
Firewall Filter Match Conditions and Actions (ACX Series Routers)

On ACX Series Universal Metro Routers, you can configure firewall filters to filter packets and to perform an action on packets that match the filter. The match conditions specified to filter the packets are specific to the type of traffic being filtered.

Firewall filters with IPv6 match conditions are not supported at the [edit firewall family inet6 filter filter-name] hierarchy level on ACX6360-OR routers in Junos OS Release 19.1R1.

Note:

On ACX Series routers, the filter for the exiting traffic (egress filter) can be applied only for interface-specific instances of the firewall filter.

On ACX Series routers, TCAM errors are seen when you modify a prefix or a term on the applied firewall filters. To modify a prefix or a term in the firewall filter, you need to remove the existing firewall filter and then apply the modified filter.

Note:

On ACX Series routers, you cannot apply a firewall filter in the egress direction on IRB interfaces.

Overview of Firewall Filter Match Conditions and Actions on ACX Series Routers

Table 1 describes the types of traffic for which you can configure standard stateless firewall filters.

Table 1: Standard Firewall Filter Match Conditions by Protocol Family for ACX Series Routers

Traffic Type

Hierarchy Level at Which Match Conditions Are Specified

Protocol-independent

[edit firewall family any filter filter-name term term-name]

No match conditions are supported for this traffic type on ACX Series routers.

IPv4

[edit firewall family inet filter filter-name term term-name]

For the complete list of match conditions, see Match Conditions for IPv4 Traffic (ACX Series Routers).

MPLS

[edit firewall family mpls filter filter-name term term-name]

For the complete list of match conditions, see Match Conditions for MPLS Traffic (ACX Series Routers).

Layer 2 CCC

[edit firewall family ccc filter filter-name term term-name]

No match conditions are supported for this traffic type on ACX Series routers.

Bridge

[edit firewall family bridge filter filter-name term term-name]

[edit firewall family ethernet-switching filter filter-name term term-name] (Applicable to ACX5048 and ACX5096 routers only.)

On ACX5448 routers, the following ingress family filters can be scaled based on the availability of external TCAM:

  • family ethernet-switching

  • family ccc

  • family inet

  • family inet6

  • family mpls

  • family vpls

Under the then statement for a standard stateless firewall filter term, you can specify the actions to be taken on a packet that matches the term.

Table 2 summarizes the types of actions you can specify in a standard stateless firewall filter term.

Table 2: Standard Firewall Filter Action Categories for ACX Series Routers

Type of Action

Description

Comment

Terminating

Halts all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are used to examine the packet.

You can specify only one terminating action in a standard firewall filter. You can, however, specify one terminating action with one or more nonterminating actions in a single term. For example, within a term, you can specify accept with count and syslog.

See Terminating Actions (ACX Series Routers).

Nonterminating

Performs other functions on a packet (such as incrementing a counter, logging information about the packet header, sampling the packet data, or sending information to a remote host using the system log functionality), but any additional terms are still used to examine the packet.

See Nonterminating Actions (ACX Series Routers).

Match Conditions for Bridge Family Firewall Filters (ACX Series Routers)

Bridge Family Firewall Filters on ACX Series Routers

Bridge family firewall filters can be configured at the IFL-family level on ACX Series routers. Bridge family filters match Layer 2 bridged flows on the supported Layer 2 and Layer 3 fields and take a firewall action. The maximum number of terms supported for bridge firewall filters on ACX Series routers is 124.

Note:

On ACX5448 and ACX7000 series routers, you need to apply the layer 2 firewall filters only on the layer 2 switched packets, even if the bridge domain has IRB attached to the bridge domain. If the packet is layer 3 forwarded, then layer 3 filters must be applied on the IRB.

Note:

On ACX Series routers, you cannot apply a firewall filter in the egress direction on IRB interfaces.

Table 3 shows the match conditions supported for bridge family filters.

Table 3: Bridge Family Firewall Filter Match Conditions for ACX Series Routers

Match Condition

Description

apply-groups

Set the groups from which to inherit configuration data

apply-groups-except

Set the groups from which not to inherit configuration data

destination-mac-address

Match the destination MAC address

destination-port

Match the TCP/UDP destination port

destination-prefix-list

Match IP destination prefixes in named list.

dscp

Match the Differentiated Services (DiffServ) code point

ether-type

Match the Ethernet type

icmp-code

Match an ICMP message code

icmp-type

Match an ICMP message type

interface-group

Match an interface group

ip-destination-address

Match an IP destination address

ip-precedence

Match an IP precedence value

ip-protocol

Match an IP protocol type

ip-source-address

Match an IP source address

learn-vlan-1p-priority

Match the learned 802.1p VLAN Priority

learn-vlan-dei

Match user VLAN ID DEI bit

learn-vlan-id

Match a learned VLAN ID

source-mac-address

Match the source MAC address

source-prefix-list

Match IP source prefixes in named list.

source-port

Match a TCP/UDP source port

user-vlan-1p-priority

Match user 802.1p VLAN Priority

user-vlan-id

Match a user VLAN ID

vlan-ether-type

Match a VLAN Ethernet type

Table 4 shows the action fields supported.

Table 4: Bridge Family Firewall Filter Action Fields for ACX Series Routers

Action Field

Description

accept

Accept the packet

count

Count the packet in the named counter

discard

Discard the packet

forwarding-class

Classify packet to forwarding class

loss-priority

Set the packet loss priority

log

Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI).

policer

Name of policer to use to rate-limit traffic

syslog

Log the packet to the system log file.

three-color-policer

Police the packet using a three-color policer

Note:

Bridge family firewall filters can be applied as an output filter on Layer 2 interfaces. When the Layer 2 interface is on a bridge-domain configured with the vlan-id statement, ACX series routers can match the outer-vlan of the packet using the user vlan-id match specified in the bridge family firewall filter.
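As an added example (not a configuration from this page or from Juniper), the following applies a bridge family filter in the output direction on a Layer 2 trunk interface and matches the outer VLAN tag with user-vlan-id, as the note above describes. Because ACX egress filters must be interface-specific (see the note at the top of this page), interface-specific is set; the interface name, bridge domain, VLAN number and counter names are constructed, and the family bridge trunk syntax is assumed to apply to the ACX model in use (ACX5048 and ACX5096 use family ethernet-switching instead).

```junos
firewall {
    family bridge {
        filter l2-egress-vlan100 {
            /* Egress filters on ACX are supported only as interface-specific instances. */
            interface-specific;
            /* user-vlan-id matches the outer VLAN tag of frames leaving the trunk;
               ether-type narrows the term to IPv4 frames on that VLAN. */
            term ipv4-on-vlan100 {
                from {
                    user-vlan-id 100;
                    ether-type ipv4;
                }
                then {
                    count vlan100-ipv4-out;
                    accept;
                }
            }
            /* Any other tagged frame on VLAN 100 is still forwarded, but counted separately. */
            term other-on-vlan100 {
                from {
                    user-vlan-id 100;
                }
                then {
                    count vlan100-other-out;
                    accept;
                }
            }
            /* No other VLAN belongs on this trunk: count and silently drop it. */
            term default-discard {
                then {
                    count unexpected-out;
                    discard;
                }
            }
        }
    }
}
bridge-domains {
    bd100 {
        vlan-id 100;
        interface ge-0/0/1.0;
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family bridge {
                interface-mode trunk;
                vlan-id-list 100;
                filter {
                    output l2-egress-vlan100;
                }
            }
        }
    }
}
```

The per-term counters are interface-specific, so show firewall reports them with the interface name appended to the filter name. Changing a term after the filter is applied triggers the TCAM error noted at the top of this page, so remove the filter from the interface before modifying it.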

Match Conditions for CCC Firewall Family Filters (ACX Series Routers)

Match Conditions for CCC Family Firewall Filters

On ACX Series routers, you can configure a standard firewall filter with match conditions for circuit cross-connection (CCC) traffic (family ccc).

Table 5 describes the match conditions you can configure at the [edit firewall family ccc filter filter-name term term-name] hierarchy level.

Table 5: CCC Family Firewall Filter Match Conditions for ACX Series Routers

Field

Description

destination-mac-address

Destination MAC address

destination-port

Matches TCP/UDP destination port

dscp

Matches differentiated services (DiffServ) code point

icmp-code

Matches ICMP message code

icmp-type

Matches ICMP message type

ip-destination-address

Matches destination IP address

ip-precedence

Matches IP precedence value

ip-protocol

Matches IP protocol type

ip-source-address

Matches source IP address

learn-vlan-1p-priority

Matches learned 802.1p VLAN priority

source-mac-address

Source MAC address

source-port

Matches TCP/UDP source port

user-vlan-1p-priority

Matches user 802.1p VLAN priority

Match Conditions for IPv4 Traffic (ACX Series Routers)

On ACX Series routers, you can configure a standard stateless firewall filter with match conditions for IP version 4 (IPv4) traffic (family inet). Table 6 describes the match conditions you can configure at the [edit firewall family inet filter filter-name term term-name from] hierarchy level.

Table 6: Firewall Filter Match Conditions for IPv4 Traffic on ACX Series Routers

Match Condition

Description

destination-address address

Match the IPv4 destination address field.

Note:

On ACX Series routers, you can specify only one destination address. A list of IPv4 destination addresses is not supported.

destination-port number

Match the UDP or TCP destination port field.

If you configure this match condition, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-prefix-list

Match IP destination prefixes in named list.

dscp number

Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

    • af11 (10), af12 (12), af13 (14)

    • af21 (18), af22 (20), af23 (22)

    • af31 (26), af32 (28), af33 (30)

    • af41 (34), af42 (36), af43 (38)

fragment-flags number

(Ingress only) Match the three-bit IP fragmentation flags field in the IP header.

In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).

icmp-code number

Match the ICMP message code field.

If you configure this match condition, we recommend that you also configure the protocol icmp match condition in the same term.

If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip-header-bad (0), required-option-missing (1)

  • redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

icmp-type number

Match the ICMP message type field.

If you configure this match condition, we recommend that you also configure the protocol icmp match condition in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

ip-options values

Match the 8-bit IP option field, if present, to the specified value.

ACX Series routers support only the ip-options any match condition, which ensures that the packets are sent to the Packet Forwarding Engine for processing.

Note:

On ACX Series routers, you can specify only one IP option value. Configuring multiple values is not supported.

precedence ip-precedence-field

Match the IP precedence field.

In place of the numeric field value, you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0), flash (0x60), flash-override (0x80), immediate (0x40), internet-control (0xc0), net-control (0xe0), priority (0x20), or routine (0x00). You can specify precedence in hexadecimal, binary, or decimal form.

protocol number

Match the IP protocol type field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), no-next-header, ospf (89), pim (103), routing, rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

source-address address

Match the IPv4 address of the source node sending the packet.

source-port number

Match the UDP or TCP source port field.

If you configure this match condition for IPv4 traffic, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

source-prefix-list

Match IP source prefixes in named list.

tcp-flags value

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

For combined bit-field match conditions, see the tcp-initial match conditions.

If you configure this match condition, we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port.

tcp-initial

Match the initial packet of a TCP connection. This is an alias for tcp-flags "(!ack & syn)".

This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the protocol tcp match condition in the same term.

ttl number

Match the IPv4 time-to-live number. Specify a TTL value or a range of TTL values. For number, you can specify one or more values from 2 through 255.
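As an added example (not a sample from this page or from Juniper), the following ingress IPv4 filter on the loopback interface combines match conditions and actions from the tables above: protocol tcp paired with the destination-port text synonyms, tcp-initial, the icmp-type synonyms, and the accept-with-count-and-syslog combination that Table 2 describes. The prefix-list names and addresses, counter and policer names, and the 1 Mbps policer rate are constructed for the example; the lo0 placement assumes the filter is meant to protect the Routing Engine.

```junos
policy-options {
    /* Constructed prefix lists; replace with the real peer and management ranges. */
    prefix-list bgp-peers-v4 {
        192.0.2.0/24;
    }
    prefix-list mgmt-hosts-v4 {
        198.51.100.0/26;
    }
}
firewall {
    /* Policer referenced by the ICMP term; the rate and burst are example values. */
    policer icmp-1m {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
    family inet {
        filter protect-re-v4 {
            /* BGP only from the listed peers. protocol tcp is paired with the
               port match, as the destination-port row of Table 6 recommends. */
            term bgp-from-peers {
                from {
                    source-prefix-list {
                        bgp-peers-v4;
                    }
                    protocol tcp;
                    destination-port bgp;
                }
                then {
                    count bgp-in;
                    accept;
                }
            }
            /* Management SSH: one terminating action (accept) combined with the
               nonterminating count and syslog actions, as Table 2 describes. */
            term ssh-from-mgmt {
                from {
                    source-prefix-list {
                        mgmt-hosts-v4;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-in;
                    syslog;
                    accept;
                }
            }
            /* Record SSH connection attempts from anywhere else. tcp-initial does
               not check the protocol by itself, so protocol tcp is kept. */
            term ssh-unexpected-syn {
                from {
                    protocol tcp;
                    destination-port ssh;
                    tcp-initial;
                }
                then {
                    count ssh-syn-dropped;
                    syslog;
                    discard;
                }
            }
            /* Rate-limited ICMP, using the icmp-type text synonyms from Table 6. */
            term icmp-limited {
                from {
                    protocol icmp;
                    icmp-type [ echo-request echo-reply unreachable time-exceeded ];
                }
                then {
                    policer icmp-1m;
                    count icmp-in;
                    accept;
                }
            }
            /* Everything else is counted and silently dropped. */
            term default-discard {
                then {
                    count other-in;
                    discard;
                }
            }
        }
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re-v4;
                }
            }
        }
    }
}
```

Counter values can be checked with show firewall filter protect-re-v4, and the headers recorded by a log action with show firewall log as the page notes. Because of the TCAM limitation described at the top of this page, change a term or prefix by removing the applied filter and re-applying the modified copy rather than editing it in place.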

Match Conditions for IPv6 Traffic (ACX Series Routers)

You can configure a firewall filter with match conditions for Internet Protocol version 6 (IPv6) traffic (family inet6). Table 7 describes the match conditions you can configure at the [edit firewall family inet6 filter filter-name term term-name from] hierarchy level.

Table 7: Firewall Filter Match Conditions for IPv6 Traffic

Match Condition

Description

destination-address address

Match the IPv6 destination address field.

destination-port number

Match the UDP or TCP destination port field.

You cannot specify both the port and destination-port match conditions in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-prefix-list

Match IP destination prefixes in named list.

extension-headers header-type

Match an extension header type that is contained in the packet by identifying a Next Header value.

In the first fragment of a packet, the filter searches for a match in any of the extension header types. When a packet with a fragment header is found (a subsequent fragment), the filter only searches for a match of the next extension header type because the location of other extension headers is unpredictable.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), destination (60), esp (50), fragment (44), hop-by-hop (0), mobility (135), or routing (43).

To match any value for the extension header option, use the text synonym any.

Note:

Only the first extension header of the IPv6 packet can be matched. The Layer 4 header that follows a single IPv6 extension header is matched.

hop-limit hop-limit

Match the hop limit to the specified hop limit or set of hop limits. For hop-limit, specify a single value or a range of values from 0 through 255.

icmp-code message-code

Match the ICMP message code field.

If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:

  • parameter-problem: ip6-header-bad (0), unrecognized-next-header (1), unrecognized-option (2)

  • time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)

  • destination-unreachable: administratively-prohibited (1), address-unreachable (3), no-route-to-destination (0), port-unreachable (4)

icmp-type message-type

Match the ICMP message type field.

If you configure this match condition, we recommend that you also configure the next-header icmp or next-header icmp6 match condition in the same term.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): certificate-path-advertisement (149), certificate-path-solicitation (148), destination-unreachable (1), echo-reply (129), echo-request (128), home-agent-address-discovery-reply (145), home-agent-address-discovery-request (144), inverse-neighbor-discovery-advertisement (142), inverse-neighbor-discovery-solicitation (141), membership-query (130), membership-report (131), membership-termination (132), mobile-prefix-advertisement-reply (147), mobile-prefix-solicitation (146), neighbor-advertisement (136), neighbor-solicit (135), node-information-reply (140), node-information-request (139), packet-too-big (2), parameter-problem (4), private-experimentation-100 (100), private-experimentation-101 (101), private-experimentation-200 (200), private-experimentation-201 (201), redirect (137), router-advertisement (134), router-renumbering (138), router-solicit (133), or time-exceeded (3).

For private-experimentation-201 (201), you can also specify a range of values within square brackets.

next-header header-type

Match the first 8-bit Next Header field in the packet. Support for the next-header firewall match condition is available in Junos OS Release 13.3R6 and later.

For IPv6, we recommend that you use the payload-protocol term rather than the next-header term when configuring a firewall filter with match conditions. Although either can be used, payload-protocol provides the more reliable match condition because it uses the actual payload protocol to find a match, whereas next-header simply takes whatever appears in the first header following the IPv6 header, which may or may not be the actual protocol. In addition, if next-header is used with IPv6, the accelerated filter block lookup process is bypassed and the standard filter used instead.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah (51), dstopts (60), egp (8), esp (50), fragment (44), gre (47), hop-by-hop (0), icmp (1), icmp6 (58), icmpv6 (58), igmp (2), ipip (4), ipv6 (41), mobility (135), no-next-header (59), ospf (89), pim (103), routing (43), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).

Note:

next-header icmp6 and next-header icmpv6 match conditions perform the same function. next-header icmp6 is the preferred option. next-header icmpv6 is hidden in the Junos OS CLI.

source-address address

Match the IPv6 address of the source node sending the packet.

source-port number

Match the UDP or TCP source port field.

You cannot specify the port and source-port match conditions in the same term.

If you configure this match condition, we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

In place of the numeric value, you can specify one of the text synonyms listed with the destination-port number match condition.

source-prefix-list

Match IP source prefixes in named list.

tcp-flags flags

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

  • fin (0x01)

  • syn (0x02)

  • rst (0x04)

  • push (0x08)

  • ack (0x10)

  • urgent (0x20)

In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

You can string together multiple flags using the bit-field logical operators.

For combined bit-field match conditions, see the tcp-established and tcp-initial match conditions.

If you configure this match condition, we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port.

tcp-initial

Match the initial packet of a TCP connection. This is a text synonym for tcp-flags "(!ack & syn)".

This condition does not implicitly check that the protocol is TCP. If you configure this match condition, we recommend that you also configure the next-header tcp match condition in the same term.

traffic-class number

Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet.

This field was previously used as the type-of-service (ToS) field in IPv4.

You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.

In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):

  • RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).

  • RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:

    • af11 (10), af12 (12), af13 (14)

    • af21 (18), af22 (20), af23 (22)

    • af31 (26), af32 (28), af33 (30)

    • af41 (34), af42 (36), af43 (38)

Note:

If you specify an IPv6 address in a match condition (the address, destination-address, or source-address match conditions), use the syntax for text representations described in RFC 4291, IP Version 6 Addressing Architecture. For more information about IPv6 addresses, see IPv6 Overview and Supported IPv6 Standards.

The following is a sample firewall family inet6 configuration:

Match Conditions for MPLS Traffic (ACX Series Routers)

On ACX Series routers, you can configure a standard stateless firewall filter with match conditions for MPLS traffic (family mpls).

Note:

The input-list filter-names and output-list filter-names statements for firewall filters for the mpls protocol family are supported on all interfaces with the exception of management interfaces and internal Ethernet interfaces (fxp or em0), loopback interfaces (lo0), and USB modem interfaces (umd).

Table 8 describes the match conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from] hierarchy level.

Table 8: Standard Firewall Filter Match Conditions for MPLS Traffic on ACX Series Routers

Match Condition

Description

exp number

Experimental (EXP) bit number or range of bit numbers in the MPLS header. For number, you can specify one or more values from 0 through 7 in decimal, binary, or hexadecimal format.

Nonterminating Actions (ACX Series Routers)

Standard stateless firewall filters support different sets of nonterminating actions for each protocol family.

Note:

ACX Series routers do not support the next term action.

ACX Series routers support log and syslog actions in ingress and egress directions for family inet and family bridge.

ACX5448, ACX710, and ACX7100 Series routers do not support the log, syslog, reject, forwarding-class, and loss-priority actions in the egress direction. In both the ingress and egress directions, these routers support interface-specific semantics only.

Table 9 describes the nonterminating actions you can configure for a standard firewall filter term.

Table 9: Nonterminating Actions for Standard Firewall Filters on ACX Series Routers

Nonterminating Action

Description

Protocol Families

count counter-name

Count the packet in the named counter.

  • family any

  • family inet

  • family mpls

  • family ccc

  • family bridge

  • family vpls

forwarding-class class-name

Classify the packet based on the specified forwarding class:

  • assured-forwarding

  • best-effort

  • expedited-forwarding

  • network-control

Note:

This action is supported on ingress only.

  • family inet

  • family inet6

  • family mpls

  • family ccc

  • family bridge

  • family vpls

log

Log the packet header information in a buffer within the Packet Forwarding Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI).

Note:

This action is supported on ingress and egress. The action on egress is not supported for family inet6.

  • family inet

  • family inet6

  • family bridge

loss-priority (high | medium-high | low)

Set the packet loss priority (PLP) level.

You cannot also configure the three-color-policer nonterminating action for the same firewall filter term. These two nonterminating actions are mutually exclusive.

You must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can configure only the high and low levels. This applies to all protocol families.

For information about the tri-color statement, see Configuring and Applying Tricolor Marking Policers. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Forwarding Classes Assign Classes to Output Queues.

Note:

This action is supported on ingress only.

  • family any

  • family inet

  • family inet6

  • family mpls

  • family ccc

  • family bridge

  • family vpls

policer policer-name

Name of policer to use to rate-limit traffic.

  • family any

  • family inet

  • family inet6

  • family mpls

  • family ccc

  • family bridge

  • family vpls

port-mirror

Port-mirror the packet based on the specified family.

Note:

This action is supported on ingress only.

ACX5048 and ACX5096 routers do not support port-mirror.

family inet

syslog

Log the packet to the system log file.

Note:

This action is supported on ingress and egress. The action on egress is not supported for family inet6.

  • family inet

  • family inet6

  • family bridge

three-color-policer (single-rate | two-rate) policer-name

Police the packet using the specified single-rate or two-rate three-color policer.

You cannot also configure the loss-priority action for the same firewall filter term. These two actions are mutually exclusive.

  • family any

  • family inet

  • family inet6

  • family mpls

  • family ccc

  • family bridge

  • family vpls

traffic-class

Set traffic-class code point

Note:

This action is supported on ingress only.

family inet6

Terminating Actions (ACX Series Routers)

Standard stateless firewall filters support different sets of terminating actions for each protocol family.

Note:

ACX Series routers do not support the next term action.

Table 10 describes the terminating actions you can specify in a standard firewall filter term.

Table 10: Terminating Actions for Standard Firewall Filters on ACX Series Routers

Terminating Action

Description

Protocols

accept

Accept the packet.

  • family any

  • family inet

  • family mpls

  • family ccc

discard

Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling.

  • family any

  • family inet

  • family mpls

  • family ccc

reject message-type

Reject the packet and return an ICMPv4 or ICMPv6 message:

  • If no message type is specified, a destination-unreachable message is returned by default.

  • If tcp-reset is specified as the message type, tcp-reset is returned only if the packet is a TCP packet. Otherwise, the administratively-prohibited message, which has a value of 13, is returned.

  • If any other message type is specified, that message is returned.

Note:

  • Rejected packets can be sampled or logged if you configure the sample or syslog action.

  • This action is supported on ingress only.

The message-type option can have one of the following values: address-unreachable, administratively-prohibited, bad-host-tos, bad-network-tos, beyond-scope, fragmentation-needed, host-prohibited, host-unknown, host-unreachable, network-prohibited, network-unknown, network-unreachable, no-route, port-unreachable, precedence-cutoff, precedence-violation, protocol-unreachable, source-host-isolated, source-route-failed, or tcp-reset.

family inet

routing-instance routing-instance-name

Direct the packet to the specified routing instance.

  • family inet