You are on page 1of 548

Junos® OS

Firewall Filter and Policer Configuration Guide

Release

11.4

Published: 2011-11-08

Copyright © 2011, Juniper Networks, Inc.

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain. This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto. This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved. GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates. This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc. Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

Junos OS Firewall Filter and Policer Configuration Guide 11.4 Copyright © 2011, Juniper Networks, Inc. All rights reserved. Revision History October 2011—R1 Junos OS 11.4 The information in this document is current as of the date listed in the revision history. YEAR 2000 NOTICE Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

®

END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at

http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions
of that EULA.

ii

Copyright © 2011, Juniper Networks, Inc.

Abbreviated Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

Part 1
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9

Stateless Firewall Filters
Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . . 31 Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . . 261 Summary of Stateless Firewall Filter Configuration Statements . . . . . . . 283

Part 2
Chapter 10 Chapter 11 Chapter 12 Chapter 13 Chapter 14 Chapter 15

Traffic Policers
Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . 327 Three-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Logical and Physical Interface Policer Configuration . . . . . . . . . . . . . . . . . . 415 Layer 2 Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Summary of Policer Configuration Statements . . . . . . . . . . . . . . . . . . . . . . 455

Part 3

Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507 Index of Statements and Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519

Copyright © 2011, Juniper Networks, Inc.

iii

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

iv

Copyright © 2011, Juniper Networks, Inc.

Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Junos OS Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii Using the Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii

Part 1
Chapter 1

Stateless Firewall Filters
Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Router Data Flow Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Flow of Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Flow of Data Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Flow of Local Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Interdependent Flows of Routing Information and Packets . . . . . . . . . . . . . . . 4 Stateless Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Data Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Local Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Stateless and Stateful Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Purpose of Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Stateless Firewall Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Standard Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Stateless Firewall Filter Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Protocol Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 Filter Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Filter-Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Copyright © 2011, Juniper Networks, Inc.

v

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Flow Control Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 Stateless Firewall Filter Application Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12 Supported Standards for Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Using the CLI Editor in Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Chapter 2

Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Standard Stateless Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 How Standard Firewall Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Firewall Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Firewall Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 20 Firewall Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . . . 21 Firewall Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . . 21 Firewall Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Guidelines for Configuring Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . 21 Statement Hierarchy for Configuring Standard Firewall Filters . . . . . . . . . . . . 22 Standard Firewall Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Standard Firewall Filter Names and Options . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Standard Firewall Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23 Standard Firewall Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 Standard Firewall Filter Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Guidelines for Applying Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Applying Standard Firewall Filters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Applying a Firewall Filter to a Router’s Physical Interfaces . . . . . . . . . . . 26 Applying a Firewall Filter to the Router’s Loopback Interface . . . . . . . . . 26 Applying a Firewall Filter to Multiple Interfaces . . . . . . . . . . . . . . . . . . . . 27 Statement Hierarchy for Applying Standard Firewall Filters . . . . . . . . . . . . . . 27 Restrictions on Applying Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . 27 Number of Input and Output Filters Per Logical Interface . . . . . . . . . . . . 28 MPLS and Layer 2 CCC Firewall Filters in Lists . . . . . . . . . . . . . . . . . . . . . 28 Layer 2 CCC Firewall Filters on MX Series Routers . . . . . . . . . . . . . . . . . . 28 Protocol-Independent Firewall Filters on the Loopback Interface . . . . . 28 Understanding How to Use Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . 29 Using Standard Firewall Filters to Affect Local Packets . . . . . . . . . . . . . . . . . 29 Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Flood Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Using Standard Firewall Filters to Affect Data Packets . . . . . . . . . . . . . . . . . 30

Chapter 3

Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . . 31
Firewall Filter Match Conditions Based on Numbers or Text Aliases . . . . . . . . . . . 31 Matching on a Single Numeric Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Matching on a Range of Numeric Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Matching on a Text Alias for a Numeric Value . . . . . . . . . . . . . . . . . . . . . . . . . 32 Matching on a List of Numeric Values or Text Aliases . . . . . . . . . . . . . . . . . . . 32 Firewall Filter Match Conditions Based on Bit-Field Values . . . . . . . . . . . . . . . . . . 32 Match Conditions for Bit-Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Match Conditions for Common Bit-Field Values or Combinations . . . . . . . . . 33 Logical Operators for Bit-Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Matching on a Single Bit-Field Value or Text Alias . . . . . . . . . . . . . . . . . . . . . . 35 Matching on Multiple Bit-Field Values or Text Aliases . . . . . . . . . . . . . . . . . . . 35 Matching on a Negated Bit-Field Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

vi

Copyright © 2011, Juniper Networks, Inc.

Table of Contents

Matching on the Logical OR of Two Bit-Field Values . . . . . . . . . . . . . . . . . . . 36 Matching on the Logical AND of Two Bit-Field Values . . . . . . . . . . . . . . . . . . 36 Grouping Bit-Field Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36 Firewall Filter Match Conditions Based on Address Fields . . . . . . . . . . . . . . . . . . . 37 Implied Match on the ’0/0 except’ Address for Firewall Filter Match Conditions Based on Address Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Matching an Address Field to a Subnet Mask or Prefix . . . . . . . . . . . . . . . . . . 37 IPv4 Subnet Mask Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Prefix Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Default Prefix Length for IPv4 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 38 Default Prefix Length for IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 38 Default Prefix Length for MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 38 Matching an Address Field to an Excluded Value . . . . . . . . . . . . . . . . . . . . . . 38 Excluding IP Addresses in IPv4 or IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . 38 Excluding IP Addresses in VPLS or Layer 2 Bridging Traffic . . . . . . . . . . . 39 Excluding MAC Addresses in VPLS or Layer 2 Bridging Traffic . . . . . . . . . 40 Excluding All Addresses Requires an Explicit Match on the ’0/0’ Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40 Matching Either IP Address Field to a Single Value . . . . . . . . . . . . . . . . . . . . . 42 Matching Either IP Address Field in IPv4 or IPv6 Traffic . . . . . . . . . . . . . . 42 Matching Either IP Address Field in VPLS or Layer 2 Bridging Traffic . . . . 42 Matching an Address Field to Noncontiguous Prefixes . . . . . . . . . . . . . . . . . . 42 Matching an Address Field to a Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44 Firewall Filter Match Conditions Based on Address Classes . . . . . . . . . . . . . . . . . 45 Source-Class Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Destination-Class Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45 Guidelines for Applying SCU or DCU Firewall Filters to Output Interfaces . . . 45

Chapter 4

Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47
Standard Firewall Filter Match Conditions for Protocol-Independent Traffic . . . . 47 Standard Firewall Filter Match Conditions for IPv4 Traffic . . . . . . . . . . . . . . . . . . . 48 Standard Firewall Filter Match Conditions for IPv6 Traffic . . . . . . . . . . . . . . . . . . . 57 Standard Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . 62 Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic . . . . . . 64 Matching on IPv4 Packet Header Address or Port Fields in MPLS Flows . . . . 64 IP Address Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . . 65 IP Port Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Standard Firewall Filter Match Conditions for VPLS Traffic . . . . . . . . . . . . . . . . . . 66 Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic . . . . . . . . . . . . . 73 Standard Firewall Filter Match Conditions for Layer 2 Bridging Traffic . . . . . . . . . 75 Standard Firewall Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81 Standard Firewall Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Chapter 5

Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Standard Firewall Filters That Match Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Example: Configuring a Filter to Match on IPv6 Flags . . . . . . . . . . . . . . . . . . . 89 Example: Configuring a Filter to Match on Port and Protocol Fields . . . . . . . . 91 Example: Configuring a Filter to Match on Two Unrelated Criteria . . . . . . . . . 94

Copyright © 2011, Juniper Networks, Inc.

vii

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97 Standard Firewall Filters That Count Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100 Example: Configuring a Filter to Count Accepted and Rejected Packets . . . 100 Example: Configuring a Filter to Count and Discard IP Options Packets . . . . 103 Example: Configuring a Filter to Count IP Options Packets . . . . . . . . . . . . . . 106 Standard Firewall Filters That Act on Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111 Example: Configuring a Filter to Set the DSCP Bit to Zero . . . . . . . . . . . . . . . . 111 Example: Configuring a Filter to Count and Sample Accepted Packets . . . . . 114 Standard Firewall Filters for Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118 Example: Configuring a Filter to Block Telnet and SSH Access . . . . . . . . . . . 123 Example: Configuring a Filter to Block TFTP Access . . . . . . . . . . . . . . . . . . . 129 Example: Configuring a Filter to Accept OSPF Packets from a Prefix . . . . . . 132 Example: Configuring a Filter to Accept DHCP Packets Based on Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134 Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 Standard Firewall Filters That Prevent IP Packet Flooding . . . . . . . . . . . . . . . . . . 143 Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 Standard Firewall Filters That Handle Fragmented Packets . . . . . . . . . . . . . . . . . 152 Firewall Filters That Handle Fragmented Packets Overview . . . . . . . . . . . . . 152 Example: Configuring a Stateless Firewall Filter to Handle Fragments . . . . . 152 Standard Firewall Filters That Set Rate Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 Stateless Firewall Filters That Reference Policers Overview . . . . . . . . . . . . . 157 Example: Configuring a Rate-Limiting Filter Based on Destination Class . . . 158 Multiple Standard Firewall Filters Applied as a List . . . . . . . . . . . . . . . . . . . . . . . . 161 Multiple Standard Firewall Filters Applied as a List Overview . . . . . . . . . . . . 161 The Challenge: Simplify Large-Scale Firewall Filter Administration . . . . 161 A Solution: Apply Lists of Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . 162 Configuration of Multiple Filters for Filter Lists . . . . . . . . . . . . . . . . . . . . 162 Application of Filter Lists to a Router Interface . . . . . . . . . . . . . . . . . . . . 162 Interface-Specific Names for Filter Lists . . . . . . . . . . . . . . . . . . . . . . . . . 163 How Filter Lists Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Guidelines for Applying Multiple Standard Firewall Filters as a List . . . . . . . 164 Statement Hierarchy for Applying Lists of Multiple Firewall Filters . . . . 164 Filter Input Lists and Output Lists for Router Interfaces . . . . . . . . . . . . . 164 Types of Filters Supported in Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164 Restrictions on Applying Filter Lists for MPLS or Layer 2 CCC Traffic . . . 165 Example: Applying Lists of Multiple Standard Firewall Filters . . . . . . . . . . . . 165 Multiple Standard Firewall Filters in a Nested Configuration . . . . . . . . . . . . . . . . 170 Multiple Standard Firewall Filters in a Nested Configuration Overview . . . . . 170 The Challenge: Simplify Large-Scale Firewall Filter Administration . . . 170 A Solution: Configure Nested References to Firewall Filters . . . . . . . . . . 171 Configuration of Nested Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 171

viii

Copyright © 2011, Juniper Networks, Inc.

Table of Contents

Application of Nested Firewall Filters to a Router Interface . . . . . . . . . . . 171 Guidelines for Nesting References to Multiple Standard Firewall Filters . . . . 172 Statement Hierarchy for Configuring Nested Firewall Filters . . . . . . . . . 172 Filter-Defining Terms and Filter-Referencing Terms . . . . . . . . . . . . . . . . 172 Types of Filters Supported in Nested Configurations . . . . . . . . . . . . . . . 173 Number of Filter References in a Single Filter . . . . . . . . . . . . . . . . . . . . . 173 Depth of Filter Nesting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173 Example: Nesting References to Multiple Standard Firewall Filters . . . . . . . . 173 Interface-Specific Firewall Filter Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177 Interface-Specific Firewall Filter Instances Overview . . . . . . . . . . . . . . . . . . . 177 Instantiation of Interface-Specific Firewall Filters . . . . . . . . . . . . . . . . . . 177 Interface-Specific Names for Firewall Filter Instances . . . . . . . . . . . . . . 178 Interface-Specific Firewall Filter Counters . . . . . . . . . . . . . . . . . . . . . . . 178 Interface-Specific Firewall Filter Policers . . . . . . . . . . . . . . . . . . . . . . . . 179 Statement Hierarchy for Configuring Interface-Specific Firewall Filters . . . . 179 Statement Hierarchy for Applying Interface-Specific Firewall Filters . . . . . . 180 Example: Configuring Interface-Specific Firewall Filter Counters . . . . . . . . . 180 Filtering Packets Received on a Set of Interface Groups . . . . . . . . . . . . . . . . . . . . 185 Filtering Packets Received on a Set of Interface Groups Overview . . . . . . . . 185 Statement Hierarchy for Assigning Interfaces to Interface Groups . . . . . . . . 185 Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186 Statement Hierarchy for Applying Filters to an Interface Group . . . . . . . . . . 187 Example: Filtering Packets Received on an Interface Group . . . . . . . . . . . . . 188 Filtering Packets Received on an Interface Set . . . . . . . . . . . . . . . . . . . . . . . . . . . 192 Filtering Packets Received on an Interface Set Overview . . . . . . . . . . . . . . . 192 Statement Hierarchy for Defining an Interface Set . . . . . . . . . . . . . . . . . . . . 192 Statement Hierarchy for Configuring a Filter to Match on an Interface Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193 Example: Filtering Packets Received on an Interface Set . . . . . . . . . . . . . . . 193 Filter-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Filter-Based Forwarding Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Filters That Classify Packets or Direct Them to Routing Instances . . . . 199 Input Filtering to Classify and Forward Packets Within the Router . . . . 200 Output Filtering to Forward Packets to Another Routing Table . . . . . . 200 Restrictions for Applying Filter-Based Forwarding . . . . . . . . . . . . . . . . 200 Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic . . . . . . . . . 201 Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic . . . 201 Matching on IPv4 Address Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Matching on TCP Port Number Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 202 Matching on UDP Port Number Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 203 Statement Hierarchy for Configuring Routing Instances for FBF . . . . . . . . . 204 Statement Hierarchy for Applying FBF Filters to Interfaces . . . . . . . . . . . . . 205 Example: Configuring Filter-Based Forwarding on the Source Address . . . . 206 Accounting for Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211 Accounting for Standard Firewall Filters Overview . . . . . . . . . . . . . . . . . . . . . 211 Statement Hierarchy for Configuring Firewall Filter Accounting Profiles . . . . 211 Statement Hierarchy for Applying Firewall Filter Accounting Profiles . . . . . . 212 Example: Configuring Statistics Collection for a Standard Firewall Filter . . . 213

Copyright © 2011, Juniper Networks, Inc.

ix

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Logging of Stateless Firewall Filter Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 System Logging Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218 System Logging of Events Generated for the Firewall Facility . . . . . . . . . . . . 219 Logging of Packet Headers Evaluated by a Firewall Filter Term . . . . . . . . . . . 221 Example: Configuring Logging for a Stateless Firewall Filter Term . . . . . . . . 222

Chapter 6

Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Service Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227 Service Rule Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Service Filter Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 How Service Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228 Service Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Service Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . . 229 Service Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . . 229 Service Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . 229 Service Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Guidelines for Configuring Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Statement Hierarchy for Configuring Service Filters . . . . . . . . . . . . . . . . . . . 230 Service Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Service Filter Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230 Service Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Service Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Service Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231 Guidelines for Applying Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 Restrictions for Adaptive Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 232 Adaptive Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232 System Logging to a Remote Host from M Series Routers . . . . . . . . . . . 232 Statement Hierarchy for Applying Service Filters . . . . . . . . . . . . . . . . . . . . . 232 Associating Service Rules with Adaptive Services Interfaces . . . . . . . . . . . . 233 Filtering Traffic Before Accepting Packets for Service Processing . . . . . . . . 233 Postservice Filtering of Returning Service Traffic . . . . . . . . . . . . . . . . . . . . . . 234 Service Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Service Filter Match Conditions for IPv4 or IPv6 Traffic . . . . . . . . . . . . . . . . . 235 Service Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Service Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Example: Configuring and Applying Service Filters . . . . . . . . . . . . . . . . . . . . . . . . 242

Chapter 7

Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Simple Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 How Simple Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Simple Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . . 249 Simple Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . . 250 Simple Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . . 250 Simple Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . 250 Simple Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250 Guidelines for Configuring Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251 Statement Hierarchy for Configuring Simple Filters . . . . . . . . . . . . . . . . . . . . 251 Simple Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

x

Copyright © 2011, Juniper Networks, Inc.

. . Juniper Networks. . . . . . . . . 270 Valid Reference to a Firewall Filter Outside of the Logical System . . . . . . . . . . . . Inc. . . . . . . . . . . . . .Table of Contents Simple Filter Names . . . . . . . . . . . . 279 Chapter 9 Summary of Stateless Firewall Filter Configuration Statements . . . . . . . . 289 interface-set . . . . . . . . . . . . . . . . . . 269 Invalid Reference to a Firewall Filter Outside of the Logical System . . . . . . . . . . . . 284 family . . . . . . . . . . . . . . . . . . . . . 272 Restrictions for Stateless Firewall Filters in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Guidelines for Configuring and Applying Firewall Filters in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Identifiers for Firewall Objects in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 263 Firewall Filter Match Conditions in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255 Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . . . . . 289 interface-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 Firewall Filter Actions in Logical Systems . . . . . . . . . . . . . . . . 262 Statement Hierarchy for Configuring Firewall Filters in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269 Valid Reference to a Firewall Filter Within the Logical System . . . . . . . 251 Simple Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262 Filter Types in Logical Systems . 268 Resolution of References from a Nonfirewall Object to a Firewall Filter . . . . . . . . 266 Resolution of References from a Firewall Filter to Nonfirewall Objects . . . . . . . . . . . 275 Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285 filter . . . . . . . . . . . . . . . . . . . . 261 Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264 References from a Firewall Filter in a Logical System to Subordinate Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 filter (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266 Valid Reference to a Nonfirewall Object Outside of the Logical System . . . . . . . 283 accounting-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . 273 Unsupported Actions for Firewall Filters in Logical Systems . . . . . . . . . . . . 265 Resolution of References from a Firewall Filter to Subordinate Objects . 261 Stateless Firewall Filters in Logical Systems Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287 filter (Applying to a Logical Interface) . . . . . . . . . . . . . . . 253 Simple Filter Nonterminating Actions . . . . . . . . . . 288 firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254 Restrictions for Applying Simple Filters . . . . . . . . . . . . . . . . . . . . . . . 254 Statement Hierarchy for Applying Simple Filters . . . . . 273 Unsupported Firewall Filter Statements for Logical Systems . . . . . . . . . 264 Statement Hierarchy for Applying Firewall Filters in Logical Systems . . . . . . . . . . 290 service-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi . 267 References from a Nonfirewall Object in a Logical System to a Firewall Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261 Stateless Firewall Filters in Logical Systems . . . . . . . . . . . . . . . 253 Guidelines for Applying Simple Filters . 263 Firewall Filter Protocol Families in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265 Valid Reference from a Firewall Filter to a Subordinate Object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252 Simple Filter Terminating Actions . . . . . . . . . . . . 254 Example: Configuring and Applying a Simple Filter . . . . . 290 Copyright © 2011. . . . . . 265 References from a Firewall Filter in a Logical System to Nonfirewall Objects . . . . . . . . . . . . . . . . . . . . . 252 Simple Filter Match Conditions . . 283 enhanced-mode . . .

. . . . . . . . . . . . . . . . . . . . . . 302 Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . 301 Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Statement Hierarchy for Configuring Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Firewall Filter and Policer Configuration Guide simple-filter . . . . . . . . . . . . 299 Forwarding Classes and PLP Levels . . . 304 Order of Policer and Firewall Filter Operations . . . . . . . . . . . . . . . . . . . . . .Junos OS 11. . . . . . . . . . . . . . 316 Policer Bandwidth and Burst-Size Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320 Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . 303 Logical Interface (Aggregate) Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291 term . . . . 323 Burst-Size Limit Based on the Line Rate of the Interface . . . . . . . . . . . . . . . . . . 303 Policers Applied to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301 Single-Rate Two-Color Policers . . . . . . . . 311 Hierarchical Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 298 Traffic Color Marking . . . . 325 xii Copyright © 2011. 321 Dual Token Bucket Algorithms . . . 302 Hierarchical Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319 Token Bucket Concepts . . . 301 Basic Single-Rate Two-Color Policer . . . . . . . . . . . . . 320 Conformance Measurement for Two-Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316 Policer Color-Marking and Actions . 323 Guidelines for Choosing a Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . 316 Introduction to Policer Rate Limits and Actions . . 303 Physical Interface Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300 Policer Application to Traffic . . . . . . . . . . 297 Traffic Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297 Congestion Management for IP Traffic Flows . 304 Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . 304 Introduction to Policer Configuration . . . 305 Two-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . 321 Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323 Calculation of Policer Burst-Size Limit . . . . . . . . . . . . . . . . . 307 Three-Color Policer Configuration Overview . . . . . . . . . . . . . 302 Three-Color Policers . . 318 Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . 322 Nonconformance Measurement for Two-Rate Three-Color Marking . . . . . . . . . . . . . 300 Traffic Policer Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302 Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Nonconformance Measurement for Single-Rate Three-Color Marking . . . . . . . . . . . . 314 Guidelines for Applying Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303 Two-Color and Three-Color Policer Options . . . . . . . . 297 Traffic Policing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322 Guaranteed Bandwidth for Three-Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292 Part 2 Chapter 10 Traffic Policers Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . 327 Example: Configuring a Single-Rate Two-Color Policer . . . . 361 Filter-Specific Counter and Policer Set Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 334 Bandwidth Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Multifield Classification Limitations on M Series Routers . . . . . . . . . . . . . . . 353 Prefix-Specific Counting and Policing Actions . . . . . . 377 CoS Tricolor Marking Requirement . . . . . . . . . . . . Inc. . . . . . . . . . . . . Juniper Networks. . . . . . 327 Single-Rate Two-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . 369 Scenario 1: Firewall Filter Term Matches on Multiple Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326 Chapter 11 Single-Rate Two-Color Policer Configuration . 378 Problem: Output-Filter Matching on Input-Filter Classification . . . . 373 Multifield Classification . . . 344 Guidelines for Configuring a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Prefix-Specific Counting and Policing Overview . . . . . . . . . . . . . . . . . . . . 343 Bandwidth Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359 Separate Counting and Policing for Each IPv4 Address Range . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386 Copyright © 2011. . . 375 Multifield Classification Overview . . . . . . . . . . . . . . . . . . . 378 Workaround: Configure All Actions in the Ingress Filter . . . . . . . . . . . . . . . . . xiii . . . . 362 Prefix-Specific Counting and Policing Configuration Scenarios . . . . . . . . . . . . . . . . . . . . . . 344 Guidelines for Applying a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352 Filter-Specific Policer Overview . . . . . . . . . . . . . . 372 Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition . . . . . . . . . . . . . . . 380 Example: Configuring and Applying a Firewall Filter for a Multifield Classifier . . . . . . . . . . . . . . . . . . . . . . . . 379 Example: Configuring Multifield Classification . . . . 375 Multifield Classification and BA Classification . . . . . 377 Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 328 Example: Configuring Interface and Firewall Filter Policers at the Same Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378 Restrictions . . . . . . . . . . . . . . . . . . . . . 344 Example: Configuring a Logical Bandwidth Policer . . . . . . 359 Prefix-Specific Action Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375 Forwarding Classes and PLP Levels . . . . . . . . . . . . 325 Supported Standards for Policing . . . . . . . . . . . . . . . . . . . . . 376 Multifield Classification Requirements and Restrictions . . . 376 Multifield Classification Used In Conjunction with Policers . . . . . . . . . . . . . . . . . 369 Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .Table of Contents Burst-Size Limit Based on the MTU of Traffic on the Interface . . . . 360 Counter and Policer Set Size and Indexing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362 Example: Configuring Prefix-Specific Counting and Policing . . . . . . . . . . . 327 Basic Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . 345 Filter-Specific Counters and Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370 Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition . . . . . . . . . . . . . . . . . . . . . . . . .

