Firewall Filter Terminating and Nonterminating Actions for Protocol-Independent Traffic in Dynamic Service Profiles
Firewall filters in dynamic service profiles support a set of terminating actions that halt all evaluation of a firewall filter for a specific packet. The router performs the specified action, and no additional terms are examined. Table 1 describes the terminating actions that are supported for protocol-independent traffic (that is, configured under family any) for filters in dynamic service profiles.
You cannot configure the next action with a terminating action in the same filter term. However, you can configure the next action with another nonterminating action in the same filter term.
Protocol-independent firewall filters in dynamic service profiles are supported only on MX Series routers with MPCs.
| Terminating Action | Description |
|---|---|
| accept | Accept the packet. |
| | Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message. Discarded packets are available for logging and sampling. |
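The restriction on combining the next action with a terminating action can be checked mechanically before a profile is loaded. The following is an added example, not code from the original page or from Juniper: a Python check over set-style configuration lines that flags any term pairing `next term` with a terminating action. The profile, filter, term and counter names are constructed, and `discard`, `count` and `next term` are assumed to be the keywords for the actions described on this page.

```python
import re
from collections import defaultdict

# Terminating actions for family any. "discard" is assumed to be the keyword
# for the silent-discard row of the table above.
TERMINATING = {"accept", "discard"}

# Matches the tail of a set-style line: filter <f> term <t> then <action ...>
LINE_RE = re.compile(
    r"firewall\s+family\s+any\s+filter\s+(\S+)\s+term\s+(\S+)\s+then\s+(.+)$"
)

# Constructed sample input (all names are hypothetical).
SAMPLE = """
set dynamic-profiles svc-basic firewall family any filter f-in term t1 then count c-t1
set dynamic-profiles svc-basic firewall family any filter f-in term t1 then next term
set dynamic-profiles svc-basic firewall family any filter f-in term t2 then next term
set dynamic-profiles svc-basic firewall family any filter f-in term t2 then discard
set dynamic-profiles svc-basic firewall family any filter f-in term t3 then accept
""".strip().splitlines()


def collect_actions(config_lines):
    """Group the 'then' actions of every (filter, term) pair."""
    terms = defaultdict(list)
    for line in config_lines:
        match = LINE_RE.search(line.strip())
        if match:
            filt, term, action = match.groups()
            terms[(filt, term)].append(action.split())
    return terms


def find_conflicts(config_lines):
    """Return (filter, term, terminating_actions) for each invalid term."""
    conflicts = []
    for (filt, term), actions in collect_actions(config_lines).items():
        has_next = any(a[:2] == ["next", "term"] for a in actions)
        terminating = sorted(TERMINATING & {a[0] for a in actions})
        if has_next and terminating:
            conflicts.append((filt, term, terminating))
    return conflicts


if __name__ == "__main__":
    for filt, term, bad in find_conflicts(SAMPLE):
        print(f"filter {filt} term {term}: next term combined with {', '.join(bad)}")
```

Term t1 passes because it pairs `next term` with a nonterminating action only; term t2 is reported.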
Firewall filters in dynamic service profiles also support a set of nonterminating actions that are performed for a specific packet before the packet is passed to any subsequent actions in the term. Table 1 describes the terminating actions that are supported for protocol-independent traffic (that is, configured under family any) for filters in dynamic service profiles.
| Nonterminating Action | Description |
|---|---|
| | Count the packet in the named counter. |
| | By default, a hierarchical policer processes the traffic it receives according to the traffic's forwarding class. Premium, expedited-forwarding traffic has priority for bandwidth over aggregate, best-effort traffic. The Note: The |
| | Classify the packet to the named forwarding class: Note: This action is supported on ingress only. |
| | Police the packet using the specified hierarchical policer. |
| | Set the packet loss priority (PLP) level. You cannot also configure the You must include the For information about the For information about the Note: This action is supported on ingress only. |
| | Proceed to the next filter term. |
| | Name of policer to use to rate-limit traffic. |
| | Port-mirror the packet based on the specified family. Note: This action is supported on ingress only. |
| | Use the inline counting mechanism when capturing subscriber per-service statistics. Count the packet for service accounting. The count is applied to a specific named counter ( The Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. |
| | Use the deferred counting mechanism when capturing subscriber per-service statistics. The count is applied to a specific named counter ( The Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. |
| | (Only if the Indicate to subsequent filters in the chain that the packet was already processed. This action, coupled with the Note: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers. |
| | Police the packet using the specified single-rate or two-rate three-color policer. Note: You cannot also configure the |