Flexible Match Firewall Filters

This topic briefly describes the flexible match firewall filter feature and its configuration on the QFX5230-64CD and QFX5240 Switches.

Overview

Note: This feature is applicable to the QFX5230-64CD and QFX5240 switches only.

You can use firewall filters on QFX Series Switches to control the network traffic on the basis of configured filtering criteria. These criteria include port number, source MAC address, destination MAC address, VLAN ID, EtherType, enabling or disabling any protocol, source IP address (in case of L3-aware mode), and so on. For more information about the firewall filters, see Overview of Firewall Filters for QFX Series Switches.

In addition to default firewall filters, the QFX5230-64CD and QFX5240 switches can filter data packets on the basis of specified packet fields. For example, users can define filters such as from which layer to start filtering, the number of bytes to offset, or identifying a field with a value of 1000. When a data packet matches the defined filters, users can choose to accept or reject it on the basis of its relevance or potential risk to the network.

Configure Ingress Firewall Filter

To configure an ingress firewall filter for Layer 2 – Ethernet-Switching family:

Configure Egress Firewall Filter

To configure an egress firewall filter on Layer 3 – INET family:

Verify Firewall Filter Configuration

To verify the firewall filter configuration:

References

For more information about firewall filters, see Firewall Filters Overview.
For more information about how to configure firewall filters, see Configuring Firewall Filters.
For information about the guidelines to configure firewall filters, see Guidelines for Configuring Firewall Filters.