. . . 445 Statement Hierarchy for Configuring a Two-Color Policer for Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Example: Configuring a Two-Color Logical Interface (Aggregate) Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427 Physical Interface Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Two-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Example: Configuring Policer Overhead to Account for Rate Shaping . 439 Two-Color and Three-Color Policers at Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401 Example: Configuring a Single-Rate Three-Color Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391 Chapter 12 Three-Color Policer Configuration . . . . . . . . . 437 Hierarchical Policers . . . . . 401 Single-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415 Logical Interface (Aggregate) Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444 Guidelines for Configuring Two-Color Policing of Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . 446 Statement Hierarchy for Applying a Three-Color Policer to Layer 2 Traffic .4 Firewall Filter and Policer Configuration Guide Policer Overhead to Account for Rate Shaping in the Traffic Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Platforms Supported for Three-Color Policers . . . . . . . . . 399 Three-Color Policer Configuration Guidelines . . . . . 445 Statement Hierarchy for Applying a Two-Color Policer to Layer 2 Traffic . . . 400 Basic Single-Rate Three-Color Policers . . . . . . . . . . 416 Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409 Chapter 13 Logical and Physical Interface Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399 Color Modes for Three-Color Policers . . . . . . . . . . . 445 Three-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421 Two-Color and Three-Color Physical Interface Policers . . . . . . . 447 Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400 Naming Conventions for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437 Example: Configuring a Hierarchical Policer . . 447 xiv Copyright © 2011. . . . 400 Color-Aware Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . 446 Guidelines for Configuring Three-Color Policing of Layer 2 Traffic . . . . . . . . . . . . . . . 402 Basic Two-Rate Three-Color Policers . . . . . . . . . . . . . 437 Hierarchical Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .Junos OS 11. . . . . . 427 Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface . . . . . . . . . . . . . . . . . . 400 Color-Blind Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429 Chapter 14 Layer 2 Policer Configuration . . . . . 415 Two-Color and Three-Color Logical Interface Policers . . . 446 Statement Hierarchy for Configuring a Three-Color Policer for Layer 2 Traffic . . . . . . . . . . . . . . . . . 407 Two-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390 Policer Overhead to Account for Rate Shaping Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408 Example: Configuring a Two-Rate Three-Color Policer . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . 481 load-balance-group . . . . . . . . . . . . . . . . 468 committed-information-rate . . . . . . . . . . . . . . . 485 output-policer . . . . . . . . . . . . . . . . . . . .Table of Contents Chapter 15 Summary of Policer Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492 policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496 prefix-action (Firewall Filter Action) . . . . . . 474 hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479 input-three-color . . . . . . . . . 502 Copyright © 2011. . . . . . . . . . . . . 455 action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457 bandwidth-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484 loss-priority (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498 single-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 if-exceeding (Policer) . . . . . . 466 color-blind . . . . . . . . . 467 committed-burst-size . . . . . . 479 input-policer . . . . . . . . . . . . . . . . . . . . . . 472 filter-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486 output-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477 if-exceeding (Hierarchical Policer) . . . . . . . . . . . 494 policer (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . 482 logical-interface-policer . . . . . . . . . . . . . . . . . 473 forwarding-class (Firewall Filter Action) . . . . . 491 physical-interface-policer . . . . . . . . . . . . . 484 loss-priority high then discard (Three-Color Policer) . . . 493 policer (Applying to a Logical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483 loss-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . 493 policer (Configuring) . . . . . . . . . . 463 burst-size-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461 burst-size-limit . . . . . . . . . . . . . . . . . . . . . . 478 input-hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464 color-aware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463 burst-size-limit (Hierarchical Policer) . . . . . . . . . . . 458 bandwidth-limit (Policer) . . . . 488 peak-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459 bandwidth-percent . . . . . . . . . . . . . . . . . . 480 layer2-policer . . . . . 458 bandwidth-limit (Hierarchical Policer) . . . . . . . . . 495 prefix-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490 physical-interface-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501 three-color-policer (Firewall Filter Action) . . . . . . . . . . . . . . . 497 premium (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475 if-exceeding . . . . . . . . . . . . . . . . . . . . 500 three-color-policer (Configuring) . . . . . . . . . . . . . . 482 logical-bandwidth-policer . . . . . 499 three-color-policer . . . . . . . . . . . . . . . . . . . . . 496 prefix-action (Configuring) . . . . . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456 aggregate (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470 excess-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487 peak-burst-size . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519 xvi Copyright © 2011. . . . . . .4 Firewall Filter and Policer Configuration Guide two-rate . . . .Junos OS 11. . . . . . . . . . . . . . . . . . . Inc. . . . . . . . . . . . . . . . . . . 503 Part 3 Index Index . . . . . . . . 507 Index of Statements and Commands . .

. . . . . . . . . . . . . . . . . . 3 Figure 1: Flows of Routing Information and Packets . . . . . . . . . . . . 261 Figure 3: Logical System with a Stateless Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . 279 Part 2 Chapter 10 Traffic Policers Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . 4 Chapter 5 Standard Firewall Filter Configuration . . . 298 Figure 5: Incoming and Outgoing Policers and Firewall Filters . . . . . . . . . xvii . . . . . . . . . . . . . . . . 297 Figure 4: Network Traffic and Burst Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Figure 2: Typical Network with BGP Peer Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Copyright © 2011. . . . . . . . . . . .List of Figures Part 1 Chapter 1 Stateless Firewall Filters Introduction to Stateless Firewall Filters . . . . . . . . . 138 Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . Inc. Juniper Networks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. Inc. Juniper Networks.Junos OS 11.4 Firewall Filter and Policer Configuration Guide xviii Copyright © 2011.

. . . . . . 12 Chapter 2 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi Table 1: Notice Icons . . . . . . . . . 63 Table 15: IP Address-Specific Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . Inc. . . . . . . 241 Copyright © 2011. . . . . . . . . . . . . . . . . . . . 67 Table 18: Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic . . . . . . . . . . . . . . . . . . . . . . . . 48 Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic . . . . . 31 Table 8: Binary and Bit-Field Match Conditions for Firewall Filters . . . . . . . 219 Table 23: Packet-Header Logs for Stateless Firewall Filter Terms . . . . . . . . . . . . . 74 Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) . . . . . . . 3 Table 3: Firewall Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . 57 Table 14: Standard Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Chapter 4 Standard Firewall Filter Match Conditions and Actions . . . . . . . . 24 Table 7: Standard Firewall Filter Action Categories . . . . . 19 Table 6: Standard Firewall Filter Match Conditions by Protocol Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 Table 16: IP Port-Specific Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . xix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .List of Tables About This Guide . . . . . . . . . . . . . 235 Table 25: Terminating Actions for Service Filters . . . . . . . . . . . . . 222 Chapter 6 Service Filter Configuration . . . . . . . . . . . 89 Table 22: Syslog Message Destinations for the Firewall Facility . . 8 Table 5: Stateless Firewall Filter Configuration and Application Summary . . . . . . . . . 33 Table 9: Bit-Field Match Conditions for Common Combinations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Table 10: Bit-Field Logical Operators . . . . . . . . . . . xxv Part 1 Chapter 1 Stateless Firewall Filters Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . 8 Table 4: Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic . . . 227 Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75 Table 20: Terminating Actions for Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . 81 Table 21: Nonterminating Actions for Standard Firewall Filters . . . . . . . . . . . . . 47 Table 11: Standard Firewall Filter Match Conditions for Protocol-Independent Traffic . . . . . . . . . . . . . . . . 25 Chapter 3 Standard Firewall Filter Match Conditions Overview . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318 Table 35: Example Calculations of Policer Burst-Size Limit . . . . . . . . . . . . . 369 Chapter 12 Three-Color Policer Configuration . 401 xx Copyright © 2011. . . . . . .Junos OS 11. . . . . . . . . . . . 361 Table 37: Summary of Prefix-Specific Action Scenarios . . . . . . . . 315 Table 33: Policer Bandwidth Limits and Burst-Size Limits . . . . . . . . . . . . . . 317 Table 34: Implicit and Configurable Policer Actions Based on Color Marking . . . . . . . 307 Table 31: Three-Color Policer Configuration and Application Overview . . 275 Part 2 Chapter 10 Traffic Policers Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . 249 Table 27: Simple Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . .4 Firewall Filter and Policer Configuration Guide Table 26: Nonterminating Actions for Service Filters . . . . . . . . . . . 399 Table 38: Recommended Naming Convention for Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325 Chapter 11 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . Inc. . . 261 Table 28: Unsupported Firewall Statements for Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . Juniper Networks. . . . . . . . . . . . . . . . . . . . 312 Table 32: Hierarchical Policer Configuration and Application Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242 Chapter 7 Simple Filter Configuration . . . 297 Table 30: Two-Color Policer Configuration and Application Overview . . . . . . . . 327 Table 36: Examples of Counter and Policer Set Size and Indexing . . . . . 274 Table 29: Unsupported Actions for Firewall Filters in Logical Systems . . . . . . . . . . . 252 Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . . . .

deployment. The current list can be viewed at http://www.net/books .net/techpubs/ . To obtain the most current version of all Juniper Networks technical documentation.net/techpubs/software/junos/ . and administration using the Junos operating system (Junos OS) and Juniper Networks devices. Juniper Networks. published in conjunction with O'Reilly Media. Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world.juniper. If the information in the latest release notes differs from the information in the documentation.juniper. These books go beyond the technical documentation to explore the nuances of network architecture. see the product documentation page on the Juniper Networks website at http://www. All the books are for sale at technical bookstores and book outlets around the world. and availability using Junos OS configuration techniques.About This Guide This preface provides the following guidelines for using the Junos OS Firewall Filter and Policer Configuration Guide: • • • • • • • • • ® Junos OS Documentation and Release Notes on page xxi Objectives on page xxii Audience on page xxii Supported Platforms on page xxii Using the Indexes on page xxiii Using the Examples in This Manual on page xxiii Documentation Conventions on page xxiv Documentation Feedback on page xxvi Requesting Technical Support on page xxvi Junos OS Documentation and Release Notes For a list of related Junos OS documentation.juniper. Inc. reliability. ® Copyright © 2011. follow the Junos OS Release Notes. explores improving network security. see http://www. the Juniper Networks Technical Library. xxi . In addition.

Juniper Networks. MX Series. and must abide by the instructions provided by the documentation. or J Series router or switch. or hostile manner. networking principles. EX Series. . You must also be familiar with one or more of the following Internet routing protocols: • • • • • • • • • • • Border Gateway Protocol (BGP) Distance Vector Multicast Routing Protocol (DVMRP) Intermediate System-to-Intermediate System (IS-IS) Internet Control Message Protocol (ICMP) router discovery Internet Group Management Protocol (IGMP) Multiprotocol Label Switching (MPLS) Open Shortest Path First (OSPF) Protocol-Independent Multicast (PIM) Resource Reservation Protocol (RSVP) Routing Information Protocol (RIP) Simple Network Management Protocol (SNMP) Personnel operating the equipment must be trained and competent. you need a broad understanding of networks in general.Junos OS 11. must not conduct themselves in a careless. Inc. the Junos OS currently supports the following platforms: • • J Series M Series xxii Copyright © 2011.4 Firewall Filter and Policer Configuration Guide Objectives This guide provides an overview of stateless firewall filters and traffic policers for the Junos OS and describes how to configure firewall filters and policers on the router. NOTE: For additional information about the Junos OS—either corrections to or information that might have been omitted from this guide—see the software release notes at http://www. Supported Platforms For the features described in this manual. Audience This guide is designed for network administrators who are configuring and monitoring a Juniper Networks M Series. T Series. and network configuration.net/ . the Internet in particular. willfully negligent. To use this guide.juniper.

save the file with a name. In this case. These procedures are described in the following sections. For example. In the complete index. the example is a full example. follow these steps: 1. use the load merge relative command. and an index of statements and commands only. Copy the ex-script. From the HTML or PDF version of the manual. If the example configuration does not start at the top level of the hierarchy.conf. Merging a Full Example To merge a full example. xxiii . In this case. the example is a snippet.About This Guide • • • MX Series T Series EX Series Using the Indexes This reference contains two indexes: a complete index that includes topic entries. The example does not become active until you commit the candidate configuration. system { scripts { commit { file ex-script.xsl. and copy the file to a directory on your routing platform. you can use the load merge or the load merge relative command. copy a configuration example into a text file. In the index of statements and commands. an entry refers to a statement summary section only. refers to the section in a configuration guidelines chapter that describes how to use the statement or command. use the load merge command. usage guidelines. copy the following configuration to a file and name the file ex-script. If the example configuration contains the top level of the hierarchy (or multiple hierarchies). } } } interfaces { fxp0 { Copyright © 2011. The secondary entry. Using the Examples in This Manual If you want to use the examples in this manual. Inc.conf file to the /var/tmp directory on your routing platform. These commands cause the software to merge the incoming configuration into the current candidate configuration. the entry for a configuration statement or command contains at least two parts: • • The primary entry refers to the statement summary section. Juniper Networks.

xxiv Copyright © 2011.conf file to the /var/tmp directory on your routing platform. Documentation Conventions Table 1 on page xxv defines notice icons used in this guide.Junos OS 11. copy the following snippet to a file and name the file ex-script-snippet. follow these steps: 1.conf load complete For more information about the load command. Copy the ex-script-snippet. } } } } 2. } 2.4 Firewall Filter and Policer Configuration Guide disable.0. and copy the file to a directory on your routing platform.conf.xsl.0. From the HTML or PDF version of the manual. Merge the contents of the file into your routing platform configuration by issuing the load merge relative configuration mode command: [edit system scripts] user@host# load merge relative /var/tmp/ex-script-snippet. Move to the hierarchy level that is relevant for this snippet by issuing the following configuration mode command: [edit] user@host# edit system scripts [edit system scripts] 3. copy a configuration snippet into a text file. save the file with a name. see the Junos OS CLI User Guide. unit 0 { family inet { address 10. For example. Juniper Networks.conf load complete Merging a Snippet To merge a snippet. Inc. .1/24. commit { file ex-script-snippet. Merge the contents of the file into your routing platform configuration by issuing the load merge configuration mode command: [edit] user@host# load merge /var/tmp/ex-script.

configuration hierarchy levels. A policy term is a named structure that defines match conditions and actions. The console port is labeled CONSOLE. include the stub statement at the [edit protocols ospf area area-id] hierarchy level. • < > (angle brackets) stub <default-metric metric>. Table 2 on page xxv defines the text and syntax conventions used in this guide. Laser warning Alerts you to the risk of personal injury from a laser. Juniper Networks. and directories. xxv .About This Guide Table 1: Notice Icons Icon Meaning Informational note Description Indicates important features or instructions. type the configure command: user@host> configure Fixed-width text like this Represents output that appears on the terminal screen. interface names. To configure a stub area. Warning Alerts you to the risk of personal injury or death. Copyright © 2011. Identifies RFC and Internet draft titles. BGP Communities Attribute • • Italic text like this Represents variables (options for which you substitute a value) in commands or configuration statements. files. Junos OS System Basics Configuration Guide RFC 1997. commands. Caution Indicates a situation that might result in loss of data or hardware damage. Table 2: Text and Syntax Conventions Convention Bold text like this Description Represents text that you type. Inc. Enclose optional keywords or variables. or labels on routing platform components. Identifies book names. user@host> show chassis alarms No alarms currently active • Italic text like this • • • Introduces important new terms. Configure the machine’s domain name: [edit] root@# set system domain-name domain-name • Text like this Represents names of configuration statements. Examples To enter configuration mode.

Identifies a leaf statement at a configuration hierarchy level. Inc.net. or fill out the documentation feedback form at https://www. To cancel the configuration. Documentation Feedback We encourage you to provide feedback. comments. Indicates a comment specified on the same line as the configuration statement to which it applies. You can send your comments to techpubs-comments@juniper. Identify a level in the configuration hierarchy. (semicolon) [edit] routing-options { static { route default { nexthop address. . xxvi Copyright © 2011.net/cgi-bin/docbugreport/ . Examples broadcast | multicast (string1 | string2 | string3) # (pound sign) rsvp { # Required for dynamic MPLS only [ ] (square brackets) community name members [ community-ids ] Indention and braces ( { } ) . The set of choices is often enclosed in parentheses for clarity.Junos OS 11. If you are using e-mail. • > (bold right angle bracket) Separates levels in a hierarchy of J-Web selections. select Protocols>Ospf. Enclose a variable for which you can substitute one or more values. If you are a customer with an active J-Care or JNASC support contract. Juniper Networks.juniper. and suggestions so that we can improve the documentation.4 Firewall Filter and Policer Configuration Guide Table 2: Text and Syntax Conventions (continued) Convention | (pipe symbol) Description Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. be sure to include the following information with your comments: • • • Document or topic name URL or page number Software release version (if applicable) Requesting Technical Support Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). select All Interfaces. } } } J-Web GUI Conventions Bold text like this Represents J-Web graphical user interface (GUI) items you click or select. retain. • In the Logical Interfaces box. In the configuration editor hierarchy. click Cancel.

review the JTAC User Guide located at http://www. Canada.juniper. visit http://www.net/customers/support/ Find product documentation: http://www.net/us/en/local/pdf/resource-guides/7100059-en. • • Use the Case Management tool in the CSC at http://www.net/support/requesting-support.net/support/warranty/ . visit us at http://www. For international or direct-dial options in countries without toll-free numbers. JTAC Hours of Operation —The JTAC centers have resources available 24 hours a day. and Mexico). and need postsales technical support.juniper. use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.juniper. you can access our tools and resources online or open a case with JTAC.net/alerts/ • Join and participate in the Juniper Networks Community Forum: http://www. Inc.juniper.juniper. Juniper Networks. Product warranties—For product warranty information.net/ Download the latest versions of software and review release notes: http://www. • • Self-Help Online Tools and Resources For quick and easy problem resolution.juniper. xxvii .juniper.net/customers/csc/software/ • Search technical bulletins for relevant hardware and software notifications: https://www.juniper.pdf . 7 days a week.About This Guide or are covered under warranty.net/company/communities/ • Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/ .net/cm/ To verify service entitlement by product serial number.html Copyright © 2011.juniper.juniper. Juniper Networks has designed an online self-service portal called the Customer Support Center (CSC) that provides you with the following features: • • • • Find CSC offerings: http://www. • JTAC policies—For a complete understanding of our JTAC procedures and policies. Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA. 365 days a year.net/SerialNumberEntitlementSearch/ Opening a Case with JTAC You can open a case with JTAC on the Web or by telephone.net/techpubs/ Find solutions and answer questions using our Knowledge Base: http://kb.

. Inc.Junos OS 11.4 Firewall Filter and Policer Configuration Guide xxviii Copyright © 2011. Juniper Networks.

1 . Inc.PART 1 Stateless Firewall Filters • • • • • • • • • Introduction to Stateless Firewall Filters on page 3 Standard Firewall Filter Overview on page 19 Standard Firewall Filter Match Conditions Overview on page 31 Standard Firewall Filter Match Conditions and Actions on page 47 Standard Firewall Filter Configuration on page 89 Service Filter Configuration on page 227 Simple Filter Configuration on page 249 Stateless Firewall Filter Configuration in Logical Systems on page 261 Summary of Stateless Firewall Filter Configuration Statements on page 283 Copyright © 2011. Juniper Networks.

4 Firewall Filter and Policer Configuration Guide 2 Copyright © 2011. Juniper Networks.Junos OS 11. . Inc.

which are sets of rules that the policy framework uses to preempt default routing policies. Inc. the master routing table. This information is stored in routing tables.CHAPTER 1 Introduction to Stateless Firewall Filters • • • • • • • Router Data Flow Overview on page 3 Stateless Firewall Filter Overview on page 5 Stateless Firewall Filter Types on page 6 Stateless Firewall Filter Components on page 7 Stateless Firewall Filter Application Points on page 12 Supported Standards for Filtering on page 14 Using the CLI Editor in Configuration Mode on page 15 Router Data Flow Overview The Junos OS provides a policy framework. you can configure routing policies. • • • • Flow of Routing Information on page 3 Flow of Data Packets on page 4 Flow of Local Packets on page 4 Interdependent Flows of Routing Information and Packets on page 4 Flow of Routing Information Routing information is the information about routes learned by the routing protocols from a router’s neighbors. and the master forwarding table. An active route is a route that is chosen from all routes in the routing table to reach a destination. The routing protocols advertise active routes only from the routing tables. which is the router’s control plane. The Routing Engine. 3 . Copyright © 2011. which is a collection of Junos OS policies that enable you to control flows of routing information and packets within the router. The Routing Engine runs the Junos OS and routing policies and stores the active router configuration. handles the flow of routing information between the routing protocols and the routing tables and between the routing tables and the forwarding table. To control which routes the routing protocols place in the routing tables and which routes the routing protocols advertise from the routing tables. Juniper Networks.

it forwards the packet to the appropriate process or to the kernel. in turn. Figure 1: Flows of Routing Information and Packets Routing policies determine which routes the Routing Engine places in the forwarding table. and data for administrative protocols such as the Internet Control Message Protocol (ICMP).Junos OS 11. Local packets usually contain routing protocol data. Flow of Local Packets Local packets are chunks of data that are destined for or sent by the router. When the Routing Engine receives a local packet. The router then forwards the data packet toward its destination through the appropriate interface.4 Firewall Filter and Policer Configuration Guide Flow of Data Packets Data packets are chunks of data that transit the router as they are being forwarded from a source to a destination. Inc. Although routing information flows and packet flows are very different from one another. or to the Packet Forwarding Engine. . handles the flow of data packets in and out of the router’s physical interfaces. data for IP services such as Telnet or SSH. which are both part of the Routing Engine. Related Documentation • • Stateless Firewall Filter Overview on page 5 “Packet Flow Within Routers Overview” in the Junos OS Class of Service Configuration Guide 4 Copyright © 2011. Interdependent Flows of Routing Information and Packets Figure 1 on page 4 illustrates the flow of data through a router. they are also interdependent. it determines where to forward the packet by looking in the forwarding table for the best route to a destination. When a router receives a data packet on an interface. Juniper Networks. Although the Packet Forwarding Engine contains Layer 3 and Layer 4 header information. The Routing Engine handles the flow of local packets from the router’s physical interfaces and to the Routing Engine. The forwarding table. which is the router’s forwarding plane. it does not contain the packet data itself (the packet's payload). The Packet Forwarding Engine. has an integral role in determining the appropriate physical interface through which to forward a packet.

called filter terms.Chapter 1: Introduction to Stateless Firewall Filters • “Understanding BGP Path Selection” in the Junos OS Routing Protocols Configuration Guide • “Understanding Route Preference Values” in the Junos OS Routing Protocols Configuration Guide • “Routing Policy Overview” in the Junos OS Routing Policy Configuration Guide Stateless Firewall Filter Overview This topic covers the following information: • • • Packet Flow Control on page 5 Stateless and Stateful Firewall Filters on page 5 Purpose of Stateless Firewall Filters on page 6 Packet Flow Control To influence which packets are allowed to transit the system and to apply special actions to packets as necessary. you can apply stateless firewall filters to the input or output of the router’s physical interfaces. does not statefully inspect traffic. You typically apply a stateless firewall filter to one or more interfaces that have been configured with protocol family features. you can configure policers. also known as an access control list (ACL). including fragmented packets. an egress interface. A filter term specifies match conditions to use to determine a match and actions to take on a matched packet. Inc. To enforce a specified bandwidth and maximum burst size for traffic sent or received on an interface. A stateless firewall specifies a sequence of one or more packet-filtering rules. You can apply a stateless firewall filter to an ingress interface. Local Packet Flow Control To control the flow of local packets between the physical interfaces and the Routing Engine. Juniper Networks. The loopback interface (lo0) is the interface to the Routing Engine and carries no data packets. Stateless and Stateful Firewall Filters A stateless firewall filter. or both. you can configure stateless firewall filters. Data Packet Flow Control To control the flow of data packets transiting the device as the packets are being forwarded from a source to a destination. based on evaluation of Layer 3 and Layer 4 header fields. In contrast. 5 . Policers are a specialized type of stateless firewall filter and a primary component of the Junos OS class-of-service (CoS). a stateful firewall filter uses connection Copyright © 2011. it evaluates packet contents statically and does not keep track of the state of network connections. Instead. you can apply stateless firewall filters to the input or output of the loopback interface. A stateless firewall filter enables you to manipulate any packet of a particular protocol family.

from denial-of-service attacks. Juniper Networks. For example. such as forwarding or dropping packets that match the criteria you specify.Junos OS 11. For information about Junos OS stateful firewall policies for J Series and SRX Series security devices.4 Firewall Filter and Policer Configuration Guide state information derived from other applications and past communications in the data flow to make dynamic control decisions. 6 Copyright © 2011. The typical use of a stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets. You can configure firewall filters to protect the local router or to protect another device that is either directly or indirectly connected to the local router. SSH. The Junos OS Firewall Filter and Policer Configuration Guide describes stateless firewall filters supported on T Series. such as Telnet. . Inc. Packet filtering enables you to inspect the components of incoming or outgoing packets and then perform the actions you specify on packets that match the criteria you specify. and MX Series routers. see “Security Policies Overview” in the Junos OS Security Configuration Guide. you can use the filters to restrict the local packets that pass from the router’s physical interfaces to the Routing Engine. and BGP. Such filters are useful in protecting the IP services that run on the Routing Engine. M Series. Purpose of Stateless Firewall Filters The basic purpose of a stateless firewall filter is to enhance security through the use of packet filtering. Related Documentation • • • Router Data Flow Overview on page 3 Stateless Firewall Filter Types on page 6 “Traffic Policing Overview on page 297” in the Junos OS Firewall Filter and Policer Configuration Guide • “Packet Flow Through the CoS Process Overview” in the Junos OS Class of Service Configuration Guide Stateless Firewall Filter Types This topic covers the following information: • • • Standard Stateless Firewall Filters on page 6 Service Filters on page 7 Simple Filters on page 7 Standard Stateless Firewall Filters The Junos OS standard stateless firewall filters support a rich set of packet-matching criteria that you can use to match on specific traffic and perform specific actions.

