-class conditions and for forwarding table, BGP flow-spec, and non-default routing-instance loopback bindpoints. Apply a profile either to all profile categories combined or to the ingress-inet6-user-acl, ingress-inet6-lo0-acl, and egress-inet6-user-acl categories separately. The profile configuration statements are described in Overview of Firewall Filter Profiles on ACX Series Routers (Junos OS Evolved).
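The following Python script is an added example and is not part of this page or of Junos OS Evolved. It serves both the filter definition and application steps above and the profile tables: it reads Junos set-style configuration, binds each inet6 filter to a profile category from where it is applied (a routed interface, lo0, or a forwarding table filter), and decides from Tables 1 through 3 whether profile-one, profile-two, either, or neither can carry the filters in that category, so a mismatch is caught before commit. The sample configuration is constructed for the example; the regular expressions cover only the set-command forms shown; treating any lo0 unit other than 0 as a non-default routing-instance unit is a simplification; and the profile statement it renders under [edit system packet-forwarding-options firewall-profile] is an assumption that you should confirm against the Overview page referenced above.

```python
import re
from collections import defaultdict

# Conditions that only profile-two supports (Tables 1 and 2 above).
PROFILE_TWO_ONLY = {"hop-limit", "tcp-established", "tcp-flags",
                    "tcp-initial", "traffic-class"}
# Address conditions per profile category: both profiles match prefixes up to
# 64 bits, anything longer needs profile-one (Table 1 for user-acl, Table 2 for lo0).
USER_ACL_ADDR = {"source-address", "source-prefix-list", "prefix-list"}
WIDTH_LIMITED = {"ingress-inet6-user-acl": USER_ACL_ADDR, "egress-inet6-user-acl": USER_ACL_ADDR,
                 "ingress-inet6-lo0-acl": {"destination-address", "destination-prefix-list", "prefix-list"}}
TERM_RE = re.compile(r"^set firewall family inet6 filter (\S+) term \S+ from (\S+)(?: (\S+))?$")
PL_RE = re.compile(r"^set policy-options prefix-list (\S+) (\S+)$")
IFACE_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family inet6 filter (input|output) (\S+)$")
FTF_RE = re.compile(r"^set (?:routing-instances \S+ )?forwarding-options family inet6 filter input (\S+)$")


def prefix_len(prefix):
    """Prefix length of 'addr/len'; a bare address is a /128 host match."""
    return int(prefix.split("/")[1]) if "/" in prefix else 128


def parse(config):
    """Collect filter terms, prefix lists and bindings as (filter, category, bindpoint note)."""
    terms, prefix_lists, bindings = defaultdict(list), defaultdict(list), []
    for line in config.strip().splitlines():
        if m := TERM_RE.match(line):
            terms[m[1]].append((m[2], m[3]))
        elif m := PL_RE.match(line):
            prefix_lists[m[1]].append(m[2])
        elif m := IFACE_RE.match(line):
            ifname, unit, direction, flt = m.groups()
            if direction == "output":
                bindings.append((flt, "egress-inet6-user-acl", None))
            elif ifname.startswith("lo0"):
                # Table 3: lo0 on a non-default routing-instance unit is profile-two only.
                # Assumption for this example: any lo0 unit other than 0 is such a unit.
                bindings.append((flt, "ingress-inet6-lo0-acl",
                                 "non-default lo0 unit" if unit != "0" else None))
            else:
                bindings.append((flt, "ingress-inet6-user-acl", None))
        elif m := FTF_RE.match(line):
            # Table 3: a forwarding table filter is supported only under profile-two.
            bindings.append((m[1], "ingress-inet6-user-acl", "forwarding table filter"))
    return terms, prefix_lists, bindings


def needs_of(conds, category, prefix_lists, bindpoint):
    """Profiles one binding requires, each mapped to the reason it is needed."""
    needs = {"profile-two": bindpoint} if bindpoint else {}
    for cond, value in conds:
        if cond in PROFILE_TWO_ONLY:
            needs.setdefault("profile-two", cond)
        elif cond in WIDTH_LIMITED[category]:
            prefixes = prefix_lists[value] if cond.endswith("prefix-list") else [value]
            if any(prefix_len(p) > 64 for p in prefixes):
                needs.setdefault("profile-one", f"{cond} {value} is wider than 64 bits")
    return needs


def check(config):
    """Per category: the profile to configure, 'either', or 'CONFLICT', plus per-filter reasons."""
    terms, prefix_lists, bindings = parse(config)
    per_category = defaultdict(dict)
    for flt, category, bindpoint in bindings:
        per_category[category][flt] = needs_of(terms[flt], category, prefix_lists, bindpoint)
    report = {}
    for category, filters in per_category.items():
        wanted = {p for needs in filters.values() for p in needs}
        verdict = "CONFLICT" if len(wanted) == 2 else (wanted.pop() if wanted else "either")
        report[category] = (verdict, filters)
    return report


def profile_statements(report):
    """One profile statement per deployable category. The hierarchy used here is an
    assumption of this example; confirm it against the Overview page referenced above."""
    return sorted(f"set system packet-forwarding-options firewall-profile {cat} {verdict}"
                  for cat, (verdict, _) in report.items()
                  if verdict in ("profile-one", "profile-two"))


# Constructed sample: a protect-RE filter on lo0 and an ingress filter on a routed port.
SAMPLE_CONFIG = """
set policy-options prefix-list mgmt-hosts 2001:db8:100::10/128
set policy-options prefix-list mgmt-hosts 2001:db8:100::11/128
set firewall family inet6 filter protect-re term ssh from prefix-list mgmt-hosts
set firewall family inet6 filter protect-re term ssh from destination-port 22
set firewall family inet6 filter protect-re term ssh then accept
set firewall family inet6 filter protect-re term bgp from tcp-established
set firewall family inet6 filter protect-re term bgp then accept
set firewall family inet6 filter protect-re term deny then discard
set firewall family inet6 filter edge-in term customer from source-address 2001:db8:a::/48
set firewall family inet6 filter edge-in term customer from hop-limit 255
set firewall family inet6 filter edge-in term customer then accept
set interfaces lo0 unit 0 family inet6 filter input protect-re
set interfaces et-0/0/1 unit 0 family inet6 filter input edge-in
"""

if __name__ == "__main__":
    for category, (verdict, filters) in check(SAMPLE_CONFIG).items():
        print(f"{category}: {verdict}  {filters}")
    print("\n".join(profile_statements(check(SAMPLE_CONFIG))))
```

On the sample, the lo0 category comes back as CONFLICT: the protect-re filter needs profile-one for the /128 entries in mgmt-hosts and profile-two for tcp-established, which no single profile supports, so one of the two terms has to be rewritten (for example, widen the management prefix to a /64 covering the hosts, or drop the TCP-state match) before a profile can be set for that category. The user-acl category resolves to profile-two because of hop-limit, and only that category gets a rendered statement.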

For more information on firewall filters, see Routing Policies, Firewall Filters, and Traffic Policers User Guide.