Juniper Networks. Inc. Simple filters always accept packets. Also. simple filters support IPv4 traffic only and have a number of restrictions. MultiServices PICs. you can specify the protocol family for which you want to filter traffic. any firewall filter that is configured on the Routing Engine loopback interface (lo0) cannot be applied to the targeted broadcast packets that are forwarded to the Routing Engine. simple filters can be applied only as input filters. Unlike standard filters. Service filters filter IPv4 and IPv6 traffic only and can be applied to logical interfaces on Adaptive Services PICs. You can apply a service filter to the inbound or outbound traffic at an adaptive services interface to perform packet filtering on traffic before it is accepted for service processing. You can also apply a service filter to the traffic that is returning to the services interface after service processing to perform postservice processing. Service Filters A service filter defines packet-filtering (a set of match conditions and a set of actions) for IPv4 or IPv6 traffic. and MultiServices DPCs only. Simple filters are recommended for metropolitan Ethernet applications. Service filters are not supported on J Series devices and Branch SRX devices. and you can only apply a firewall filter to local next hop routes for traffic directed toward the Routing Engine. This is because broadcast packets are forwarded as flood next hop traffic and not as local next hop traffic. Copyright © 2011. Simple Filters Simple filters are supported on Gigabit Ethernet intelligent queuing (IQ2) and Enhanced Queuing Dense Port Concentrator (EQ DPC) interfaces only. They are not supported on outbound traffic. you cannot configure a terminating action for a simple filter.Chapter 1: Introduction to Stateless Firewall Filters NOTE: If you configured targeted broadcast for virtual routing and forwarding (VRF) by including the forward-and-send-to-re statement. For example. 7 . Related Documentation • • Stateless Firewall Filter Overview on page 5 Stateless Firewall Filter Components on page 7 Stateless Firewall Filter Components This topic covers the following information: • • • • • Protocol Family on page 7 Filter Type on page 8 Terms on page 9 Match Conditions on page 10 Actions on page 11 Protocol Family Under the firewall statement.

Juniper Networks. Internet Protocol version 4 (IPv4) family inet Internet Protocol version 6 (IPv6) MPLS MPLS-tagged IPv4 family inet6 family mpls family mpls Supports matching on IP addresses and ports. Table 4 on page 8 describes the firewall filter types. Filter Type Under the family family-name statement. you can specify the type and name of the filter you want to configure.Junos OS 11. up to five MPLS stacked labels. Table 4: Filter Types Filter Type Stateless Firewall Filter Filter Configuration Statement filter filter-name Description Filters the following traffic types: • • • • • • • • Protocol independent IPv4 IPv6 MPLS MPLS-tagged IPv4 VPLS Layer 2 CCC Layer 2 bridging (MX Series routers only) 8 Copyright © 2011. Virtual private LAN service (VPLS) Layer 2 Circuit Cross-Connection Layer 2 Bridging family vpls family ccc family bridge MX Series routers only. The family inet statement is optional for IPv4. Inc. Table 3: Firewall Filter Protocol Families Protocol Family Configuration Statement family any Type of Traffic to Be Filtered Protocol Independent Comments All protocol families configured on a logical interface. .4 Firewall Filter and Policer Configuration Guide Table 3 on page 8 describes the firewall filter protocol families.

The match conditions define the values or fields that the packet must contain to be considered a match. or simple-filter statement. By default. Copyright © 2011.Chapter 1: Introduction to Stateless Firewall Filters Table 4: Filter Types (continued) Filter Type Service Filter Filter Configuration Statement service-filter service-filter-name Description Defines packet-filtering to be applied to ingress or egress before it is accepted for service processing or applied to returning service traffic after service processing has completed. you must configure a unique name for each term. the corresponding action is taken. A term is a named structure in which match conditions and actions are defined. a packet that does not match a firewall filter is discarded. Inc. Filters the following traffic types: • • IPv4 IPv6 Supported at logical interfaces configured on the following hardware only: • Adaptive Services (AS) PICs on M Series and T Series routers Multiservices (MS) PICs on M Series and T Series routers Multiservices (MS) DPCs on MX Series routers • • Simple Filter simple-filter simple-filter-name Defines packet filtering to be applied to ingress traffic only. Filters the following traffic type: • IPv4 Supported at logical interfaces configured on the following hardware only: • Gigabit Ethernet Intelligent Queuing (IQ2) PICs installed on M120. Within a firewall filter. Juniper Networks. As a result. you must configure at least one firewall filter term. or T Series routers Enhanced Queuing Dense Port Concentrators (EQ DPCs) installed on MX Series routers • Terms Under the filter. TIP: You cannot apply a different filter on each direction of traffic on the same interface. service-filter. M320. and each term consists of two components—match conditions and actions. it is common to create firewall filters with multiple terms. 9 . All stateless firewall filters contain one or more terms. If a packet is a match.

the packet is accepted by default. IP options. TCP flags. and outgoing logical or physical interface. . you specify characteristics that the packet must have for the action in the subsequent then statement to be performed.Junos OS 11. TCP or UDP source port field. you can configure a stateless firewall filter within the term of another filter. IP protocol field. Internet Control Message Protocol (ICMP) packet type. Consequently. a match occurs if any of the values matches the packet. the router takes the configured action on the packet. In the from statement in a firewall filter term. the packet must match all the conditions in the term. This method enables you to add common terms to multiple filters without having to modify all filter definitions. The packet must match all conditions in the from statement for the action to be performed. You can configure one filter with the desired common terms. you need to modify only one filter that contains the common terms. a number of match conditions for VPLS traffic are supported only on the MX Series 3D Universal Edge Routers. and configure this filter as a term in other filters. a packet must match only one of the values to be considered a match for the firewall filter term. Inc. IP destination address field. The scope of match conditions you can specify in a firewall filter term depends on the protocol family under which the firewall filter is configured. If a packet matches a firewall filter term. Each protocol family supports a different set of match conditions. Additionally. Juniper Networks. such as a range of values. which also means that the order of the conditions in the from statement is not important. 10 Copyright © 2011. instead of multiple filters. For a match to occur.4 Firewall Filter and Policer Configuration Guide If a packet arrives on an interface for which no firewall filter is applied for the incoming traffic on that interface. If a single match condition is configured with multiple values. The characteristics are referred to as match conditions. and some match conditions are supported only on certain routing devices. including the IP source address field. For example. You can define various match conditions. If a firewall filter term contains multiple match conditions. called a match condition. to specify the field or value that a packet must contain in order to be considered a match for the firewall filter term. incoming logical or physical interface. NOTE: A firewall filter with a large number of terms can adversely affect both the configuration commit time and the performance of the Routing Engine. If an individual match condition can specify a list of values (such as multiple source and destination addresses) or a range of numeric values. to make a change in these common terms. Match Conditions A firewall filter term must contain at least one packet-filtering criteria. a packet must meet all match conditions to be considered a match for the firewall filter term.

Flow Control Action For standard stateless firewall filters only. Firewall filter actions fall into the following categories: Filter-Terminating Actions A filter-terminating action halts all evaluation of a firewall filter for a specific packet. If you are using the CLI. Juniper Networks. • Actions The actions specified in a firewall filter term define the actions to take for any packet that matches the conditions specified in the term. Related Documentation • Stateless Firewall Filter Types on page 6 Copyright © 2011. select the synonym from the appropriate list. or sending information to a remote host using the system log functionality. For a complete list of synonyms: • If you are using the J-Web interface. Actions that are configured within a single term are all taken on traffic that matches the conditions configured. sampling the packet data. Any packet that matches all the conditions of the term is automatically accepted unless the term specifies other or additional actions. the term accepts all packets and the actions specified in the term’s then statement are optional. your candidate configuration results in a commit error. 11 . such as incrementing a counter. type a question mark (?) after the from statement. The router performs the specified action. logging information about the packet header. the action next term enables the router to perform configured actions on the packet and then evaluate the following term in the filter. rather than terminating the filter. NOTE: Some of the numeric range and bit-field match conditions allow you to specify a text synonym. If you configure a standard filter that exceeds this limit.Chapter 1: Introduction to Stateless Firewall Filters If a filter term does not specify match conditions. Inc. Nonterminating Actions Nonterminating actions are used to perform other functions on a packet. A maximum of 1024 next term actions are supported per standard stateless firewall filter configuration. BEST PRACTICE: We strongly recommend that you explicitly configure one or more actions per firewall filter term. and no additional terms are examined.

the table describes the types of firewall filters supported at that point. } NOTE: A filter configured with the implicit inet protocol family cannot be included in an input filter list or an output filter list. routing interfaces. Application Point Logical interface Apply at the [edit interfaces interface-name unit unit-number family inet] hierarchy level by including the input filter-name or output filter-name statements: Restrictions Supported on the following routers: • • • • T Series routers M320 routers M7i routers with the enhanced CFEB (CFEB-e) M10i routers with the enhanced CFEB-e Also supported on the following Modular Port Concentrators (MPCs) on MX Series routers: • • • 10-Gigabit Ethernet MPC 60-Gigabit Ethernet Queuing MPC 60-Gigabit Ethernet Enhanced Queuing MPC 12 Copyright © 2011. You use an output list to apply multiple firewall filters to the outbound traffic on an interface. you must apply it to an application point. outbound traffic. You typically apply one filter with multiple terms to a single logical interface. filter { input filter-name. Juniper Networks. or both at the same time. NOTE: If you do not include the family statement. Table 5 on page 12 describes each point to which you can apply a firewall filter. and a large number of terms can take a long time to process during a commit operation. output filter-name.Junos OS 11. However. . the router hierarchy level at which the filter can be applied. physical interfaces. Input filters take action on packets being received on the specified interface. the firewall filter processes IPv4 traffic by default. More counters require more terms. but there are some practical considerations. These application points include logical interfaces. You use an input list to apply multiple firewall filters to the incoming traffic on an interface. or both. Inc. In most cases. There is no limit to the number of filters and counters you can set. and any platform-specific limitations. to incoming traffic. However. For each application point. you can apply a firewall filter as an input filter or an output filter.4 Firewall Filter and Policer Configuration Guide • “Inserting a New Identifier in a Junos Configuration” in the Junos OS CLI User Guide Stateless Firewall Filter Application Points After you define the firewall filter. filters with more than 4000 terms and counters have been implemented successfully. whereas output filters take action on packets that are transmitted through the specified interface. You can include up to 16 filters in an input list or an output list. there are times when you might want to chain together multiple firewall filters (with single or multiple terms) and apply them to an interface. Table 5: Stateless Firewall Filter Configuration and Application Summary Filter Type Stateless firewall filter Configure by including the filter filter-name statement the [edit firewall] hierarchy level: filter filter-name. and routing instances.

hierarchy level by.Chapter 1: Introduction to Stateless Firewall Filters Table 5: Stateless Firewall Filter Configuration and Application Summary (continued) Filter Type Stateless firewall filter Configure at the [edit firewall family family-name] hierarchy level by including the following statement: filter filter-name. Copyright © 2011. hierarchy level by using the service-set statement to apply a service filter as an input or output filter to a service set: service { input { service-set service-set-name service-filter filter-name. Juniper Networks. The family-name can be any of the following protocol families: • • • • • • • Application Point Protocol family on a logical interface Apply at the [edit interfaces interface-name unit unit-number family family-name] Restrictions The protocol family bridge is supported only on MX Series routers. input-list [ filter-names ]. output-list [ filter-names ]. output filter-name. output. or output-list statements: filter { input filter-name. Routing Engine loopback interface Family inet or inet6 on a logical interface Apply at the [edit interfaces interface-name unit unit-number family (inet | inet6)] Supported only on Adaptive Services (AS) and Multiservices (MS) PICs. } any bridge ccc inet inet6 mpls vpls Stateless firewall filter Service filter Configure at the [edit firewall family (inet | inet6)] hierarchy level by including the following statement: service-filter service-filter-name. 13 . including the input. Inc. } } Configure a service set at the [edit services] hierarchy level by including the following statement: service-set service-set-name. } output { service-set service-set-name service-filter filter-name. input-list.

Inc. M320. Gigabit Ethernet intelligent queuing (IQ2) PICs on the M120.4 Firewall Filter and Policer Configuration Guide Table 5: Stateless Firewall Filter Configuration and Application Summary (continued) Filter Type Postservice filter Configure at the [edit firewall family (inet | inet6)] hierarchy level by including the following statement: service-filter service-filter-name. Simple filters can only be applied as input filters. Supported on the following platforms only: • Simple filter Configure at the [edit firewall family inet] hierarchy level by including the following statement: simple-filter filter-name Reverse packet forwarding (RPF) check filter Configured at the [edit firewall family (inet | inet6)] hierarchy level by including the following statement: filter filter-name. The filter is applied only if a service set is configured and selected. • Family inet or inet6 on a logical interface Apply at the [edit interfaces interface-name unit unit-number family (inet | inet6)] Supported on MX Series routers only. rpf-check { fail-filter filter-name. Application Point Family inet or inet6 on a logical interface Apply at the [edit interfaces interface-name unit unit-number family (inet | inet6)] Restrictions A postservice filter is applied to traffic returning to the services interface after service processing. hierarchy level by including the post-service-filter statement to apply a service filter as an input filter: service { input { post-service-filter filter-name.Junos OS 11. Definition of the Differentiated Services (DS) Field 14 Copyright © 2011. Enhanced Queuing Dense Port Concentrators (EQ DPC) on MX Series routers. and T Series routers. . } Related Documentation • • Stateless Firewall Filter Components on page 7 Supported Standards for Filtering on page 14 Supported Standards for Filtering The Junos OS supports the following RFCs related to filtering: • • • RFC 792. } } Family inet on a logical interface Apply at the [edit interfaces interface-name unit unit-number family inet] hierarchy level by including the following statement: simple-filter simple-filter-name. Version 6 (IPv6) RFC 2474. Internet Protocol. hierarchy level by including the following statement: rpf-check fail-filter filter-name to apply the stateless firewall filter as an RPF check filter. mode loose. Juniper Networks. Internet Control Message Protocol RFC 2460.

An Architecture for Differentiated Services RFC 2597. navigate through the configuration hierarchy. get help. Assured Forwarding PHB Group RFC 3246. Create a statement hierarchy. Juniper Networks. 15 . and commit or revert the changes that you make during the configuration session. You cannot use the edit command to change the value of identifiers. When you first log in to the device. Create a statement hierarchy and set identifier values. When you do. the device is in operational mode. You can use the edit command to simultaneously create a hierarchy and move to that new level in the hierarchy. The set command is similar to edit except that your current level in the hierarchy does not change. the CLI prompt changes from user@host> to user@host# and the hierarchy level appears in square brackets. Inc. Task Edit Your Configuration Enter configuration mode. An Expedited Forwarding PHB (Per-Hop Behavior) RFC 4291. You must explicitly enter configuration mode. Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification Standard Stateless Firewall Filter Overview on page 19 Service Filter Overview on page 227 Simple Filter Overview on page 249 Stateless Firewall Filters in Logical Systems Overview on page 261 Related Documentation • • • • Using the CLI Editor in Configuration Mode This topic describes some of the basic commands that you must use to enter configuration mode in the command-line interface (CLI) editor. IP Version 6 Addressing Architecture RFC 4443. set hierarchy-level value edit hierarchy-level value configure user@host> configure [edit] user@host# Command/Statement Example [edit] user@host# edit security zones security-zone myzone [edit security zones security-zone myzone] user@host# [edit] user@host# set security zones security-zone myzone [edit] user@host# Navigate the Hierarchy Copyright © 2011.Chapter 1: Introduction to Stateless Firewall Filters • • • • • RFC 2475.

You must navigate to the top of the hierarchy using the up or top commands before you can exit configuration mode. Juniper Networks. You must enter the rollback statement at the edit level in the hierarchy. Command/Statement edit hierarchy-level Example [edit] user@host# edit security zones [edit security zones] user@host# Navigate up one level in the hierarchy. . top [edit security zones] user@host# top [edit] user@host# Commit or Revert Changes Commit your configuration. up [edit security zones] user@host# up [edit security] user@host# Navigate to the top of the hierarchy. commit and-quit [edit] user@host# commit and-quit user@host> Exit configuration mode without committing your configuration. commit [edit] user@host# commit commit complete Roll back changes from the current session. exit [edit] user@host# exit The configuration has been changed but not committed Exit with uncommitted changes? [yes. Inc.no] (yes) Get Help 16 Copyright © 2011. When you run the rollback command before exiting your session or committing changes. Use the rollback command to revert all changes from the current configuration session.4 Firewall Filter and Policer Configuration Guide Task Navigate down to an existing hierarchy level. the software loads the most recently committed configuration onto the device.Junos OS 11. rollback [edit] user@host# rollback load complete Exit Configuration Mode Commit the configuration and exit configuration mode.

Chapter 1: Introduction to Stateless Firewall Filters Task Display a list of valid options for the current hierarchy level. Inc. Command/Statement ? Example [edit ] user@host# edit security zones ? Possible completions: <[Enter]> Execute this command > functional-zone Functional zone > security-zone Security zones | Pipe through a command [edit] Copyright © 2011. Juniper Networks. 17 .

Inc.4 Firewall Filter and Policer Configuration Guide 18 Copyright © 2011. Juniper Networks.Junos OS 11. .

or denial-of-service (DoS) attacks. You can configure a firewall filter to do the following: • Restrict traffic destined for the Routing Engine based on its source.CHAPTER 2 Standard Firewall Filter Overview • • • • • Standard Stateless Firewall Filter Overview on page 19 How Standard Firewall Filters Evaluate Packets on page 20 Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Applying Standard Firewall Filters on page 26 Understanding How to Use Standard Firewall Filters on page 29 Standard Stateless Firewall Filter Overview Firewall filters provide a means of protecting your router from excessive traffic transiting the router to a network destination or destined for the Routing Engine. Juniper Networks. Address special circumstances associated with fragmented packets destined for the Routing Engine. Otherwise. and application. Firewall filters that control local packets can also protect your router from external incidents. you must configure the filter to accommodate fragments that do not contain packet header information. Because the device evaluates every packet against a firewall filter (including fragments). 19 . the filter discards all but the first fragment of a fragmented packet. Stateless Firewall Filter Types on page 6 Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Applying Standard Firewall Filters on page 26 Understanding How to Use Standard Firewall Filters on page 29 • • Related Documentation • • • • Copyright © 2011. protocol. Inc. Limit the traffic rate of packets destined for the Routing Engine to protect against flood.

• • If the packet matches all the conditions in a term. For example.Junos OS 11. the policy framework software evaluates a packet as follows: • • If the packet matches all the conditions. it is discarded. Firewall Filters That Contain Multiple Terms For a standard stateless firewall filter that consists of multiple terms.4 Firewall Filter and Policer Configuration Guide How Standard Firewall Filters Evaluate Packets This topic covers the following information: • • • • • Firewall Filters That Contain a Single Term on page 20 Firewall Filters That Contain Multiple Terms on page 20 Firewall Filter Terms That Do Not Contain Any Match Conditions on page 21 Firewall Filter Terms That Do Not Contain Any Actions on page 21 Firewall Filter Default Action on page 21 Firewall Filters That Contain a Single Term For a standard stateless firewall filter that consists of a single term. Juniper Networks. If the packet does not match all the conditions. the device checks for a value of 0x22 in the 2-byte field that is two bytes after the IP packet header. and any subsequent terms in the filter are not used. the packet is accepted. If the packet matches all the conditions and no actions are specified. the evaluation continues to the next term. Inc. There is no implied protocol match. . the policy framework software evaluates a packet against the terms in the filter sequentially. the actions are taken. until either the packet matches all the conditions in one of the terms or there are no more terms in the filter. If the actions include the next term action. if you specify a match of destination-port ssh. it compares only the header fields specified in the match condition. the actions in that term are performed. • 20 Copyright © 2011. Unlike service filters and simple filters. • NOTE: When the device compares the stateless firewall filter match conditions to a packet. standard stateless firewall filters support the next term action. beginning with the first term in the filter. The protocol field of the packet is not checked. evaluation of the packet ends at this term of the filter. which is neither a terminating action nor a nonterminating action but a flow control action.: • If the actions do not include the next term action.

evaluation of the packet proceeds to the next term in the filter. which is equivalent to including the following example term explicit_discard as the final term in the standard stateless firewall filter: term explicit_discard { then discard. Juniper Networks. Inc. and if the packet matches the conditions in the term. if a packet matches none of the terms in a standard stateless firewall filter. } By default. Firewall Filter Terms That Do Not Contain Any Match Conditions For standard stateless filters with a single term and for standard stateless firewall filters with multiple terms. your candidate configuration results in a commit error. If you configure a standard filter that exceeds this limit. Related Documentation • • • • How Service Filters Evaluate Packets on page 228 How Simple Filters Evaluate Packets on page 249 Guidelines for Configuring Standard Firewall Filters on page 21 Understanding How to Use Standard Firewall Filters on page 29 Guidelines for Configuring Standard Firewall Filters This topic covers the following information: • • • • • • Statement Hierarchy for Configuring Standard Firewall Filters on page 22 Standard Firewall Filter Protocol Families on page 22 Standard Firewall Filter Names and Options on page 23 Standard Firewall Filter Terms on page 23 Standard Firewall Filter Match Conditions on page 24 Standard Firewall Filter Actions on page 25 Copyright © 2011. the packet is discarded. the packet is accepted. Firewall Filter Terms That Do Not Contain Any Actions If a standard stateless firewall filter term does not contain any actions. if a term does not specify any match conditions. • A maximum of 1024 next term actions are supported per standard stateless firewall filter configuration. the actions are taken on any packet evaluated.Chapter 2: Standard Firewall Filter Overview • If the packet does not match all the conditions in the term. Firewall Filter Default Action Each standard stateless firewall filter has an implicit discard action at the end of the filter. Evaluation of the packet continues until either the packet matches a term without next term action or until the end of the filter is reached. 21 .

physical-interface-filter. include one of the following statements to specify the protocol family for which you want to filter traffic: • • family any—To filter protocol-independent traffic. term term-name { filter filter-name. family inet—To filter Internet Protocol version 4 (IPv4) traffic. protocol (tcp | udp) { match conditions. Juniper Networks. firewall { family family-name { filter filter-name { accounting-profile name. } term term-name { from { match-conditions. the family inet statement is optional. 22 Copyright © 2011. } } } then { actions. you must allow the output tunnel traffic through the firewall filter applied to input traffic on the interface that is the next-hop interface toward the tunnel destination. Under the firewall statement. interface-specific. .4 Firewall Filter and Policer Configuration Guide Statement Hierarchy for Configuring Standard Firewall Filters To configure a standard firewall filter.Junos OS 11. For an IPv4 standard firewall filter. Standard Firewall Filter Protocol Families A standard firewall filter configuration is specific to a particular protocol family. ip-version ipv4 { match-conditions. The firewall filter affects only the packets exiting the router by way of the tunnel. you can include the following statements. Inc. } } } } } You can include the firewall configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] NOTE: For stateless firewall filtering.

To configure an IPv4 firewall filter. and hyphens (-) and be up to 64 characters long. By default.Chapter 2: Standard Firewall Filter Overview • • • • • family inet6—To filter Internet Protocol version 6 (IPv6) traffic. When included at this hierarchy level. family mpls—To filter MPLS traffic. numbers. the filter filter-name statement is used to nest firewall filters. The order in which you specify terms within a firewall filter configuration is important. Standard Firewall Filter Names and Options Under the family family-name statement. To include spaces in the name. numbers. you can include filter filter-name statements to create and name standard firewall filters. the following statements are optional: • • • accounting-profile interface-specific physical-interface-filter Standard Firewall Filter Terms Under the filter filter-name statement. • At the [edit firewall family family-name filter filter-name term term-name] hierarchy level. family ccc—To filter Layer 2 circuit cross-connection (CCC) traffic. Juniper Networks. The filter name can contain letters. the filter filter-name statement is not valid in the same term as from or then statements. Inc. The term name can contain letters. enclose the entire name in quotation marks (“ ”). To include spaces in the name. Copyright © 2011. family vpls—To filter virtual private LAN service (VPLS) traffic. and hyphens (-) and can be up to 64 characters long. At the [edit firewall family family-name filter filter-name] hierarchy level. new terms are always added to the end of the existing filter. You must specify a unique name for each term within a firewall filter. You can use the insert configuration mode command to reorder the terms of a firewall filter. you can configure the filter at the [edit firewall] hierarchy level without including the family inet statement. family bridge—To filter Layer 2 bridging traffic for MX Series 3D Universal Edge Routers only. enclose the entire name in quotation marks (“ ”). • • You must configure at least one term in a firewall filter. because the [edit firewall] and [edit firewall family inet] hierarchy levels are equivalent. Firewall filter terms are evaluated in the order in which they are configured. The family family-name statement is required only to specify a protocol family other than IPv4. you can include term term-name statements to create and name filter terms. 23 .

see “Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic” on page 73. see “Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic” on page 64. see “Standard Firewall Filter Match Conditions for VPLS Traffic” on page 66. . VPLS [edit firewall family vpls filter filter-name term term-name] For the complete list of match conditions. see “Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic” on page 64. see “Standard Firewall Filter Match Conditions for MPLS Traffic” on page 62. MPLS [edit firewall family mpls filter filter-name term term-name] For the complete list of match conditions. IPv4 addresses in MPLS flows [edit firewall family mpls filter filter-name term term-name ip-version ipv4 ] For the complete list of match conditions. For MPLS-tagged IPv4 traffic. IPv4 [edit firewall family inet filter filter-name term term-name] For the complete list of match conditions. you specify the term’s IPv4 address-specific match conditions under the ip-version ipv4 statement and the term’s IPv4 port-specific match conditions under the protocol (tcp | udp) statement. see “Standard Firewall Filter Match Conditions for IPv4 Traffic” on page 48. see “Standard Firewall Filter Match Conditions for IPv6 Traffic” on page 57. Table 6 on page 24 describes the types of traffic for which you can configure standard stateless firewall filters. see “Standard Firewall Filter Match Conditions for Protocol-Independent Traffic” on page 47. Table 6: Standard Firewall Filter Match Conditions by Protocol Family Traffic Type Protocolindependent Hierarchy Level at Which Match Conditions Are Specified [edit firewall family any filter filter-name term term-name] For the complete list of match conditions. Inc.Junos OS 11. With the exception of MPLS-tagged IPv4 traffic. you specify the term’s match conditions under the from statement. Layer 2 CCC [edit firewall family ccc filter filter-name term term-name] For the complete list of match conditions.4 Firewall Filter and Policer Configuration Guide Standard Firewall Filter Match Conditions Standard firewall filter match conditions are specific to the type of traffic being filtered. 24 Copyright © 2011. Juniper Networks. IPv6 [edit firewall family inet6 filter filter-name term term-name] For the complete list of match conditions. IPv4 ports in MPLS flows [edit firewall family mpls filter filter-name term term-name ip-version ipv4 protocol (tcp | udp)] For the complete list of match conditions.

Copyright © 2011. however. or sending information to a remote host using the system log functionality). You can specify only one terminating action in a standard firewall filter. see “Standard Firewall Filter Match Conditions for Layer 2 Bridging Traffic” on page 75. but any additional terms are used to examine the packet. within a term. use the syntax for text representations described in RFC 2373. Inc. logging information about the packet header. sampling the packet data. If you specify an IPv6 address in a match condition (the address. Juniper Networks. You can. or source-address match conditions). Standard Firewall Filter Actions Under the then statement for a standard stateless firewall filter term. See “Standard Firewall Filter Nonterminating Actions” on page 82. destination-address. IP Version 6 Addressing Architecture. Comment See “Standard Firewall Filter Terminating Actions” on page 81. you can specify the actions to be taken on a packet that matches the term. Table 7: Standard Firewall Filter Action Categories Type of Action Terminating Description Halts all evaluation of a firewall filter for a specific packet. and no additional terms are used to examine the packet. Table 7 on page 25 summarizes the types of actions you can specify in a standard stateless firewall filter term. For example. you can specify accept with count and syslog. see “IPv6 Overview” and “IPv6 Standards” in the Junos OS Routing Protocols Configuration Guide. specify one terminating action with one or more nonterminating actions in a single term. The router performs the specified action. 25 . For more information about IPv6 addresses.Chapter 2: Standard Firewall Filter Overview Table 6: Standard Firewall Filter Match Conditions by Protocol Family (continued) Traffic Type Layer 2 Bridging (MX Series routers only) Hierarchy Level at Which Match Conditions Are Specified [edit firewall family bridge filter filter-name term term-name] For the complete list of match conditions. Nonterminating Performs other functions on a packet (such as incrementing a counter.

Applying a Firewall Filter to a Router’s Physical Interfaces When you apply a standard firewall filter to a physical interface on the router. You can apply a firewall filter to a single interface or to multiple interfaces on the router. use the next term in the filter to evaluate the packet. the matching packet is not evaluated against subsequent terms in the firewall filter. Inc. For example. Juniper Networks. Otherwise. lo0. However. your candidate configuration results in a commit error. Related Documentation • • Guidelines for Applying Standard Firewall Filters on page 26 Understanding How to Use Standard Firewall Filters on page 29 Guidelines for Applying Standard Firewall Filters This topic covers the following information: • • • Applying Standard Firewall Filters Overview on page 26 Statement Hierarchy for Applying Standard Firewall Filters on page 27 Restrictions on Applying Standard Firewall Filters on page 27 Applying Standard Firewall Filters Overview You can apply a standard stateless firewall filter to a physical interface on the router or to the loopback interface on the router. The next term action forces the continued evaluation of the firewall filter.4 Firewall Filter and Policer Configuration Guide Table 7: Standard Firewall Filter Action Categories (continued) Type of Action Flow control Description For standard stateless firewall filters only. rather than terminate the filter. Comment You cannot configure the next term action with a terminating action in the same filter term. you can configure the next term action with another nonterminating action in the same filter term. the filter evaluates all data packet that pass through that interface. If the next term action is included. . when you configure a term with the nonterminating action count. is the interface to the Routing Engine and carries no data packets. the term’s action changes from an implicit discard to an implicit accept. When you apply a standard firewall filter to the loopback interface. the next term action directs the router to perform configured actions on the packet and then. 26 Copyright © 2011.Junos OS 11. A maximum of 1024 next term actions are supported per standard stateless firewall filter configuration. the filter evaluates the local packets received or transmitted by the Routing Engine. If you configure a standard filter that exceeds this limit. Applying a Firewall Filter to the Router’s Loopback Interface The router’s loopback interface. the matching packet is evaluated against the next term in the firewall filter.

Inc. output-list [ filter-names ]. interfaces { interface-name { unit logical-unit-number { family family-name { . On M Series routers. and MX Series routers. } } } } } You can include the interface configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Restrictions on Applying Standard Firewall Filters • • • • Number of Input and Output Filters Per Logical Interface on page 28 MPLS and Layer 2 CCC Firewall Filters in Lists on page 28 Layer 2 CCC Firewall Filters on MX Series Routers on page 28 Protocol-Independent Firewall Filters on the Loopback Interface on page 28 Copyright © 2011. regardless of the sum of traffic on the multiple interfaces. you can configure standard stateless firewall filters and service filters that. output filter-name. if you apply a firewall filter to multiple interfaces. On these routers.. Juniper Networks. except the M120 and M320 routers. the filter acts on the sum of traffic entering or exiting those interfaces. act on the individual traffic streams entering or exiting each interface.forwarding components. or output-list filter-name statements in the filter stanza for the logical interface protocol family. input-list [ filter-names ].. interfaces are distributed among multiple packet. 27 . M320. see “Interface-Specific Firewall Filter Instances Overview” on page 177. M120. output filter-name. On T Series. configure the input filter-name. filter { group group-number. input filter-name.Chapter 2: Standard Firewall Filter Overview Applying a Firewall Filter to Multiple Interfaces You can use the same standard firewall filter one or more times. Statement Hierarchy for Applying Standard Firewall Filters To apply a standard stateless firewall filter to a logical interface. For more information. when applied to multiple interfaces. input-list filter-name.

• Output filters—Although you can use the same filter multiple times. On MX Series routers. you cannot apply a Layer 2 CCC stateless firewall filter (a firewall filter configured at the [edit firewall filter family ccc] hierarchy level) as an output filter.4 Firewall Filter and Policer Configuration Guide Number of Input and Output Filters Per Logical Interface Input filters—Although you can use the same filter multiple times. include the input filter-name statement in the filter stanza. To specify an ordered list of firewall filters to be used to evaluate packets received on the interface. Related Documentation • • Guidelines for Configuring Standard Firewall Filters on page 21 Understanding How to Use Standard Firewall Filters on page 29 28 Copyright © 2011. Protocol-Independent Firewall Filters on the Loopback Interface Protocol-independent firewall filters—stateless firewall filters configured at the [edit firewall family any] hierarchy level— are not supported on the router loopback interface (lo0). you can apply only one input filter or one input filter list to an interface. You can specify up to 16 firewall filters in a filter output list. you can apply only one output filter or one output filter list to an interface. include the output filter-name statement in the filter stanza. include the output-list [ filter-names ] statement in the filter stanza. Juniper Networks. • MPLS and Layer 2 CCC Firewall Filters in Lists The input-list filter-names and output-list filter-names statements for firewall filters for the ccc and mpls protocol families are supported on all interfaces with the exception of the following: • • • Management interfaces and internal Ethernet interfaces (fxp or em0) Loopback interfaces (lo0) USB modem interfaces (umd) Layer 2 CCC Firewall Filters on MX Series Routers On MX Series routers only. To specify an ordered list of firewall filters to be used to evaluate packets transmitted on the interface. • To specify a single firewall filter to be used to evaluate packets received on the interface. include the input-list [ filter-names ] statement in the filter stanza. • To specify a single firewall filter to be used to evaluate packets transmitted on the interface. Inc. firewall filters configured for the family ccc statement can be applied only as input filters. You can specify up to 16 firewall filters for the filter input list.Junos OS 11. .

Doing so ensures that the filter is automatically inherited on every loopback interface. you can use a standard stateless firewall filter that specifies which protocols and services. The loopback interface carries local packets only. Applying this type of filter to the loopback interface ensures that the local packets are from a trusted source and protects the processes running on the Routing Engine from an external attack. Juniper Networks. you can configure one physical loopback interface. you include the apply-groups statement. which are also called denial-of-service (DoS) attacks. Copyright © 2011. including lo0 and other loopback interfaces. it is important to apply a filter to it so the Routing Engine is protected. which runs and monitors all the control protocols. To protect the processes and resources owned by the Routing Engine. • Applying the appropriate firewall filters to the Routing Engine protects against these types of attacks. lo0. A router without this kind of protection is vulnerable to TCP and ICMP flood attacks. For example: • A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests. The loopback interface is the interface to the Routing Engine. Standard firewall filters applied to the loopback interface affect the local packets destined for or transmitted from the Routing Engine. NOTE: When you create an additional loopback interface. We recommend that when you apply a filter to the loopback interface. and one or more addresses on the interface. Trusted Sources The typical use of a standard stateless firewall filter is to protect the Routing Engine processes and resources from malicious or untrusted packets.Chapter 2: Standard Firewall Filter Overview Understanding How to Use Standard Firewall Filters This topic covers the following information: • • Using Standard Firewall Filters to Affect Local Packets on page 29 Using Standard Firewall Filters to Affect Data Packets on page 30 Using Standard Firewall Filters to Affect Local Packets On a router. Inc. are allowed to reach the Routing Engine. or applications. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic. also resulting in denial of service. 29 . Flood Prevention You can create standard stateless firewall filters that limit certain TCP and ICMP traffic destined for the Routing Engine. resulting in denial of service.

you can apply firewall filters router transit interfaces . To protect the network as a whole from unauthorized access and other threats at specific interfaces.4 Firewall Filter and Policer Configuration Guide Using Standard Firewall Filters to Affect Data Packets Standard firewall filters that you apply to your router’s transit interfaces evaluate only the user data packets that transit the router from one interface directly to another as they are being forwarded from a source to a destination. . Juniper Networks. Inc. Related Documentation • • • How Standard Firewall Filters Evaluate Packets on page 20 Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Applying Standard Firewall Filters on page 26 30 Copyright © 2011.Junos OS 11.

535. a match occurs for source ports values from 1024 through 65. In the following example. a match occurs if the packet source port number is 25: [edit firewall family inet filter filter1 term term1 from] user@host# set source-port 25 Matching on a Range of Numeric Values You can specify a firewall filter match condition based on whether a particular packet field value falls within a specified range of numeric values. inclusive: [edit firewall family inet filter filter2 term term1 from] user@host# set source-port 1024-65535 Copyright © 2011.CHAPTER 3 Standard Firewall Filter Match Conditions Overview • • • • Firewall Filter Match Conditions Based on Numbers or Text Aliases on page 31 Firewall Filter Match Conditions Based on Bit-Field Values on page 32 Firewall Filter Match Conditions Based on Address Fields on page 37 Firewall Filter Match Conditions Based on Address Classes on page 45 Firewall Filter Match Conditions Based on Numbers or Text Aliases This topic covers the following information: • • • • Matching on a Single Numeric Value on page 31 Matching on a Range of Numeric Values on page 31 Matching on a Text Alias for a Numeric Value on page 32 Matching on a List of Numeric Values or Text Aliases on page 32 Matching on a Single Numeric Value You can specify a firewall filter match condition based on whether a particular packet field value is a specified numeric value. In the following example. 31 . Juniper Networks. Inc.

[edit firewall family inet filter filter3 term term1 from] user@host# set source-port [ smtp ftp-data 25 1024-65535 ] Related Documentation • • • • Guidelines for Configuring Standard Firewall Filters on page 21 Firewall Filter Match Conditions Based on Bit-Field Values on page 32 Firewall Filter Match Conditions Based on Address Fields on page 37 Firewall Filter Match Conditions Based on Address Classes on page 45 Firewall Filter Match Conditions Based on Bit-Field Values • • • • • • • • • Match Conditions for Bit-Field Values on page 32 Match Conditions for Common Bit-Field Values or Combinations on page 33 Logical Operators for Bit-Field Values on page 34 Matching on a Single Bit-Field Value or Text Alias on page 35 Matching on Multiple Bit-Field Values or Text Aliases on page 35 Matching on a Negated Bit-Field Value on page 36 Matching on the Logical OR of Two Bit-Field Values on page 36 Matching on the Logical AND of Two Bit-Field Values on page 36 Grouping Bit-Field Match Conditions on page 36 Match Conditions for Bit-Field Values Table 8 on page 33 lists the firewall filter match conditions that are based on whether certain bit fields in a packet are set or not set. 32 Copyright © 2011. the text aliassmtp corresponds to the numeric value 25. The second and third columns list the types of traffic for which the match condition is supported. 25. In the following example. a match occurs if the packet source port number is any of the following values: 20 (which corresponds to the text aliases ftp-data). . Juniper Networks. a match occurs if the packet source port number is 25. or any value from 1024 through 65535. For the source-port and destination-port match conditions.4 Firewall Filter and Policer Configuration Guide Matching on a Text Alias for a Numeric Value You can specify a firewall filter match condition based on whether a particular packet field value is a numeric value that you specify by using a text string as an alias for the numeric value. In the following example. Inc.Junos OS 11. [edit firewall family inet filter filter3 term term1 from] user@host# set source-port smtp Matching on a List of Numeric Values or Text Aliases You can specify a firewall filter match condition based on whether a particular packet field value matches any one of multiple numeric values or text aliases that you specify within square brackets and delimited by spaces.

In the previous example. You can use text synonyms to specify some common bit-field matches. 33 . Juniper Networks. select the synonym from the appropriate list. Hexadecimal values or text aliases for the low-order 6 bits of the 8-bit TCP flags field in the TCP header. you can specify tcp-initial as the same match condition. If you are using the CLI.Chapter 3: Standard Firewall Filter Match Conditions Overview Table 8: Binary and Bit-Field Match Conditions for Firewall Filters Protocol Families for Standard Stateless Firewall Filters family inet Bit-Field Match Condition fragment-flags flags Match Values Hexadecimal values or text aliases for the three-bit IP fragmentation flags field in the IP header. use the first-fragment match condition. ProtocolFamilies for Service Filters family inet fragment-offset value family inet family inet tcp-flags value † family inet family inet6 family vpls family bridge family inet family inet6 † The Junos OS does not automatically check the first fragment bit when matching TCP flags for IPv4 traffic. NOTE: Some of the numeric range and bit-field match conditions allow you to specify a text synonym. Match Conditions for Common Bit-Field Values or Combinations Table 9 on page 34 describes firewall filter match conditions that are based on whether certain commonly used values or combinations of bit fields in a packet are set or not set. To check the first fragment bit for IPv4 traffic only. Inc. type a question mark (?) after the from statement. For a complete list of synonyms: • If you are using the J-Web interface. • Copyright © 2011. Hexadecimal values or text aliases for the 13-bit fragment offset field in the IP header.

2 ! match-condition 3 match-condition-1 & match-condition-2 or match-condition-1 + match-condition-2 34 Copyright © 2011. Logical AND—A match occurs if both match conditions are true. Juniper Networks. from highest precedence to lowest precedence. Alias for the bit-field match condition tcp-flags "(ack | rst)". meaning that the operations are processed from left to right. Table 10: Bit-Field Logical Operators Precedence Order 1 Bit-Field Logical Operator (complex-match-condition) Description Grouping—The complex match condition is evaluated before any operators outside the parentheses are applied. Inc. ProtocolFamilies for Service Filters family inet is-fragment family inet family inet tcp-established family inet family inet6 — tcp-initial family inet family inet6 — Logical Operators for Bit-Field Values Table 10 on page 34 lists the logical operators you can apply to single bit-field values when specifying stateless firewall filter match conditions. Text alias for the bit-field match condition fragment-offset 0 except. The operators are listed in order. Operations are left-associative. which indicates the first packet of a TCP connection. Alias for the bit-field match condition tcp-flags "(!ack & syn)". which indicates an established TCP session. but not an established TCP session. which indicates the first fragment of a fragmented packet.4 Firewall Filter and Policer Configuration Guide Table 9: Bit-Field Match Conditions for Common Combinations ProtocolFamilies for Standard Stateless Firewall Filters family inet Match Condition first-fragment Description Text alias for the bit-field match condition fragment-offset 0. Negation—A match occurs if the match condition is false. but not the first packet of a TCP connection.Junos OS 11. which indicates a trailing fragment of a fragmented packet. .

Inc. you can specify a decimal value. • Numeric value to specify a single bit—You can specify a single bit-field match condition by using a numeric value that has one bit set. In the following example. specify the number with the prefix b. you can specify firewall filter match conditions based on whether a particular bit in the packet field is set or not set. To specify a binary value. match-condition-2 Matching on a Single Bit-Field Value or Text Alias For the fragment-flags and tcp-flags bit-match conditions. specifies that a match occurs on TCP packets other than the first packet of a connection: [edit firewall family inet filter reset_or_not_initial_packet term term6 from] Copyright © 2011. • Numeric values to specify multiple set bits—When you specify a numeric value whose binary representation has more than one set bit. Depending on the match condition. 35 . You specify these matches as a single keyword.Chapter 3: Standard Firewall Filter Match Conditions Overview Table 10: Bit-Field Logical Operators (continued) Precedence Order 4 Bit-Field Logical Operator match-condition-1 | match-condition-2 Description Logical OR—A match occurs if either match condition is true. In the following example. In the following example. or a hexadecimal value. the value is treated as a logical AND of the set bits. specify the number with the prefix 0x. a match occurs if the RST bit in the TCP flags field is set: [edit firewall family inet filter filter_tcp_rst_number term term1 from] user@host# set tcp-flags 0x04 • Text alias to specify a single bit—You generally specify a single bit-field match condition by using a text alias enclosed in double-quotation marks (“ ”). the two match conditions are the same. In the following example. a binary value. Juniper Networks. a match occurs if the RST bit in the TCP flags field is set: [edit firewall family inet filter filter_tcp_rst_alias term term1 from] user@host# set tcp-flags “rst” Matching on Multiple Bit-Field Values or Text Aliases You can specify a firewall filter match condition based on whether a particular set of bits in a packet field are set. To specify a hexadecimal value. which is an alias for “(ack | rst)”. the tcp-established condition. or match-condition-1 . A match occurs if either bit 0x01 or 0x02 is not set: [edit firewall family inet filter reset_or_not_initial_packet term term5 from] user@host# set tcp-flags “!0x3” user@host# set tcp-flags “!(0x01 & 0x02)” • Text aliases that specify common bit-field matches—You can use text aliases to specify some common bit-field matches.

Related Documentation • Guidelines for Configuring Standard Firewall Filters on page 21 36 Copyright © 2011. a match occurs if the packet is a TCP reset or if the packet is not the initial packet in the TCP session: [edit firewall family inet filter reset_or_not_initial_packet term term4 from] user@host# set tcp-flags “!(syn & !ack) | rst” In a TCP session. . either the SYN flag is not set or the ACK flag is set. the SYN flag is set only in the initial packet sent. Inc. a match occurs if the packet is not the initial packet in a TCP session: [edit firewall family inet filter not_initial_packet term term3 from] user@host# set tcp-flags "!syn | ack" In a TCP session.Junos OS 11. a match occurs if the RST bit in the TCP flags field is not set: [edit firewall family inet filter filter_tcp_rst term term1 from] user@host# set tcp-flags “!rst” Matching on the Logical OR of Two Bit-Field Values You can use the logical OR operator (| or .) to specify that a match occurs if a bit field matches either of two bit-field values specified. In the following example. the SYN flag is set and the ACK flag is not set. while the ACK flag is set in all packets sent after the initial packet. while the ACK flag is set in all packets sent after the initial packet. the SYN flag is set only in the initial packet sent. In the following example. In the following example. the SYN flag is set only in the initial packet sent. a match occurs if the packet is the initial packet in a TCP session: [edit firewall family inet filter initial_packet term term2 from] user@host# set tcp-flags “syn & !ack” In a TCP session. In the following example. Grouping Bit-Field Match Conditions You can use the logical grouping notation to specify that the complex match condition inside the parentheses is evaluated before any operators outside the parentheses are applied. while the ACK flag is set in all packets sent after the initial packet. Juniper Networks. In a packet that is not the initial packet in a TCP session. the SYN flag is not set and the ACK field is set. In a packet that is not the initial packet in a TCP session.4 Firewall Filter and Policer Configuration Guide user@host# set tcp-established Matching on a Negated Bit-Field Value To negate a match. Matching on the Logical AND of Two Bit-Field Values You can use the logical AND operator (& or +) to specify that a match occurs if a bit field matches both of two bit-field values specified. In a packet that is an initial packet in a TCP session. precede the value with an exclamation point.

• Implied Match on the ’0/0 except’ Address for Firewall Filter Match Conditions Based on Address Fields on page 37 Matching an Address Field to a Subnet Mask or Prefix on page 37 Matching an Address Field to an Excluded Value on page 38 Matching Either IP Address Field to a Single Value on page 42 Matching an Address Field to Noncontiguous Prefixes on page 42 Matching an Address Field to a Prefix List on page 44 • • • • • Implied Match on the ’0/0 except’ Address for Firewall Filter Match Conditions Based on Address Fields Every firewall filter match condition based on a set of addresses or address prefixes is associated with an implicit match on the address 0.0.0/8: [edit firewall family inet filter filter_on_dst_addr term term1 from] user@host# set destination-address 10. you can specify a subnet mask value rather than a prefix length.0. IPv4 Subnet Mask Notation For an IPv4 address. Matching an Address Field to a Subnet Mask or Prefix You can specify a single match condition to match a source address or destination address that falls within a specified address prefix.0/8 Copyright © 2011.0.0. a match occurs if a destination address matches the prefix 10.0. use the notation prefix/prefix-length.10/255.255 Prefix Notation To specify the address prefix. For example: [edit firewall family inet filter filter_on_dst_addr term term3 from] user@host# set address 10. 37 .0. Juniper Networks. Inc. In the following example.0/0 except (for IPv4 or VPLS traffic) or 0:0:0:0:0:0:0:0/0 except (for IPv6 traffic).0.0.Chapter 3: Standard Firewall Filter Match Conditions Overview • • • Firewall Filter Match Conditions Based on Numbers or Text Aliases on page 31 Firewall Filter Match Conditions Based on Address Fields on page 37 Firewall Filter Match Conditions Based on Address Classes on page 45 Firewall Filter Match Conditions Based on Address Fields You can configure firewall filter match conditions that evaluate packet address fields—IPv4 source and destination addresses. IPv6 source and destination addresses.0. or media access control (MAC) source and destination addresses—against specified addresses or prefix values. As a result.0. any packet whose specified address field does not match any of the specified addresses or address prefixes fails to match the entire term.

. The following example illustrates the default prefix value: [edit firewall family vpls filter filter_on_dst_mac_addr term term1 from] user@host# set destination-mac-address 01:00:0c:cc:cc:cd user@host# show destination-address { 01:00:0c:cc:cc:cd/48. The following example illustrates the default prefix value: [edit firewall family inet6 filter filter_on_dst_addr term term1 from] user@host# set destination-address ::10 user@host# show destination-address { ::10/128.0. the prefix length defaults to /48. or Layer 2 bridging packet. } Matching an Address Field to an Excluded Value For the address-field match conditions.0. you can include the except keyword to specify that a match occurs for an address field that does not match the specified address or prefix.Junos OS 11. the prefix length defaults to /32. the prefix length defaults to /128. } Default Prefix Length for MAC Addresses If you do not specify /prefix-length for a media access control (MAC) address of a VPLS. } Default Prefix Length for IPv6 Addresses If you do not specify /prefix-length for an IPv6 address.4 Firewall Filter and Policer Configuration Guide Default Prefix Length for IPv4 Addresses If you do not specify /prefix-length for an IPv4 address. Juniper Networks. Excluding IP Addresses in IPv4 or IPv6 Traffic For the following IPv4 and IPv6 match conditions. The following example illustrates the default prefix value: [edit firewall family inet filter filter_on_dst_addr term term2 from] user@host# set destination-address 10 user@host# show destination-address { 10.0/32. Inc. 38 Copyright © 2011. • source-address address except—A match occurs if the source IP address does not match the specified address or prefix. you can include the except keyword to specify that a match occurs for an IP address field that does not match the specified IP address or prefix: • address address except—A match occurs if either the source IP address or the destination IP address does not match the specified address or prefix. Layer 2 CCC.

you can include the except keyword to specify that a match occurs for an IP address field that does not match the specified IP address or prefix: • ip-address address except—A match occurs if either the source IP address or the destination IP address does not match the specified address or prefix. a match occurs for any IPv4 destination addresses that fall under the 192.0/24 except user@host# show destination-address { 0.0/0 user@host# set destination-address 10. 39 . a match occurs for any IPv4 destination address that does not fall within the prefix 10.1.0. } In the following example.168.0/16 except.10.10.1.Chapter 3: Standard Firewall Filter Match Conditions Overview • destination-address address except—A match occurs if the destination IP address does not match the specified address or prefix.0/24 except. except for addresses that fall under 192.0. • source-ip-address address except—A match occurs if the source IP address does not match the specified address or prefix.1. } Excluding IP Addresses in VPLS or Layer 2 Bridging Traffic For the following VPLS and Layer 2 bridging match conditions on MX Series routers only.1.168. All other addresses implicitly do not match this condition.168.0/8 prefix.0/0.1. 192. Copyright © 2011. In the following example. 10.1.0/16 except user@host# set 192.168.0.0.0/8 user@host# show destination-address { 192.0/8.0. Inc.0.168.10.0. Juniper Networks.168.0/16. [edit firewall family inet filter filter_on_dst_addr term term1 from] user@host# set 192. • destination-ip-address address except—A match occurs if the destination IP address does not match the specified address or prefix.0/24: [edit firewall family inet filter filter_on_dst_addr term term24 from] user@host# set destination-address 0.

2.1.0.1. . Excluding All Addresses Requires an Explicit Match on the ’0/0’ Address If you specify a firewall filter match condition that consists of one or more address-exception match conditions (address match conditions that use the except keyword) but no matchable address match conditions. include an explicit match of 0/0 so that the term contain a matchable address. } } } } } Excluding MAC Addresses in VPLS or Layer 2 Bridging Traffic For the following VPLS or Layer 2 bridging traffic match conditions. To configure a firewall filter term of address-exception match conditions to match any address that is not in the prefix list.0/255. 55. the from-trusted-addresses term fails to discard matching traffic. a match occurs if the source IP address falls within the exception range of 55.255. • destination-mac-address address except—A match occurs if either the destination MAC address does not match the specified address or prefix.4 Firewall Filter and Policer Configuration Guide In the following example for filtering VPLS traffic on an MX Series router. you can include the except keyword to specify that a match occurs for a MAC address field that does not match the specified MAC address or prefix: • source-mac-address address except—A match occurs if the source MAC address does not match the specified address or prefix.168.Junos OS 11. Juniper Networks.0/255.1.0.0.122. } 40 Copyright © 2011. For the following example firewall filter for IPv4 traffic. packets that do not match any of the configured prefixes fails the overall match operation.0/8: [edit] firewall { family vpls { filter fvpls { term 1 { from { ip-address { 55.0.0 and the destination IP address matches 55. } } then { count from-55/8.0/24. discard. Inc.255. and the INTRUDERS-COUNT counter is missing from the output of the show firewall operational mode command: [edit] user@host# show policy-options prefix-list TRUSTED-ADDRESSES { 10. 192.0.0/24.0/8.0.0.0 except.0.

} protocol icmp. } With the addition of the 0. TRUSTED-ADDRESSES except. 41 .0. } } term all { then accept.0. and the INTRUDERS-COUNT counter displays in the output of the show firewall operational mode command: [edit] user@host# run show firewall Filter: protect-RE Counters: Name Bytes Packets Copyright © 2011.0/0 source prefix address to the match condition. include an explicit match of 0/0 in the set of match conditions: [edit firewall family inet filter protect-RE] user@host# show term from-trusted-addresses from { source-prefix-list { 0. } protocol icmp.0/0. Inc. the from-trusted-addresses term discards matching traffic. } then { count VALID-COUNT. Juniper Networks.0. accept. discard. } } term other-icmp { from { protocol icmp. } [edit] user@host# run show firewall Filter: protect-RE Counters: Name VALID-COUNT Filter: __default_bpdu_filter__ Bytes 2770 Packets 70 To cause a filter term of address-exception match conditions to match any address that is not in the prefix list. } then { count INTRUDERS-COUNT.0.Chapter 3: Standard Firewall Filter Match Conditions Overview [edit firewall family inet filter protect-RE] user@host# show term from-trusted-addresses { from { source-prefix-list { TRUSTED-ADDRESSES except.

Instead of creating separate filter terms that specify the same address for the source-address and destination-address match conditions. Matching Either IP Address Field in IPv4 or IPv6 Traffic For IPv4 or IPv6 traffic. A match occurs if either the source IP address or the destination IP address matches the specified address or prefix. Inc.4 Firewall Filter and Policer Configuration Guide VALID-COUNT INTRUDERS-COUNT Filter: __default_bpdu_filter__ 2770 420 70 5 Matching Either IP Address Field to a Single Value For IPv4 and IPv6 traffic and for VPLS and Layer 2 bridging traffic on MX Series routers only. a match occurs if both the source IP address and the destination IP address match the specified value before the exception applies. you cannot also specify the ip-address match condition.Junos OS 11. the prefixes under the source-address or destination-address match condition do not need to be adjacent or neighboring to one another. Juniper Networks.0. In a firewall filter term that specifies either the source-address or the destination-address match condition. The prefixes do not need to be contiguous. A match occurs if either the source IP address or the destination IP address matches the specified address or prefix. Matching Either IP Address Field in VPLS or Layer 2 Bridging Traffic For VPLS or Layer 2 bridging traffic on MX Series routers only. That is.0. specify a single match condition to match the IP source or destination address field to any prefix specified. In the following example. a match occurs if a destination address matches either the 10. Matching an Address Field to Noncontiguous Prefixes For IPv4 traffic only. you can use a single match condition to match a single address or prefix value to either the source or destination IP address field. If you use the except keyword with the ip-address match condition.0.0/8 prefix or the 192. you can use a single match condition to specify the same address or prefix value as the match for either the source or destination IP address field. you can use a single match condition to specify the same address or prefix value as the match for either the source or destination IP address field. you use only the ip-address match condition.168. a match occurs if both the source IP address and the destination IP address match the specified value before the exception applies. If you use the except keyword with the address match condition. . In a firewall filter term that specifies either the source-ip-address or the destination-ip-address match condition. Instead of creating separate filter terms that specify the same address for the source-ip-address and destination-ip-address match conditions. you cannot also specify the address match condition.0/32 prefix: [edit firewall family inet filter filter_on_dst_addr term term5 from] 42 Copyright © 2011. you use only the address match condition.

which means that any prefix that does not match any prefix included in the match condition is explicitly considered not to match.168. it matches the implicit 0.0.16. an explicit mismatch occurs.16. } The order in which you specify the prefixes within the match condition is not significant.168.3—This address does not match any of the prefixes included in the source-address condition.0.0.2.254. Because the prefixes are order-independent and use longest-match rules.0/0 except at the end of the list of prefixes configured under the source-address match condition.1. # ignored } Within the source-address match condition.3.0.2—This address matches the 172. The 172.16.0.16.3.2. if there is one.3.0/10—both are the same type.0.0.2.0/32 user@host# show destination-address { destination-address 10. Suppose the following source IP address are evaluated by this firewall filter: • Source IP address 172. longer prefixes subsume shorter ones as long as they are the same type (whether you specify except or not).0/16 value is ignored because it falls under the address 172.16.16.Chapter 3: Standard Firewall Filter Match Conditions Overview user@host# set destination-address 10. and thus the action in the then statement is taken. 192.0/24 except.2—This address matches the 172.0.0/8 user@host# set destination-address 192. two addresses are ignored.2 except.0/10.1.0.0. Source IP address 10.2. The next term in the filter is evaluated.0.16. and is considered to be a mismatch.2.2. includes the except keyword).168.168. • • Copyright © 2011.0/32.192/26 except.1.0. Packets are evaluated against all the prefixes in the match condition to determine whether a match occurs.16.1.2 except value is ignored because it is subsumed by the implicit 0.0/8.2. longest-match rules are used to determine whether a match occurs. Source IP address 172. If there are no more terms. Instead.2. Because this prefix is negated (that is.16. # ignored 10.0/24.16. 172.168. This is because anything that would match the longer prefix would also match the shorter one.0/24 statement is ignored because it falls under the address 172. 43 . Inc. If prefixes overlap. Juniper Networks.0/10 prefix. the packet is discarded. 172. The 172. The 10. 192.16.0/10.1.0.0/24 prefix. which is the same type.0/0 except match value. destination-address 192. A match condition of noncontiguous prefixes includes an implicit 0/0 except statement. Consider the following example: [edit firewall family inet filter filter_on_src_addr term term1 from] source-address { 172.0. 192.0.

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

The 10.2.2.2 except statement is ignored because it is subsumed by the implicit 0.0.0.0/0 except statement at the end of the list of prefixes configured under the source-address match condition.

BEST PRACTICE: When a firewall filter term includes the from address address match condition and a subsequent term includes the from source-address address match condition for the same address, packets might be processed by the latter term before they are evaluated by any intervening terms. As a result, packets that should be rejected by the intervening terms might be accepted instead, or packets that should be accepted might be rejected instead. To prevent this from occurring, we recommend that you do the following. For every firewall filter term that contains the from address address match condition, replace that term with two separate terms: one that contains the from source-address address match condition, and another that contains the from destination-address address match condition.

Matching an Address Field to a Prefix List
You can define a list of IPv4 or IPv6 address prefixes for use in a routing policy statement or in a stateless firewall filter match condition that evaluates packet address fields. To define a list of IPv4 or IPv6 address prefixes, include the prefix-list prefix-list statement.
prefix-list name { ip-addresses; apply-path path; }

You can include the statement at the following hierarchy levels:
• •

[edit policy-options] [edit logical-systems logical-system-name policy-options]

After you have defined a prefix list, you can use it when specifying a firewall filter match condition based on an IPv4 or IPv6 address prefix.
[edit firewall family family-name filter filter-name term term-name] from { source-prefix-list { prefix-lists; } destination-prefix-list { prefix-lists; } }

Related Documentation

• •

Guidelines for Configuring Standard Firewall Filters on page 21 Firewall Filter Match Conditions Based on Numbers or Text Aliases on page 31

44

Copyright © 2011, Juniper Networks, Inc.

Chapter 3: Standard Firewall Filter Match Conditions Overview

• •

Firewall Filter Match Conditions Based on Bit-Field Values on page 32 Firewall Filter Match Conditions Based on Address Classes on page 45

Firewall Filter Match Conditions Based on Address Classes
For IPv4 and IPv6 traffic only, you can use class-based firewall filter conditions to match packet fields based on source class or destination class.
• • •

Source-Class Usage on page 45 Destination-Class Usage on page 45 Guidelines for Applying SCU or DCU Firewall Filters to Output Interfaces on page 45

Source-Class Usage
A source class is a set of source prefixes grouped together and given a class name. To configure a firewall filter term that matches an IP source address field to one or more source classes, use the source-class class-name match condition under the [edit firewall family (inet | inet6) filter filter-name term term-name from] hierarchy level. Source-class usage (SCU) enables you to monitor the amount of traffic originating from a specific prefix. With this feature, usage can be tracked and customers can be billed for the traffic they receive.

Destination-Class Usage
A destination class is a set of destination prefixes grouped together and given a class name. To configure a firewall filter term that matches an IP destination address field to one or more destination classes, use the destination-class class-name match condition at the [edit firewall family (inet | inet6) filter filter-name term term-name from] hierarchy level. Destination-class usage (DCU) enables you can track how much traffic is sent to a specific prefix in the core of the network originating from one of the specified interfaces. Note, however, that DCU limits your ability to keep track of traffic moving in the reverse direction. It can account for all traffic that arrives on a core interface and heads toward a specific customer, but it cannot count traffic that arrives on a core interface from a specific prefix.

Guidelines for Applying SCU or DCU Firewall Filters to Output Interfaces
When applying a SCU or DCU firewall filter to an interface, keep the following guidelines in mind:

Output interfaces—Class-based firewall filter match conditions work only for firewall filters that you apply to output interfaces. This is because the SCU and DCU are determined after route lookup occurs.

Copyright © 2011, Juniper Networks, Inc.

45

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Input interfaces—Although you can specify a source class and destination class for an input firewall filter, the counters are incremented only if the firewall filter is applied on the output interface. Output interfaces for tunnel traffic—SCU and DCU are not supported on the interfaces you configure as the output interface for tunnel traffic for transit packets exiting the router through the tunnel. Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Match Conditions for IPv4 Traffic on page 48 Standard Firewall Filter Match Conditions for IPv6 Traffic on page 57
Junos OS Source Class Usage Feature Guide

Related Documentation

• • • • • • •

Firewall Filter Match Conditions Based on Numbers or Text Aliases on page 31 Firewall Filter Match Conditions Based on Bit-Field Values on page 32 Firewall Filter Match Conditions Based on Address Fields on page 37

46

Copyright © 2011, Juniper Networks, Inc.

CHAPTER 4

Standard Firewall Filter Match Conditions and Actions
• • • • • • • • • •

Standard Firewall Filter Match Conditions for Protocol-Independent Traffic on page 47 Standard Firewall Filter Match Conditions for IPv4 Traffic on page 48 Standard Firewall Filter Match Conditions for IPv6 Traffic on page 57 Standard Firewall Filter Match Conditions for MPLS Traffic on page 62 Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic on page 64 Standard Firewall Filter Match Conditions for VPLS Traffic on page 66 Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic on page 73 Standard Firewall Filter Match Conditions for Layer 2 Bridging Traffic on page 75 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82

Standard Firewall Filter Match Conditions for Protocol-Independent Traffic
You can configure a standard stateless firewall filter with match conditions for protocol-independent traffic (family any).

NOTE: Protocol-independent standard firewall filters—firewall filters configured at the [edit firewall family any] hierarchy level— are not supported on the router loopback interface (lo0).

Table 11 on page 48 describes the match-conditions you can configure at the [edit firewall family any filter filter-name term term-name from] hierarchy level.

Copyright © 2011, Juniper Networks, Inc.

47

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Table 11: Standard Firewall Filter Match Conditions for Protocol-Independent Traffic
Match Condition
forwarding-class class

Description
Match the forwarding class of the packet. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. For information about forwarding classes and router-internal output queues, see the Junos OS Class of Service Configuration Guide.

forwarding-class-except class interface interface-name

Do not match on the forwarding class. For details, see the forwarding-class match condition.

Match the interface on which the packet was received. NOTE: If you configure this match condition with an interface that does not exist, the term does not match any packet.

interface-set interface-set-name

Match the interface on which the packet was received to the specified interface set. To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level. For more information, see “Filtering Packets Received on an Interface Set Overview” on page 192.

packet-length bytes

Match the length of the received packet, in bytes. The length refers only to the IP packet, including the packet header, and does not include any Layer 2 encapsulation overhead. Do not match on the received packet length, in bytes. For details, see the packet-length match type.

packet-length-except bytes

Related Documentation

• • •

Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82

Standard Firewall Filter Match Conditions for IPv4 Traffic
You can configure a standard stateless firewall filter with match conditions for Internet Protocol version 4 (IPv4) traffic (family inet). Table 12 on page 48 describes the match-conditions you can configure at the [edit firewall family inet filter filter-name term term-name from] hierarchy level.

Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic
Match Condition
address address address address except ah-spi spi-value

Description
Match the IPv4 source or destination address field. Do not match the IPv4 source or destination address field. (M Series routers, except M120 and M320) Match the IPsec authentication header (AH) security parameter index (SPI) value.

48

Copyright © 2011, Juniper Networks, Inc.

Chapter 4: Standard Firewall Filter Match Conditions and Actions

Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued)
Match Condition
ah-spi-except spi-value destination-address address

Description
(M Series routers, except M120 and M320) Do not match the IPsec AH SPI value. Match the IPv4 destination address field. You cannot specify both the address and destination-address match conditions in the same term.

destination-address address except destination-class class-names

Do not match the IPv4 destination address field. For more information, see the destination-address field. Match one or more specified destination class names (sets of destination prefixes grouped together and given a class name). For more information, see “Firewall Filter Match Conditions Based on Address Classes” on page 45. Do not match one or more specified destination class names. For details, see the destination-class match condition. Match the UDP or TCP destination port field. You cannot specify both the port and destination-port match conditions in the same term. If you configure this match condition, we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

destination-class-except class-names destination-port number

destination-port-except number destination-prefix-list name

Do not match the UDP or TCP destination port field. For details, see the destination-port match condition. Match destination prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. Do not match destination prefixes in the specified list. For more information, see the destination-prefix-list match condition.

destination-prefix-list name except

Copyright © 2011, Juniper Networks, Inc.

49

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued)
Match Condition
dscp number

Description
Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see the Junos OS Class of Service Configuration Guide. You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
• •

RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46). RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:
• • • •

af11 (10), af12 (12), af13 (14) af21 (18), af22 (20), af23 (22) af31 (26), af32 (28), af33 (30) af41 (34), af42 (36), af43 (38)

dscp-except number esp-spi spi-value

Do not match on the DSCP number. For more information, see the dscp match condition. Match the IPsec encapsulating security payload (ESP) SPI value. Match on this specific SPI value. You can specify the ESP SPI value in hexadecimal, binary, or decimal form. Match the IPsec ESP SPI value. Do not match on this specific SPI value. Match if the packet is the first fragment of a fragmented packet. Do not match if the packet is a trailing fragment of a fragmented packet. The first fragment of a fragmented packet has a fragment offset value of 0. This match condition is an alias for the bit-field match condition fragment-offset 0 match condition. To match both first and trailing fragments, you can use two terms that specify different match conditions: first-fragment and is-fragment.

esp-spi-except spi-value first-fragment

forwarding-class class

Match the forwarding class of the packet. Specify assured-forwarding, best-effort, expedited-forwarding, or network-control. For information about forwarding classes and router-internal output queues, see the Junos OS Class of Service Configuration Guide.

forwarding-class-except class fragment-flags number

Do not match the forwarding class of the packet. For details, see the forwarding-class match condition. (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).

50

Copyright © 2011, Juniper Networks, Inc.

Chapter 4: Standard Firewall Filter Match Conditions and Actions

Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued)
Match Condition
fragment-offset value

Description
Match the 13-bit fragment offset field in the IP header. The value is the offset, in 8-byte units, in the overall datagram message to the data fragment. Specify a numeric value, a range of values, or a set of values. An offset value of 0 indicates the first fragment of a fragmented packet. The first-fragment match condition is an alias for the fragment-offset 0 match condition. To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

fragment-offset-except number icmp-code number

Do not match the 13-bit fragment offset field.

Match the ICMP message code field. If you configure this match condition, we recommend that you also configure the protocol icmp match condition in the same term. If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
• •

parameter-problem: ip-header-bad (0), required-option-missing (1) redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2) time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0) unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)

• •

icmp-code-except message-code icmp-type number

Do not match the ICMP message code field. For details, see the icmp-code match condition.

Match the ICMP message type field. If you configure this match condition, we recommend that you also configure the protocol icmp match condition in the same term. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).

icmp-type-except message-type

Do not match the ICMP message type field. For details, see the icmp-type match condition.

Copyright © 2011, Juniper Networks, Inc.

51

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued)
Match Condition
interface interface-name

Description
Match the interface on which the packet was received. NOTE: If you configure this match condition with an interface that does not exist, the term does not match any packet.

interface-group group-number

Match the logical interface on which the packet was received to the specified interface group or set of interface groups. For group-number, specify a single value or a range of values from 0 through 255. To assign a logical interface to an interface group group-number, specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level. For more information, see “Filtering Packets Received on a Set of Interface Groups Overview” on page 185.

interface-group-except group-number interface-set interface-set-name

Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details, see the interface-group match condition. Match the interface on which the packet was received to the specified interface set. To define an interface set, include the interface-set statement at the [edit firewall] hierarchy level. For more information, see “Filtering Packets Received on an Interface Set Overview” on page 192.

52

Copyright © 2011, Juniper Networks, Inc.

Chapter 4: Standard Firewall Filter Match Conditions and Actions

Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued)
Match Condition
ip-options values

Description
Match the 8-bit IP option field, if present, to the specified value or list of values. In place of a numeric value, you can specify one of the following text synonyms (the option values are also listed): loose-source-route (131), record-route (7), router-alert (148), security (130), stream-id (136),strict-source-route (137), or timestamp (68). To match any value for the IP option, use the text synonym any. To match on multiple values, specify the list of values within square brackets ('[’ and ']’). To match a range of values, use the value specification [ value1-value2 ]. For example, the match condition ip-options [ 0-147 ] matches on an IP options field that contains the loose-source-route, record-route, or security values, or any other value from 0 through 147. However, this match condition does not match on an IP options field that contains only the router-alert value (148). For most interfaces, a filter term that specifies an ip-option match on one or more specific IP option values (a value other than any) causes packets to be sent to the Routing Engine so that the kernel can parse the IP option field in the packet header.

For a firewall filter term that specifies an ip-option match on one or more specific IP option values, you cannot specify the count, log, or syslog nonterminating actions unless you also specify the discard terminating action in the same term. This behavior prevents double-counting of packets for a filter applied to a transit interface on the router. Packets processed on the kernel might be dropped in case of a system bottleneck. To ensure that matched packets are instead sent to the Packet Forwarding Engine (where packet processing is implemented in hardware), use the ip-options any match condition.

The 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers are capable of parsing the IP option field of the IPv4 packet header. For interfaces configured on those MPCs, all packets that are matched using the ip-options match condition are sent to the Packet Forwarding Engine for processing.
ip-options-except values

Do not match the IP option field to the specified value or list of values. For details about specifying the values, see the ip-options match condition. Match if the packet is a trailing fragment of a fragmented packet. Do not match the first fragment of a fragmented packet. NOTE: To match both first and trailing fragments, you can use two terms that specify different match conditions (first-fragment and is-fragment).

is-fragment

Copyright © 2011, Juniper Networks, Inc.

53

Juniper Networks. If you configure this match condition. Do not match the prefixes of the source or destination address fields to the prefixes in the specified list. For information about the tri-color statement and for information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. medium-low. net-control (0xe0). see the Junos OS Class of Service Configuration Guide. you can only configure the high and low levels. we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. in bytes. MX Series. Match the IP precedence field. see the port match condition. see the loss-priority match condition. see the prefix-list match condition. or decimal form. You can specify precedence in hexadecimal. For details. prefix-list name except 54 Copyright © 2011. internet-control (0xc0). flash (0x60). The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0). . In place of the numeric field value. or high. and MX Series routers. in bytes. or routine (0x00). For details. immediate (0x40). Do not match the length of the received packet. packet-length-except bytes port number port-except number Do not match the UDP or TCP source or destination port field. binary.4 Firewall Filter and Policer Configuration Guide Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued) Match Condition loss-priority level Description Match the packet loss priority (PLP) level. M7i and M10i routers with the Enhanced CFEB (CFEB-E). If you configure this match condition. loss-priority-except level packet-length bytes Do not match the PLP level. For IP traffic on M320. medium-high.Junos OS 11. Match the length of the received packet. For details. you can specify one of the text synonyms listed under destination-port. The length refers only to the IP packet. flash-override (0x80). see the packet-length match type. you cannot configure the destination-port match condition or the source-port match condition in the same term. and does not include any Layer 2 encapsulation overhead. you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. Inc. Match the UDP or TCP source or destination port field. and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs). In place of the numeric value. precedence ip-precedence-field prefix-list name Match the prefixes of the source or destination address fields to the prefixes in the specified list. This applies to all protocol families. priority (0x20). If the tri-color statement is not enabled. Specify a single level or multiple levels: low. For more information. including the packet header. Supported on M120 and M320 routers.

ipv6 (41). Do not match source prefixes in the specified list. udp (17). Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. To check this. ipip (4). Inc. Match the IPv4 address of the source node sending the packet. Do not match one or more specified source class names. see the source-port match condition. dstopts (60). In place of the numeric value. You cannot specify the port and source-port match conditions in the same term. you can specify one of the text synonyms listed with the destination-port number match condition. This is an alias for tcp-flags "(ack | rst)". egp (8). sctp (132). igmp (2). icmp6 (58). Juniper Networks. hop-by-hop (0). Match source prefixes in the specified list. icmpv6 (58). Match a packet received from a filter where a service-filter-hit action was applied. Match TCP packets of an established TCP session (packets other than the first packet of a connection). For more information. see the source-prefix-list match condition. Match one or more specified source class names (sets of source prefixes grouped together and given a class name). you can specify one of the following text synonyms (the field values are also listed): ah (51). icmp (1). see “Firewall Filter Match Conditions Based on Address Classes” on page 45. pim (103). For details. Match the UDP or TCP source port field. see the source-class match condition. see the source-address match condition. You cannot specify both the address and source-address match conditions in the same term. For more information. 55 . For details. tcp (6). ospf (89). rsvp (46). In place of the numeric value. or vrrp (112). we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. esp (50). source-class-except class-names source-port number source-port-except number source-prefix-list name Do not match the UDP or TCP source port field. fragment (44). If you configure this match condition for IPv4 traffic. source-prefix-list name except tcp-established Copyright © 2011. gre (47). service-filter-hit source-address address source-address address except source-class class-names Do not match the IPv4 address of the source node sending the packet.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued) Match Condition protocol number Description Match the IP protocol type field. This match condition does not implicitly check that the protocol is TCP. For more information. specify the protocol tcp match condition.

Match the virtual local area network (VLAN) Ethernet type field of a VPLS packet.Junos OS 11. For number. If you configure this match condition. For details. This is an alias for tcp-flags "(!ack & syn)". You can string together multiple flags using the bit-field logical operators. M320. use the first-fragment match condition. . This match condition is supported only on M120. see the tcp-established and tcp-initial match conditions. MX Series. ttl number Match the IPv4 time-to-live number. Do not match the VLAN Ethernet type field of a VPLS packet.4 Firewall Filter and Policer Configuration Guide Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic (continued) Match Condition tcp-flags value Description Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. tcp-initial Match the initial packet of a TCP connection. you can specify one or more values from 0 through 255. This condition does not implicitly check that the protocol is TCP. see the ttl match condition. For IPv4 traffic only. this match condition does not implicitly check whether the datagram contains the first fragment of a fragmented packet. Specify a TTL value or a range of TTL values. while the ACK flag is set in all packets sent after the initial packet. To check for this condition for IPv4 traffic only. Juniper Networks. we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port. If you configure this match condition. Inc. To specify individual bit fields. ttl-except number vlan-ether-type value vlan-ether-type-except value Related Documentation • • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82 56 Copyright © 2011. the SYN flag is set only in the initial packet sent. you can specify the following text synonyms or hexadecimal values: • • • • • • fin (0x01) syn (0x02) rst (0x04) push (0x08) ack (0x10) urgent (0x20) In a TCP session. we recommend that you also configure the protocol tcp match condition in the same term. and T Series routers. Do not match on the IPv4 TTL number. For combined bit-field match conditions.

sunrpc (111). socks (1080). Do not match one or more specified destination class names. pptp (1723). kpasswd (761). see the destination-class match condition. Match the UDP or TCP destination port field. tacacs-ds (65). netbios-dgm (138). krbupdate (760). For more information. smtp (25). The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. biff (512). rkinit (2108). Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic Match Condition address address address address except destination-address address Description Match the IPv6 source or destination address field. who (513). exec (512). radius (1812). ntalk (518). we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. ident (113). talk (517). login (513). pop3 (110). krb-prop (754). mobileip-agent (434). domain (53). see the destination-port match condition. see “Firewall Filter Match Conditions Based on Address Classes” on page 45. Match the IPv6 destination address field. netbios-ssn (139). For more information. ssh (22). ldap (389). You cannot specify both the address and destination-address match conditions in the same term. ldp (646). Inc. 57 . Match one or more specified destination class names (sets of destination prefixes grouped together and given a class name). nntp (119). rip (520). snpp (444). ftp (21). bgp (179). printer (515). or xdmcp (177). cmd (514). Table 13 on page 57 describes the match-conditions you can configure at the [edit firewall family inet6 filter filter-name term term-name from] hierarchy level. Juniper Networks. finger (79). cvspserver (2401). For details. Do not match the IPv6 source or destination address field. see the destination-address field. snmptrap (162). If you configure this match condition.Chapter 4: Standard Firewall Filter Match Conditions and Actions Standard Firewall Filter Match Conditions for IPv6 Traffic You can configure a standard stateless firewall filter with match conditions for Internet Protocol version 6 (IPv6) traffic (family inet6). In place of the numeric value. msdp (639). eklogin (2105). dhcp (67). ekshell (2106). Match the prefix of the IPv6 destination address field. snmp (161). destination-class-except class-names destination-port number destination-port-except number destination-prefix-list prefix-list-name Do not match the UDP or TCP destination port field. you can specify one of the following text synonyms (the port numbers are also listed): afs (1483). netbios-ns (137). For details. nfsd (2049). kerberos-sec (88). https (443). bootps (67). ntp (123). imap (143). timed (525). kshell (544). tacacs (49). syslog (514). Copyright © 2011. telnet (23). bootpc (68). You cannot specify both the port and destination-port match conditions in the same term. radacct (1813). tftp (69). klogin (543). ftp-data (20). mobilip-mn (435). http (80). destination-address address except destination-class class-names Do not match the IPv6 destination address field.

router-advertisement (134). Specify assured-forwarding. unrecognized-option (2) time-exceeded: ttl-eq-zero-during-reassembly (1). best-effort. For details. Juniper Networks. you can specify one of the following text synonyms (the field values are also listed). or time-exceeded (3). we recommend that you also configure the next-header icmpv6 match condition in the same term. see the forwarding-class match condition. parameter-problem (4). For more information.Junos OS 11. and SRX650 devices only. icmp-type-except message-type Do not match the ICMP message type field. For details. see the destination-prefix-list match condition. port-unreachable (4) • • NOTE: For IPv6. SRX210. and SRX650 devices only. NOTE: For IPv6. Match the forwarding class of the packet. router-renumbering (138). we recommend that you also configure the next-header icmpv6 match condition in the same term. applies to SRX100. icmp-code-except message-code icmp-type message-type Do not match the ICMP message code field. 58 Copyright © 2011. but the meaning of an ICMP message code is dependent on the associated ICMP message type. membership-report (131). redirect (137). you must also configure the icmp-type message-type match condition in the same term. ttl-eq-zero-during-transit (0) destination-unreachable: administratively-prohibited (1). expedited-forwarding. For information about forwarding classes and router-internal output queues. packet-too-big (2). see the icmp-code match condition. or network-control. neighbor-solicit (135). neighbor-advertisement (136). If you configure this match condition. see the Junos OS Class of Service Configuration Guide. In place of the numeric value. Inc. Match the ICMP message type field. unrecognized-next-header (1). node-information-request (139). you can specify one of the following text synonyms (the field values are also listed): destination-unreachable (1). echo-request (128). forwarding-class-except class icmp-code message-code Do not match the forwarding class of the packet. SRX210. address-unreachable (3). applies to SRX100. SRX240. Match the ICMP message code field. In place of the numeric value. If you configure this match condition. The keywords are grouped by the ICMP type with which they are associated: • parameter-problem: ip6-header-bad (0). echo-reply (129). membership-query (130). no-route-to-destination (0). see the icmp-type match condition. router-solicit (133). node-information-reply (140). An ICMP message code provides more specific information than an ICMP message type. . membership-termination (132). If you configure this match condition. For details.4 Firewall Filter and Policer Configuration Guide Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic (continued) Match Condition destination-prefix-list prefix-list-name except forwarding-class class Description Do not match the prefix of the IPv6 destination address field. SRX240.

To assign a logical interface to an interface group group-number. SRX240. ospf (89). ipip (4). see “Filtering Packets Received on an Interface Set Overview” on page 192. Inc. Match the interface on which the packet was received to the specified interface set. NOTE: If you configure this match condition with an interface that does not exist. interface-group group-number Match the logical interface on which the packet was received to the specified interface group or set of interface groups. medium-low. sctp (132). specify a single value or a range of values from 0 through 255. gre (47). you can only configure the high and low levels. dstops (60). For details. Match the 8-bit IP protocol field that identifies the type of header immediately following the IPv6 header. applies to SRX100. no-next-header (59). For group-number. MX Series. esp (50). or vrrp (112). ipv6 (41). you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic (continued) Match Condition interface interface-name Description Match the interface on which the packet was received. see the interface-group match condition. Copyright © 2011. For information about the tri-color statement and for information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. To define an interface set. loss-priority level Match the packet loss priority (PLP) level. tcp (6). For details. rsvp (46). loss-priority-except level next-header header-type Do not match the PLP level. SRX210. Specify a single level or multiple levels: low. pim (103). igmp (2). M7i and M10i routers with the Enhanced CFEB (CFEB-E). In place of the numeric value. the term does not match any packet. For more information. For IP traffic on M320. NOTE: For IPv6. and SRX650 devices only. and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs). see the loss-priority match condition. Juniper Networks. include the interface-set statement at the [edit firewall] hierarchy level. and MX Series routers. 59 . For more information. If the tri-color statement is not enabled. you can specify one of the following text synonyms (the field values are also listed): ah (51). see the Junos OS Class of Service Configuration Guide. routing (43). udp (17). interface-group-except group-number interface-set interface-set-name Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. This applies to all protocol families. medium-high. see “Filtering Packets Received on a Set of Interface Groups Overview” on page 185. egp (8). specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level. fragment (44). icmpv6 (58). hop-by-hop (0). or high. icmp (1). Supported on M120 and M320 routers.

If you configure this match condition. see the next-header match type. If you configure this match condition. For more information. SRX210. SRX240. SRX210. see the port match condition. packet-length-except bytes Do not match the length of the received packet. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. For more information.Junos OS 11. Match a packet received from a filter where a service-filter-hit action was applied. For details. we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. see the prefix-list match condition. you cannot configure the destination-port match condition or the source-port match condition in the same term. Match the UDP or TCP source or destination port field. You cannot specify both the address and source-address match conditions in the same term. see “Firewall Filter Match Conditions Based on Address Classes” on page 45. see the source-address match condition. NOTE: For IPv6. Inc. For more information. For details. Juniper Networks. In place of the numeric value. Match the prefixes of the source or destination address fields to the prefixes in the specified list. Match the length of the received packet. Match one or more specified source class names (sets of source prefixes grouped together and given a class name). For details. NOTE: For IPv6. in bytes. see the packet-length match type. For details. Do not match one or more specified source class names. and SRX650 devices only.4 Firewall Filter and Policer Configuration Guide Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic (continued) Match Condition next-header-except header-type packet-length bytes Description Do not match the 8-bit IP protocol field that identifies the type of header immediately following the IPv6 header. and SRX650 devices only. SRX240. Do not match the prefixes of the source or destination address fields to the prefixes in the specified list. port number port-except number Do not match the UDP or TCP source or destination port field. The length refers only to the IP packet. in bytes. and does not include any Layer 2 encapsulation overhead. including the packet header. prefix-list prefix-list-name prefix-list prefix-list-name except service-filter-hit source-address address source-address address except source-class class-names Do not match the IPv6 address of the source node sending the packet. source-class-except class-names 60 Copyright © 2011. . applies to SRX100. Match the IPv6 address of the source node sending the packet. you can specify one of the text synonyms listed under destination-port. applies to SRX100. see the source-class match condition.

the SYN flag is set only in the initial packet sent. Inc. source-port-except number source-prefix-list name Do not match the UDP or TCP source port field. You can string together multiple flags using the bit-field logical operators. To check this. see the tcp-established and tcp-initial match conditions. For details. see the source-port match condition. NOTE: For IPv6. applies to SRX100. Match the IPv6 address prefix of the packet source field.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic (continued) Match Condition source-port number Description Match the UDP or TCP source port field. You cannot specify the port and source-port match conditions in the same term. while the ACK flag is set in all packets sent after the initial packet. To specify individual bit fields. Juniper Networks. applies to SRX100. we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port. specify the protocol tcp match condition. see the source-prefix-list match condition. SRX210. If you configure this match condition. For more information. Do not match the IPv6 address prefix of the packet source field. If you configure this match condition. Match TCP packets other than the first packet of a connection. SRX210. source-prefix-list name except tcp-established tcp-flags flags Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. This is a text synonym for tcp-flags "(ack | rst)" (0x14). we recommend that you also configure the next-header tcp match condition in the same term. For combined bit-field match conditions. and SRX650 devices only. SRX240. Copyright © 2011. Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. SRX240. In place of the numeric value. you can specify the following text synonyms or hexadecimal values: • • • • • • fin (0x01) syn (0x02) rst (0x04) push (0x08) ack (0x10) urgent (0x20) In a TCP session. NOTE: For IPv6. 61 . you can specify one of the text synonyms listed with the destination-port number match condition. If you configure this match condition. and SRX650 devices only. NOTE: This condition does not implicitly check that the protocol is TCP. we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port.

NOTE: If you specify an IPv6 address in a match condition (the address. You can specify a numeric value from 0 through 63. NOTE: For IPv6. applies to SRX100. traffic-class number Match the 8-bit field that specifies the class-of-service (CoS) priority of the packet. For more information about IPv6 addresses. destination-address. or source-address match conditions). This field was previously used as the type-of-service (ToS) field in IPv4. SRX210. for a total of 12 code points: • • • • af11 (10). include 0x as a prefix. 62 Copyright © 2011. . For details. Juniper Networks. you can specify one of the following text synonyms (the field values are also listed): • • RFC 3246. see the traffic-class match description. use the syntax for text representations described in RFC 2373. af13 (14) af21 (18). and SRX650 devices only. af23 (22) af31 (26). defines 4 classes. af22 (20). SRX240. af43 (38) traffic-class-exception number Do not match the 8-bit field that specifies the CoS priority of the packet. we recommend that you also configure the next-header tcp match condition in the same term. An Expedited Forwarding PHB (Per-Hop Behavior). Inc. af12 (12).4 Firewall Filter and Policer Configuration Guide Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic (continued) Match Condition tcp-initial Description Match the initial packet of a TCP connection. To specify the value in hexadecimal form. af33 (30) af41 (34). To specify the value in binary form. Related Documentation • • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82 Standard Firewall Filter Match Conditions for MPLS Traffic You can configure a standard stateless firewall filter with match conditions for MPLS traffic (family mpls). This is a text synonym for tcp-flags "(!ack & syn)". defines one code point: ef (46). This condition does not implicitly check that the protocol is TCP. RFC 2597. see “IPv6 Overview” and “IPv6 Standards” in the Junos OS Routing Protocols Configuration Guide. Assured Forwarding PHB Group. af32 (28). If you configure this match condition. with 3 drop precedences in each class. In place of the numeric value. include b as a prefix. IP Version 6 Addressing Architecture.Junos OS 11. af42 (36).

Juniper Networks. For number. 63 . To define an interface set. Table 14 on page 63 describes the match-conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from] hierarchy level. Interface on which the packet was received. Table 14: Standard Firewall Filter Match Conditions for MPLS Traffic Match Condition exp number Description Experimental (EXP) bit number or range of bit numbers in the MPLS header. Do not match on the EXP bit number or range of bit numbers in the MPLS header. and USB modem interfaces (umd). ip-version number (Interfaces on Enhanced Scaling flexible PIC concentrators [FPCs] on supported T Series routers only) Inner IP version. see “Filtering Packets Received on an Interface Set Overview” on page 192. best-effort. include the interface-set statement at the [edit firewall] hierarchy level. binary. Inc. Copyright © 2011. expedited-forwarding. You can configure a match condition that matches packets based on the interface on which they were received. or network-control. match on the text synonym ipv4. NOTE: If you configure this match condition with an interface that does not exist. For more information.Chapter 4: Standard Firewall Filter Match Conditions and Actions NOTE: The input-list filter-names and output-list filter-names statements for firewall filters for the mpls protocol family are supported on all interfaces with the exception of management interfaces and internal Ethernet interfaces (fxp or em0). or network-control. To match MPLS-tagged IPv4 packets. Specify assured-forwarding. Specify assured-forwarding. the term does not match any packet. Forwarding class. you can specify one or more values from 0 through 7. best-effort. For number. or hexadecimal format. exp-except number forwarding-class class forwarding-class-except class interface interface-name interface-set interface-set-name Match the interface on which the packet was received to the specified interface set. you can specify one or more values from 0 through 7 in decimal. expedited-forwarding. loopback interfaces (lo0). Do not match on the forwarding class.

the router management interface (fxp0 or em0).Junos OS 11. or high. Specify a single level or multiple levels: low. you can configure a standard firewall filter that matches Internet Protocol version 4 (IPv4) packet header fields in MPLS traffic (family mpls). see the Junos OS Class of Service Configuration Guide. Inc. For information about the tri-color statement and for information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. Related Documentation • • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82 Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic This topic covers the following information: • • • Matching on IPv4 Packet Header Address or Port Fields in MPLS Flows on page 64 IP Address Match Conditions for MPLS Traffic on page 65 IP Port Match Conditions for MPLS Traffic on page 65 Matching on IPv4 Packet Header Address or Port Fields in MPLS Flows To support network-based service in a core network. and MX Series routers. or USB modem interfaces (umd). For details. . The feature is not supported for the router loopback interface (lo0). you can only configure the high and low levels. If the tri-color statement is not enabled. and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs). M7i and M10i routers with the Enhanced CFEB (CFEB-E). see the loss-priority match condition. medium-low. MX Series. loss-priority-except level Do not match the PLP level. Supported on M120 and M320 routers. For IP traffic on M320. you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. You can configure match conditions based on IPv4 addresses and IPv4 port numbers in the header. The firewall filter can match IPv4 packets as an inner payload of an MPLS packet that has a single MPLS label or up to five MPLS labels stacked together. This applies to all protocol families. medium-high. Juniper Networks. Standard firewall filters based on MPLS-tagged IPv4 headers are supported for interfaces on Enhanced Scaling flexible PIC concentrators (FPCs) on supported T Series routers only. 64 Copyright © 2011.4 Firewall Filter and Policer Configuration Guide Table 14: Standard Firewall Filter Match Conditions for MPLS Traffic (continued) Match Condition loss-priority level Description Match the packet loss priority (PLP) level.

Match the 32-bit IPv4 address of the source node sending the packet. fragment (44). • IP Address Match Conditions for MPLS Traffic Table 15 on page 65 describes the IP address-specific match-conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4] hierarchy level. Juniper Networks. In place of the numeric value. esp (50). hop-by-hop (0). specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4] hierarchy level. sctp (132). Table 15: IP Address-Specific Firewall Filter Match Conditions for MPLS Traffic Match Condition destination-address address Description Match the 32-bit IPv4 address of the destination node to receive the packet. icmp6 (58). igmp (2). you can specify one of the following text synonyms (the field values are also listed): ah (51). specify the match condition at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol (udp | tcp)] hierarchy level. To match an MPLS-tagged IPv4 packet on the source or destination port field in the IPv4 header. you use the ip-version ipv4 match condition to specify that the term is to match packets based on inner IP fields: • To match an MPLS-tagged IPv4 packet on the source or destination address field in the IPv4 header.Chapter 4: Standard Firewall Filter Match Conditions and Actions To configure a stateless firewall filter term that matches on address or port fields in the IPv4 header of packets in an MPLS flow. tcp (6). ospf (89). ipv6 (41). icmp (1). Match the IP protocol type field. rsvp (46). udp (17). 65 . icmpv6 (58). destination-address address except protocol number source-address address source-address address except IP Port Match Conditions for MPLS Traffic Table 16 on page 66 describes the IP port-specific match-conditions you can configure at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol (udp | tcp )] hierarchy level. Do not match the 32-bit IPv4 address of the source node sending the packet. Inc. gre (47). Copyright © 2011. dstopts (60). pim (103). Do not match the 32-bit IPv4 address of the destination node to receive the packet. or vrrp (112). egp (8). ipip (4).

pop3 (110). ftp (21). bootpc (68). nfsd (2049). kpasswd (761). eklogin (2105). mobileip-agent (434). All conditions in the from statement must match for the action to be taken. snmptrap (162). domain (53). pptp (1723). syslog (514). exec (512). ident (113). nntp (119). In place of the numeric value. ssh (22). because a packet must match all the conditions in a term for a match to occur. netbios-ssn (139). printer (515). ldp (646). that term matches all packets. ntp (123). The order in which you specify match conditions is not important. bgp (179). Related Documentation • • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82 Standard Firewall Filter Match Conditions for VPLS Traffic In the from statement in the VPLS filter term. socks (1080). In place of the numeric value. login (513). finger (79). radacct (1813). 66 Copyright © 2011. you can specify numeric ranges. a match occurs if one of the values in the list matches the packet. kerberos-sec (88). mobilip-mn (435). When a condition defines a list of values. For example. snmp (161).4 Firewall Filter and Policer Configuration Guide Table 16: IP Port-Specific Firewall Filter Match Conditions for MPLS Traffic Match Condition destination-port number Description Match on the UDP or TCP destination port field. ldap (389). An individual condition in a from statement can contain a list of values. radius (1812).Junos OS 11. If you specify no match conditions in a term. timed (525). who (513). ntalk (518). dhcp (67). telnet (23). krb-prop (754). tftp (69). you specify conditions that the packet must match for the action in the then statement to be taken. imap (143). cvspserver (2401). bootps (67). Inc. klogin (543). biff (512). rip (520). tacacs (49). ekshell (2106). You can also specify multiple source addresses or destination addresses. krbupdate (760). . you can specify one of the text synonyms listed with the destination-port match condition. netbios-dgm (138). tacacs-ds (65). Juniper Networks. talk (517). snpp (444). netbios-ns (137). kshell (544). In place of the numeric field. sunrpc (111). msdp (639). http (80). or xdmcp (177). smtp (25). you can specify one of the following text synonyms (the port numbers are also listed): afs (1483). source-port number Match on the TCP or UDP source port field. you can specify one of the text synonyms listed under destination-port. ftp-data (20). rkinit (2108). destination-port-except number Do not match on the UDP or TCP destination port field. source-port-except number Do not match on the TCP or UDP source port field. cmd (514). https (443).

bgp (179). the negated match condition for forwarding-class is forwarding-class-except. or xdmcp (177). if there is one. snmp (161).Chapter 4: Standard Firewall Filter Match Conditions and Actions Individual conditions in a from statement can be negated. In place of the numeric value. and the next term in the filter is evaluated. rkinit (2108). syslog (514). kshell (544). destination-prefix-list name except (MX Series routers only) Do not match destination prefixes in the specified list. ident (113). krbupdate (760). snpp (444). klogin (543). You cannot specify both the port and destination-port match conditions in the same term. who (513). ntalk (518). see the destination-prefix-list match condition. cmd (514). it is immediately considered not to match the from statement. pop3 (110). NOTE: Not all match conditions for VPLS traffic are supported on all routing platforms. pptp (1723). A number of match conditions for VPLS traffic are supported only on MX Series 3D Universal Edge Routers. cvspserver (2401). Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. http (80). ftp-data (20). bootpc (68). smtp (25). ldp (646). exec (512). timed (525). biff (512). IPv6 addresses included in a VPLS prefix list will be discarded. ldap (389). tacacs (49). mobilip-mn (435). Copyright © 2011. tftp (69). eklogin (2105). kpasswd (761). https (443). When you negate a condition. Inc. netbios-ssn (139). imap (143). nfsd (2049). you can specify one of the following text synonyms (the port numbers are also listed): afs (1483). 67 . krb-prop (754). For example. radacct (1813). msdp (639). destination-port-except number destination-prefix-list name (MX Series routers only) Do not match on the TCP or UDP destination port field. domain (53). bootps (67). dhcp (67). You can configure a standard firewall filter with match conditions for Virtual Private LAN Service (VPLS) traffic (family vpls). If there are no more terms. If a packet matches a negated condition. login (513). radius (1812). the packet is discarded. ntp (123). netbios-ns (137). printer (515). talk (517). Table 17 on page 67 describes the match-conditions you can configure at the [edit firewall family vpls filter filter-name term term-name from] hierarchy level. snmptrap (162). ekshell (2106). mobileip-agent (434). rip (520). (MX Series routers only) Match destination prefixes in the specified list. (MX Series routers only) Match the UDP or TCP destination port field. you are defining an explicit mismatch. telnet (23). tacacs-ds (65). Juniper Networks. For more information. Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic Match Condition destination-mac-address address destination-port number Description Match the destination media access control (MAC) address of a VPLS packet. NOTE: VPLS prefix lists support only IPv4 addresses. socks (1080). sunrpc (111). ftp (21). kerberos-sec (88). finger (79). nntp (119). You cannot specify both the port and destination-port match conditions in the same term. netbios-dgm (138). ssh (22).

see the dscp match condition. Do not match the forwarding class. pppoe-discovery (0x8863). best-effort. with 3 drop precedences in each class. forwarding-class class Match the forwarding class. forwarding-class-except class 68 Copyright © 2011. You can specify decimal or hexadecimal values from 0 through 65535 (0xFFFF). Match the 2-octet IEEE 802. Assured Forwarding PHB Group.4 Firewall Filter and Policer Configuration Guide Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic (continued) Match Condition dscp number Description (MX Series routers only) Match the Differentiated Services code point (DSCP). appletalk (0x809B). af42 (36). Juniper Networks. expedited-forwarding. oam (0x8902). af33 (30). see the forwarding-class match condition. In place of the numeric value. arp (0x0806). af43 (38) dscp-except number ether-type values (MX Series routers only) Do not match on the DSCP. defines one code point: ef (46). Specify assured-forwarding. see the ether-type match condition. ether-type-except values Do not match the 2-octet Length/EtherType field to the specified value or list of values. The most significant 6 bits of this byte form the DSCP. you can specify one of the following text synonyms (the field values are also listed): • • RFC 3246.3 Length/EtherType field to the specified value or list of values. For details about specifying the values. for a total of 12 code points: af11 (10). af22 (20). af13 (14). af31 (26). For more information. af23 (22). defines 4 classes. To specify the value in hexadecimal form. mpls-multicast (0x8848). include 0x as a prefix. A value from 0 through 1500 (0x05DC) specifies the length of an Ethernet Version 1 frame. Inc. af41 (34). include b as a prefix. In place of the numeric value. ipv6 (0x86DD). ppp (0x880B). see the Junos OS Class of Service Configuration Guide. RFC 2597. af32 (28). You can specify a numeric value from 0 through 63. For details. af21 (18). To specify the value in binary form. A value from 1536 (0x0600) through 65535 specifies the EtherType (nature of the MAC client protocol) of an Ethernet Version 2 frame. For details. or sna (0x80D5). or network-control. The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. mpls-unicast (0x8847). pppoe-session (0x8864). you can specify one of the following text synonyms (the hexadecimal values are also listed): aarp (0x80F3). . ipv4 (0x0800). af12 (12). An Expedited Forwarding PHB (Per-Hop Behavior).Junos OS 11.

ip-protocol icmp6. no-route-to-destination (0). unrecognized-option (2) time-exceeded: ttl-eq-zero-during-reassembly (1). If you configure this match condition. An ICMP message code provides more specific information than an ICMP message type. Juniper Networks. If you configure this match condition. you can specify one of the following text synonyms (the field values are also listed). If you configure this match condition. but the meaning of an ICMP message code is dependent on the associated ICMP message type. An ICMP message code provides more specific information than an ICMP message type. see the icmp-code match condition. or next-header icmpv6 match condition in the same term. or ip-protocol icmpv6 match condition in the same term. administratively-prohibited (1). we recommend that you also configure the ip-protocol icmp. For details. ttl-eq-zero-during-transit (0) destination-unreachable: address-unreachable (3). port-unreachable (4) • • icmp-code-except number (MX Series routers only) Do not match on the ICMP code field. see the icmp-code match condition. In place of the numeric value. Inc. you can specify one of the following text synonyms (the field values are also listed). (MX Series routers only) Match the ICMP message code field. no-route-to-destination (0). In place of the numeric value. ttl-eq-zero-during-transit (0) destination-unreachable: address-unreachable (3). administratively-prohibited (1). unrecognized-next-header (1). you must also configure the icmp-type message-type match condition in the same term. unrecognized-next-header (1). unrecognized-option (2) time-exceeded: ttl-eq-zero-during-reassembly (1). Copyright © 2011. For details. 69 . we recommend that you also configure the next-header icmp.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic (continued) Match Condition icmp-code message-code Description Match the ICMP message code field. The keywords are grouped by the ICMP type with which they are associated: • parameter-problem: ip6-header-bad (0). If you configure this match condition. but the meaning of an ICMP message code is dependent on the associated ICMP message type. port-unreachable (4) • • icmp-code-except message-code icmp-code number Do not match the ICMP message code field. next-header icmp6. The keywords are grouped by the ICMP type with which they are associated: • parameter-problem: ip6-header-bad (0). you must also configure the icmp-type message-type match condition in the same term.

ip-address address ip-destination-address address ip-precedence ip-precedence-field (MX Series routers only) 32-bit address that supports the standard syntax for IPv4 addresses. you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0). or routine (0x00).4 Firewall Filter and Policer Configuration Guide Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic (continued) Match Condition icmp-type number Description (MX Series routers only) Match the ICMP message type field. internet-control (0xc0). interface interface-name interface-group group-number Match the logical interface on which the packet was received to the specified interface group or set of interface groups. (MX Series routers only) Do not match on the IP precedence field. icmp-type-except number (MX Series routers only) Do not match the ICMP message type field. NOTE: If you configure this match condition with an interface that does not exist. see the icmp-type match condition. For more information. packet-too-big (2). echo-request (128). Juniper Networks. we recommend that you also configure the ip-protocol icmp. neighbor-solicit (135). interface-group-except group-name interface-set interface-set-name Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups. For details. see the interface-group match condition. specify a single value or a range of values from 0 through 255. In place of the numeric field value. node-information-reply (140). you can specify one of the following text synonyms (the field values are also listed): destination-unreachable (1). redirect (137). For more information. If you configure this match condition. Match the interface on which the packet was received to the specified interface set. To assign a logical interface to an interface group group-number. Inc. echo-reply (129). . You can configure a match condition that matches packets based on the interface on which they were received. see “Filtering Packets Received on a Set of Interface Groups Overview” on page 185. Interface on which the packet was received. In place of the numeric value. or ip-protocol icmpv6 match condition in the same term. priority (0x20). ip-protocol icmp6. membership-report (131). parameter-problem (4). the term does not match any packet. router-advertisement (134). (MX Series routers only) 32-bit address that is the final destination node address for the packet. To define an interface set. router-solicit (133). immediate (0x40). or time-exceeded (3). membership-query (130). net-control (0xe0). For details.Junos OS 11. specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level. router-renumbering (138). see “Filtering Packets Received on an Interface Set Overview” on page 192. include the interface-set statement at the [edit firewall] hierarchy level. flash-override (0x80). For group-number. flash (0x60). neighbor-advertisement (136). (MX Series routers only) IP precedence field. ip-precedence-except ip-precedence-field 70 Copyright © 2011. node-information-request (139). membership-termination (132).

(MX Series routers only) Do not match on the VLAN identifier used for MAC learning. Supported on M120 and M320 routers. see the Junos OS Class of Service Configuration Guide.1Q VLAN tags or the outer tag in a dual-tag frame with 802.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic (continued) Match Condition ip-protocol number ip-protocol-except number ip-source-address address learn-vlan-1p-priority number Description (MX Series routers only) IP protocol field.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802. (MX Series routers only) IP address of the source node sending the packet. (MX Series routers only) Match on the IEEE 802. see the learn-vlan-1p-priority match condition. port number (MX Series routers only) TCP or UDP source or destination port. loss-priority-except level Do not match on the packet loss priority level. Specify a single level or multiple levels: low. For IP traffic on M320. see the Junos OS Class of Service Configuration Guide. M7i and M10i routers with the Enhanced CFEB (CFEB-E). or high. port-except number Copyright © 2011. medium-low. Juniper Networks. or high. For information about the tri-color statement and about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. Compare with the user-vlan-1p-priority match condition. medium-high. (MX Series routers only) Do not match on the IP protocol field.1p learned VLAN priority bits. and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs). you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. and MX Series routers. (MX Series routers only) Do not match on the TCP or UDP source or destination port. learn-vlan-1p-priority-except number learn-vlan-id number learn-vlan-id-except number loss-priority level (MX Series routers only) Do not match on the IEEE 802. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term. You cannot specify both the port match condition and either the destination-port or source-port match condition in the same term. If the tri-color statement is not enabled. medium-high.1Q VLAN tags). 71 . For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. (MX Series routers only) VLAN identifier used for MAC learning. you can only configure the high and low levels. This applies to all protocol families. medium-low. Inc. Specify a single level or multiple levels: low. Specify a single value or multiple values from 0 through 7. For details. MX Series. Packet loss priority (PLP) level.

72 Copyright © 2011. traffic-type type-name (MX Series routers only) Traffic type. To specify individual bit fields. NOTE: VPLS prefix lists support only IPV4 addresses. unknown-unicast. you can specify the following text synonyms or hexadecimal values: • • • • • • fin (0x01) syn (0x02) rst (0x04) push (0x08) ack (0x10) urgent (0x20) In a TCP session. Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. You cannot specify the port and source-port match conditions in the same term. multicast. see the destination-prefix-list match condition. If you configure this match condition for IPv6 traffic. source-mac-address address source-port number source-port-except number source-prefix-list name source-prefix-list name except tcp-flags flags (MX Series routers only) Do not match the source prefixes in the specified prefix list. prefix-list name except (MX Series routers only) Do not match the destination or source prefixes in the specified list. Inc. IPV6 addresses included in a VPLS prefix list will be discarded. see the source-prefix-list match condition. . For more information.Junos OS 11.4 Firewall Filter and Policer Configuration Guide Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic (continued) Match Condition prefix-list name Description (MX Series routers only) Match the destination or source prefixes in the specified list. You can string together multiple flags using the bit-field logical operators. or known-unicast. Juniper Networks. Source MAC address of a VPLS packet. NOTE: VPLS prefix lists support only IPV4 addresses. You cannot specify the port and source-port match conditions in the same term. (MX Series routers only) Do not match on the TCP or UDP source port field. (MX Series routers only) Match the source prefixes in the specified prefix list. Specify broadcast. while the ACK flag is set in all packets sent after the initial packet. For more information. (MX Series routers only) TCP or UDP source port field. the SYN flag is set only in the initial packet sent. IPV6 addresses included in a VPLS prefix list will be discarded. Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port.

The following restrictions apply to firewall filters for Layer 2 CCC traffic: • The input-list filter-names and output-list filter-names statements for firewall filters for the ccc protocol family are supported on all interfaces with the exception of management interfaces and internal Ethernet interfaces (fxp or em0). • Table 18 on page 74 describes the match-conditions you can configure at the [edit firewall family ccc filter filter-name term term-name from] hierarchy level. Inc. Juniper Networks. Specify broadcast. On MX Series routers only. Compare with the learn-vlan-1p-priority match condition.1p user priority bits. Do not match on the VLAN Ethernet type field of a VPLS packet. (MX Series routers only) Match the first VLAN identifier that is part of the payload. see the user-vlan-1p-priority match condition. or known-unicast. (MX Series routers only) Do not match on the first VLAN identifier that is part of the payload. loopback interfaces (lo0). On MX Series routers. For details. (MX Series routers only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802. firewall filters configured for the family ccc statement can be applied only as input filters. VLAN Ethernet type field of a VPLS packet. Copyright © 2011.1Q VLAN tags). you cannot apply a Layer 2 CCC stateless firewall filter (a firewall filter configured at the [edit firewall filter family ccc] hierarchy level) as an output filter. user-vlan-1p-priority-except number user-vlan-id number user-vlan-id-except number vlan-ether-type value vlan-ether-type-except value (MX Series routers only) Do not match on the IEEE 802. Related Documentation • • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82 Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic You can configure a standard stateless firewall filter with match conditions for Layer 2 circuit cross-connect (CCC) traffic (family ccc). unknown-unicast.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic (continued) Match Condition traffic-type-except type-name user-vlan-1p-priority number Description (MX Series routers only) Do not match on the traffic type. and USB modem interfaces (umd). 73 . multicast. Specify a single value or multiple values from 0 through 7.

expedited-forwarding. (MX Series routers only) Match on the IEEE 802. Juniper Networks. forwarding-class-except class interface-group group-number interface-group-except number learn-vlan-1p-priority number Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups.4 Firewall Filter and Policer Configuration Guide Table 18: Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic Match Condition destination-mac-address address Description (MX Series routers only) Match the destination media access control (MAC) address of a virtual private LAN service (VPLS) packet. or network-control. see the learn-vlan-1p-priority match condition. best-effort. forwarding-class class Forwarding class. Match the logical interface on which the packet was received to the specified interface group or set of interface groups. or network-control. see the interface-group match condition. The use of a control word is enabled by default for Layer 2 VPN routing instances to support the emulated virtual circuit (VC) encapsulation for Layer 2 circuits. learn-vlan-1p-priority-except number (MX Series routers only) Do not match on the IEEE 802.Junos OS 11. see “Filtering Packets Received on a Set of Interface Groups Overview” on page 185.1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802. You must explicitly disable the use of a control word for traffic flowing out over a Layer 2 circuit. Specify a single value or multiple values from 0 through 7. see “Disabling the Control Word for Layer 2 VPNs” in the Junos OS VPNs Configuration Guide. . Compare with the user-vlan-1p-priority match condition. To explicitly disable the use of a control word for Layer 2 VPNs.1Q VLAN tags). To assign a logical interface to an interface group group-number. For details. 74 Copyright © 2011. specify a single value or a range of values from 0 through 255. Inc. To have packets correctly evaluated by this match condition when applied to egress traffic flowing over a CCC circuit from a logical interface on an I-chip DPC in a Layer 2 virtual private network (VPN) routing instance. For more information.1p learned VLAN priority bits. Specify assured-forwarding. specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level. expedited-forwarding. you must make a configuration change to the Layer 2 VPN routing instance. For details.1Q VLAN tags or the outer tag in a dual-tag frame with 802. For group-number. include the no-control-word statement at either of the following hierarchy levels: • • [edit routing-instances routing-instance-name protocols l2vpn] [edit logical-systems logical-system-name routing-instances routing-instance-name protocols l2vpn] For more information. Specify assured-forwarding. best-effort. Do not match on the forwarding class.

see the Junos OS Class of Service Configuration Guide. and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs). medium-low.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 18: Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic (continued) Match Condition loss-priority level Description Packet loss priority (PLP) level. medium-high. Juniper Networks. Specify a single level or multiple levels: low. This applies to all protocol families. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. and MX Series routers. Table 19 on page 75 describes the match-conditions you can configure at the [edit firewall family bridge filter filter-name term term-name from] hierarchy level. medium-high. Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) Match Condition destination-mac-address address Description Destination media access control (MAC) address of a Layer 2 packet in a bridging environment. M7i and M10i routers with the Enhanced CFEB (CFEB-E). you can only configure the high and low levels. user-vlan-1p-priority number (MX Series routers only) Match on the IEEE 802. For IP traffic on M320. medium-low. Supported on M120 and M320 routers. 75 . Compare with the learn-vlan-1p-priority match condition. Specify a single level or multiple levels: low. you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. For information about the tri-color statement and for information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. Copyright © 2011. see the Junos OS Class of Service Configuration Guide. For details. Related Documentation • • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82 Standard Firewall Filter Match Conditions for Layer 2 Bridging Traffic On MX Series routers only. MX Series.1p user priority bits.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). user-vlan-1p-priority-except number (MX Series routers only) Do not match on the IEEE 802. Specify a single value or multiple values from 0 through 7. If the tri-color statement is not enabled. Inc. or high. loss-priority-except level Do not match on the packet loss priority level. you can configure a standard stateless firewall filter with match conditions for Layer 2 bridging traffic (family bridge). see the user-vlan-1p-priority match condition. or high.

af31 (26). pppoe-session (0x8864). defines 4 classes. af12 (12). forwarding class class Forwarding class.Junos OS 11. include b as a prefix. for a total of 12 code points: af11 (10). Assured Forwarding PHB Group.3 Length/EtherType field to the specified value or list of values. af21 (18). RFC 2597. The most significant 6 bits of this byte form the DSCP. For more information. A value from 0 through 1500 (0x05DC) specifies the length of an Ethernet Version 1 frame. expedited-forwarding. or network-control. You cannot specify both the port and destination-port match conditions in the same term. best-effort. you can specify one of the following text synonyms (the hexadecimal values are also listed): aarp (0x80F3). You can specify decimal or hexadecimal values from 0 through 65535 (0xFFFF). ppp (0x880B). pppoe-discovery (0x8863). see the Junos OS Class of Service Configuration Guide. defines one code point: ef (46).4 Firewall Filter and Policer Configuration Guide Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) (continued) Match Condition destination-port number Description TCP or UDP destination port field. af43 (38) dscp-except number ether-type value Do not match on the DSCP number. with 3 drop precedences in each class. af42 (36). see the ether-type match condition. Juniper Networks. ipv4 (0x0800). A value from 1536 (0x0600) through 65535 specifies the EtherType (nature of the MAC client protocol) of an Ethernet Version 2 frame. arp (0x0806). af13 (14). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. You can specify a numeric value from 0 through 63. expedited-forwarding. af22 (20). In place of the numeric value. An Expedited Forwarding PHB (Per-Hop Behavior). see the dscp-except match condition. To specify the value in binary form. af32 (28). oam (0x8902). mpls-multicast (0x8848). Match the 2-octet IEEE 802. To specify the value in hexadecimal form. appletalk (0x809B). For details about specifying the values. af41 (34). ether-type-except value Do not match the 2-octet IEEE 802. af33 (30).3 Length/EtherType field to the specified value or list of values. For more information. sna (0x80D5). ipv6 (0x86DD). Specify assured-forwarding. Differentiated Services code point (DSCP). you can specify one of the following text synonyms (the field values are also listed): • • dscp number RFC 3246. forwarding-class-except class 76 Copyright © 2011. In place of the numeric value. Ethernet type field of a Layer 2 packet environment. mpls-unicast (0x8847). Specify assured-forwarding. . Inc. include 0x as a prefix. af23 (22). best-effort. or network-control.

NOTE: If you configure this match condition with an interface that does not exist. node-information-reply (140). An ICMP message code provides more specific information than an ICMP message type. no-route-to-destination (0). or ip-protocol icmpv6 match condition in the same term. see “Filtering Packets Received on a Set of Interface Groups Overview” on page 185. In place of the numeric value. the term does not match any packet. we recommend that you also configure the ip-protocol icmp. router-renumbering (138). specify a single value or a range of values from 0 through 255. For details. To assign a logical interface to an interface group group-number. If you configure this match condition. neighbor-advertisement (136). router-solicit (133). specify the group-number at the [interfaces interface-name unit number family family filter group] hierarchy level. interface-group group-number Match the logical interface on which the packet was received to the specified interface group or set of interface groups. we recommend that you also configure the ip-protocol icmp. If you configure this match condition. you can specify one of the following text synonyms (the field values are also listed): destination-unreachable (1). administratively-prohibited (1). membership-termination (132). neighbor-solicit (135). icmp-type-except message-type interface interface-name Do not match the ICMP message type field. or ip-protocol icmpv6 match condition in the same term. parameter-problem (4). The keywords are grouped by the ICMP type with which they are associated: • parameter-problem: ip6-header-bad (0). For more information. Inc. echo-reply (129). If you configure this match condition. see the icmp-type match condition. You can configure a match condition that matches packets based on the interface on which they were received. you must also configure the icmp-type message-type match condition in the same term. In place of the numeric value. see the icmp-code match condition. unrecognized-next-header (1). For group-number. 77 . membership-report (131). packet-too-big (2). Interface on which the packet was received. Juniper Networks. router-advertisement (134). Copyright © 2011. redirect (137). Match the ICMP message type field. you can specify one of the following text synonyms (the field values are also listed). ip-protocol icmp6. or time-exceeded (3). echo-request (128).Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) (continued) Match Condition icmp-code message-code Description Match the ICMP message code field. but the meaning of an ICMP message code is dependent on the associated ICMP message type. membership-query (130). unrecognized-option (2) time-exceeded: ttl-eq-zero-during-reassembly (1). node-information-request (139). ip-protocol icmp6. ttl-eq-zero-during-transit (0) destination-unreachable: address-unreachable (3). For details. port-unreachable (4) • • icmp-code-except message-code icmp-type message-type Do not match the ICMP message code field.

(Supported with PBB) Match the Internet service identifier priority code point. (MX Series routers only) Match on the IEEE 802.1Q VLAN tags). ip-address address ip-destination-address address ip-precedence ip-precedence-field 32-bit address that supports the standard syntax for IPv4 addresses. include the interface-set statement at the [edit firewall] hierarchy level. flash-override (0x80). net-control (0xe0). IP address of the source node sending the packet. learn-vlan-1p-priority-except value learn-vlan-dei number (MX Series routers only) Do not match on the IEEE 802. Compare with the user-vlan-1p-priority match condition. flash (0x60). 78 Copyright © 2011. Do not match on the IP precedence field. you can specify one of the following text synonyms (the field values are also listed): critical-ecp (0xa0). (Supported with PBB) Do not match the Internet service identifier DEI bit. (Supported with Provider Backbone Bridging [PBB]) Match internet service identifier. priority (0x20).1Q VLAN tags or the outer tag in a dual-tag frame with 802. see the interface-group match condition. Specify a single value or multiple values from 0 through 7. see “Filtering Packets Received on an Interface Set Overview” on page 192. Match the interface on which the packet was received to the specified interface set. see the learn-vlan-1p-priority match condition. For details. or routine (0x00).1p learned VLAN priority bits in the provider VLAN tag (the only tag in a single-tag frame with 802. Inc. ip-precedence-except ip-precedence-field ip-protocol number ip-source-address address isid number isid-dei number isid-dei-except number isid-priority-code-point number isid-priority-code-point-except number learn-vlan-1p-priority value IP protocol field. For more information.Junos OS 11. For details. Juniper Networks. In place of the numeric field value. (Supported with PBB) Match the Internet service identifier drop eligibility indicator (DEI) bit. internet-control (0xc0). 32-bit address that is the final destination node address for the packet. (Supported with PBB) Do not match the Internet service identifier priority code point. IP precedence field. immediate (0x40). To define an interface set.4 Firewall Filter and Policer Configuration Guide Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) (continued) Match Condition interface-group-except number interface-set interface-set-name Description Do not match the logical interface on which the packet was received to the specified interface group or set of interface groups.1p learned VLAN priority bits. . (Supported with bridging) Match user virtual LAN (VLAN) identifier DEI bit.

VLAN identifier used for MAC learning. Supported on M120 and M320 routers. medium-low. Source MAC address of a Layer 2 packet. MX Series. or high. loss-priority-except level Do not match on the packet loss priority level. Inc. 79 . This applies to all protocol families. medium-high. Juniper Networks. source-mac-address address source-port number Copyright © 2011. see the Junos OS Class of Service Configuration Guide. medium-high. Do not match on the VLAN identifier used for MAC learning. port number TCP or UDP source or destination port. and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs). or high. TCP or UDP source port field. medium-low. You cannot specify the port and source-port match conditions in the same term. Packet loss priority (PLP) level. If the tri-color statement is not enabled. Specify a single level or multiple levels: low. For information about the tri-color statement and for information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. For IP traffic on M320. you can only configure the high and low levels. You cannot specify both the port match condition and either the destination-port or source-port match conditions in the same term. M7i and M10i routers with the Enhanced CFEB (CFEB-E). Specify a single level or multiple levels: low. For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. see the Junos OS Class of Service Configuration Guide. and MX Series routers.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) (continued) Match Condition learn-vlan-dei-except number learn-vlan-id number learn-vlan-id-except number loss-priority level Description (Supported with bridging) Do not match user VLAN identifier DEI bit.

Do not match on the VLAN Ethernet type field of a Layer 2 bridging packet. see the user-vlan-1p-priority match condition. Specify a single value or multiple values from 0 through 7. Specify broadcast. (MX Series routers only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802. Juniper Networks. you can specify the following text synonyms or hexadecimal values: • • • • • • fin (0x01) syn (0x02) rst (0x04) push (0x08) ack (0x10) urgent (0x20) In a TCP session.1Q VLAN tags). . For details.Junos OS 11. To specify individual bit fields. Compare with the learn-vlan-1p-priority match condition. unknown-unicast. while the ACK flag is set in all packets sent after the initial packet. You can string together multiple flags using the bit-field logical operators. (MX Series routers only) Match the first VLAN identifier that is part of the payload. the SYN flag is set only in the initial packet sent. user-vlan-1p-priority-except value user-vlan-id number user-vlan-id-except number vlan-ether-type value vlan-ether-type-except value (MX Series routers only) Do not match on the IEEE 802. Do not match on the traffic type. VLAN Ethernet type field of a Layer 2 bridging packet. multicast.4 Firewall Filter and Policer Configuration Guide Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) (continued) Match Condition tcp-flags flags Description Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. Configuring the tcp-flags match condition requires that you configure the next-header-tcp match condition. Inc. Related Documentation • • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Terminating Actions on page 81 Standard Firewall Filter Nonterminating Actions on page 82 80 Copyright © 2011. (MX Series routers only) Do not match on the first VLAN identifier that is part of the payload.1p user priority bits. traffic-type type traffic-type-except type user-vlan-1p-priority value Traffic type. or known-unicast.

Table 20: Terminating Actions for Standard Firewall Filters Terminating Action accept Description Accept the packet.Chapter 4: Standard Firewall Filter Match Conditions and Actions Standard Firewall Filter Terminating Actions Standard stateless firewall filters support different sets of terminating actions for each protocol family. you can configure the next term action with another nonterminating action in the same filter term. 81 . However. Protocols • • • • • • • family any family inet family inet6 family mpls family vpls family ccc family bridge family any family inet family inet6 family mpls family vpls family ccc family bridge family inet family inet6 discard Discard a packet silently. Table 20 on page 81 describes the terminating actions you can specify in a standard firewall filter term. Juniper Networks. Inc. without sending an Internet Control Message Protocol (ICMP) message. NOTE: You cannot configure the next term action with a terminating action in the same filter term. • • • • • • • logical-system logical-system-name Direct the packet to the specified logical system. Discarded packets are available for logging and sampling. • • Copyright © 2011.

precedence-cutoff. port-unreachable. beyond-scope. is returned. or tcp-reset. NOTE: For IPv6. SRX240. • • family inet family inet6 family inet family inet6 topology topology-name Direct the packet to the specified topology. 82 Copyright © 2011.4 Firewall Filter and Policer Configuration Guide Table 20: Terminating Actions for Standard Firewall Filters (continued) Terminating Action reject message-type Description Reject the packet and return an ICMPv4 or ICMPv6 message: • Protocols • • family inet family inet6 If no message-type is specified. NOTE: You cannot configure the next term action with a terminating action in the same filter term. The message-type can be one of the following values: address-unreachable. fragmentation-needed. protocol-unreachable. • • Related Documentation • • Guidelines for Configuring Standard Firewall Filters on page 21 Standard Firewall Filter Nonterminating Actions on page 82 Standard Firewall Filter Nonterminating Actions Standard stateless firewall filters support different sets of nonterminating actions for each protocol family. Table 21 on page 83 describes the nonterminating actions you can configure for a standard firewall filter term. If tcp-reset is specified as the message-type. no-route. host-unknown. . • • NOTE: Rejected packets can be sampled or logged if you configure the sample or syslog action. that message is returned. source-host-isolated. bad-host-tos. SRX210. host-unreachable. the administratively-prohibited message. routing-instance routing-instance-name Direct the packet to the specified routing instance.Junos OS 11. Otherwise. host-prohibited. If any other message-type is specified. network-unknown. Inc. you can configure the next term action with another nonterminating action in the same filter term. which has a value of 13. precedence-violation. network-prohibited. applies to SRX100. Juniper Networks. a destination unreachable message is returned by default. and SRX650 devices only. bad-network-tos. tcp-reset is returned only if the packet is a TCP packet. network-unreachable. However. source-route-failed. administratively-prohibited.

60-Gigabit Ethernet Queuing MPC. include b as a prefix.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 21: Nonterminating Actions for Standard Firewall Filters Nonterminating Action count counter-name Description Count the packet in the named counter. medium drop precedence af23—Assured forwarding class 2. SRX240. these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers. Inc. low drop precedence af22—Assured forwarding class 2. However. medium drop precedence af43—Assured forwarding class 4. To specify the value in hexadecimal form. high drop precedence af21—Assured forwarding class 2. Protocol Families • • • • • • • family any family inet family inet6 family mpls family vpls family ccc family bridge dscp value Set the IPv4 Differentiated Services code point (DSCP) bit. and SRX650 devices only. Juniper Networks. low drop precedence af42—Assured forwarding class 4. 83 . include 0x as a prefix. To specify the value in binary form. be or 0. medium drop precedence af33—Assured forwarding class 3. low drop precedence af32—Assured forwarding class 3. low drop precedence af12—Assured forwarding class 1. and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers. high drop precedence af41—Assured forwarding class 4. The default DSCP value is best effort. applies to SRX100. NOTE: For IPv6. You can also specify on the following text synonyms: • • • • • • • • • • • • • • • • • • • • • • family inet af11—Assured forwarding class 1. You can specify a numerical value from 0 through 63. medium drop precedence af13—Assured forwarding class 1. 60-Gigabit Ethernet MPC. that is. SRX210. high drop precedence af31—Assured forwarding class 3. Copyright © 2011. high drop precedence be—Best effort cs0—Class selector 0 cs1—Class selector 1 cs2—Class selector 2 cs3—Class selector 3 cs4—Class selector 4 cs5—Class selector 5 cs6—Class selector 6 cs7—Class selector 7 ef—Expedited forwarding NOTE: The actions dscp 0 or dscp be are supported only on T Series and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrators (MPC).

. For information about the tri-color statement and for information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets. family inet log Log the packet header information in a buffer within the Packet Forwarding Engine. Inc. SRX240. and MX Series routers. family inet load-balance group-name Use the specified load-balancing group. Supported on M120 and M320 routers. For more information about selective stateless packet-based services. M7i and M10i routers with the Enhanced CFEB (CFEB-E). These two nonterminating actions are mutually exclusive.4 Firewall Filter and Policer Configuration Guide Table 21: Nonterminating Actions for Standard Firewall Filters (continued) Nonterminating Action forwarding-class class-name Description Classify the packet to the named forwarding class: • • • • • Protocol Families • • • • • • • family any family inet family inet6 family mpls family vpls family ccc family bridge forwarding-class-name assured-forwarding best-effort expedited-forwarding network-control ipsec-sa ipsec-sa Use the specified IPsec security association. NOTE: This action is not supported on MX Series routers. applies to SRX100. NOTE: This action is not supported on MX Series routers. You cannot also configure the three-color-policer nonterminating action for the same firewall filter term. you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. NOTE: For IPv6. SRX210. family inet Updates a bit field in the packet key buffer. MX Series. If the tri-color statement is not enabled. which specifies traffic that will bypass flow-based forwarding. you can only configure the high and low levels. Packets with the packet-mode action modifier follow the packet-based forwarding path and bypass flow-based forwarding completely. This applies to all protocol families. see the Junos OS Class of Service Configuration Guide. and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs). and SRX650 devices only. Juniper Networks. family any 84 Copyright © 2011. see the Junos OS Security Configuration Guide. You can access this information by issuing the show firewall log command at the command-line interface (CLI). • • family inet family inet6 loss-priority (high | medium-high | medium-low | low) Set the packet loss priority (PLP) level.Junos OS 11. For IP traffic on M320. • • • • • • • family any family inet family inet6 family mpls family vpls family ccc family bridge next-hop-group group-name packet-mode Use the specified next-hop group.

• • family inet family inet6 syslog Log the packet to the system log file. applies to SRX100.Chapter 4: Standard Firewall Filter Match Conditions and Actions Table 21: Nonterminating Actions for Standard Firewall Filters (continued) Nonterminating Action policer policer-name Description Name of policer to use to rate-limit traffic. see ”Configuring Service Packet Counting” in the Junos OS Subscriber Access Configuration Guide. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled. Inc. NOTE: For IPv6. M320 routers configured with Enhanced III FPCs. NOTE: The Junos OS does not sample packets originating from the router. For more information. The count is applied to a specific named counter (__junos-dyn-service-counter) that RADIUS can obtain. 85 . NOTE: For IPv6. applies to SRX100. SRX210. then only the transit packets going through that interface are sampled. Supported on M120 routers. • • family inet family inet6 Copyright © 2011. see “Configuring Firewall Filter Bypass” in the Junos OS Subscriber Access Configuration Guide. SRX240. Indicate to subsequent filters in the chain that the packet was already processed. • • • • • prefix-action action-name sample Count or police packets based on the specified action name. Protocol Families • • • • • • • family any family inet family inet6 family mpls family vpls family ccc family bridge family inet family inet6 family vpls family ccc family bridge port-mirror Port-mirror the packet based on the specified family. SRX240. For more information. SRX210. • • family inet family inet6 service-filter-hit (Only if the service-filter-hit flag is marked by a previous filter in the current type of chained filters) Direct the packet to the next type of filters. • • • family inet family inet6 family mpls service-accounting Count the packet for service accounting. family inet Sample the packet. Juniper Networks. and SRX650 devices only. This action. and MX Series routers only. helps to streamline filter processing. If you configure a filter and apply it to the output side of an interface. coupled with the service-filter-hit match condition in receiving filters. and SRX650 devices only.

You can specify a numerical value from 0 through 63.4 Firewall Filter and Policer Configuration Guide Table 21: Nonterminating Actions for Standard Firewall Filters (continued) Nonterminating Action three-color-policer (single-rate | two-rate) policer-name Description Police the packet using the specified single-rate or two-rate three-color-policer. include b as a prefix. and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers. medium drop precedence af13—Assured forwarding class 1. To specify the value in binary form. . Related Documentation • Guidelines for Configuring Standard Firewall Filters on page 21 86 Copyright © 2011. medium drop precedence af43—Assured forwarding class 4. low drop precedence af32—Assured forwarding class 3. 60-Gigabit Ethernet MPC. low drop precedence af12—Assured forwarding class 1. Inc. high drop precedence af21—Assured forwarding class 2. 60-Gigabit Ethernet Queuing MPC. you can specify one of the following text synonyms: • • • • • • • • • • • • • • • • • • • • • • family inet6 af11—Assured forwarding class 1. medium drop precedence af33—Assured forwarding class 3. high drop precedence be—Best effort cs0—Class selector 0 cs1—Class selector 1 cs2—Class selector 2 cs3—Class selector 3 cs4—Class selector 4 cs5—Class selector 5 cs6—Class selector 6 cs7—Class selector 7 ef—Expedited forwarding NOTE: The actions traffic-class 0 or traffic-class be are supported only on T Series and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrator (MPC). Protocol Families • • • • • • family inet family inet6 family mpls family vpls family ccc family bridge traffic-class value Specify the traffic-class code point. include 0x as a prefix. these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers. high drop precedence af41—Assured forwarding class 4. low drop precedence af42—Assured forwarding class 4. However. These two actions are mutually exclusive. low drop precedence af22—Assured forwarding class 2. high drop precedence af31—Assured forwarding class 3. medium drop precedence af23—Assured forwarding class 2. The default traffic-class value is best effort. You cannot also configure the loss-priority action for the same firewall filter term. be or 0. that is. In place of the numeric value. To specify the value in hexadecimal form. Juniper Networks.Junos OS 11.

Juniper Networks. 87 .Chapter 4: Standard Firewall Filter Match Conditions and Actions • Standard Firewall Filter Terminating Actions on page 81 Copyright © 2011. Inc.

Junos OS 11. .4 Firewall Filter and Policer Configuration Guide 88 Copyright © 2011. Juniper Networks. Inc.

Inc. 89 . Juniper Networks.CHAPTER 5 Standard Firewall Filter Configuration • • • • • • • • • • • • • • • Standard Firewall Filters That Match Packets on page 89 Standard Firewall Filters That Count Packets on page 100 Standard Firewall Filters That Act on Packets on page 111 Standard Firewall Filters for Trusted Sources on page 118 Standard Firewall Filters That Prevent IP Packet Flooding on page 143 Standard Firewall Filters That Handle Fragmented Packets on page 152 Standard Firewall Filters That Set Rate Limits on page 157 Multiple Standard Firewall Filters Applied as a List on page 161 Multiple Standard Firewall Filters in a Nested Configuration on page 170 Interface-Specific Firewall Filter Instances on page 177 Filtering Packets Received on a Set of Interface Groups on page 185 Filtering Packets Received on an Interface Set on page 192 Filter-Based Forwarding on page 199 Accounting for Standard Firewall Filters on page 211 Logging of Stateless Firewall Filter Activity on page 218 Standard Firewall Filters That Match Packets • • • • Example: Configuring a Filter to Match on IPv6 Flags on page 89 Example: Configuring a Filter to Match on Port and Protocol Fields on page 91 Example: Configuring a Filter to Match on Two Unrelated Criteria on page 94 Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List on page 97 Example: Configuring a Filter to Match on IPv6 Flags This example shows how to configure a filter to match on IPv6 TCP flags. • • Requirements on page 90 Overview on page 90 Copyright © 2011.

and J Series security devices and in M Series. enter the show firewall filter tcpfilt command. MX Series. If you are done configuring the device. [edit firewall family inet6 filter tcpfilt] user@host# edit term 1 4. Define the source address match conditions for the term. Include the family statement at the firewall hierarchy level. [edit firewall family inet6 filter tcpfilt term 1] user@host top [edit] user@host# commit Verification To confirm that the configuration is working properly. [edit] user@host# edit firewall family inet6 2. .Junos OS 11. [edit firewall family inet6] user@host# edit filter tcpfilt 3. commit the configuration. Inc. SRX240. you configure a filter to match on IPv6 TCP flags. [edit firewall family inet6 filter tcpfilt term 1] user@host# set then count tcp_syn_pkt log accept 6. Define the actions for the term. and T Series routing devices. Juniper Networks. Define the first term for the filter. specifying inet6 as the protocol family. You can use this example to configure IPv6 TCP flags in the SRX100. Overview In this example. 90 Copyright © 2011. [edit firewall family inet6 filter tcpfilt term 1] user@host# set from next-header tcp tcp-flags syn 5. SRX210. Create the stateless firewall filter. Configuration Step-by-Step Procedure To configure a filter to match on IPv6 TCP flags: 1.4 Firewall Filter and Policer Configuration Guide • • Configuration on page 90 Verification on page 90 Requirements No special configuration beyond device initialization is required before configuring this example. SRX650.

All other packets are rejected. remove any line breaks. Inc. and then paste the commands into the CLI at the [edit] hierarchy level: set firewall family inet filter filter1 term term1 from protocol-except tcp set firewall family inet filter filter1 term term1 from protocol-except udp set firewall family inet filter filter1 term term1 then accept set firewall family inet filter filter1 term term2 from address 192. Juniper Networks.168.0/16 set firewall family inet filter filter1 term term2 then reject set firewall family inet filter filter1 term term3 from destination-port ssh set firewall family inet filter filter1 term term3 from destination-port telnet set firewall family inet filter filter1 term term3 then accept set firewall family inet filter filter1 term term4 then reject set interfaces ge-0/0/1 unit 0 family inet address 10.1. see “Using the CLI Editor in Configuration Mode” on page 15. copy the following configuration commands into a text file. you configure a stateless firewall filter that accepts all IPv4 packets except for TCP and UDP packets. For information about navigating the CLI. • • • • Requirements on page 91 Overview on page 91 Configuration on page 91 Verification on page 94 Requirements No special configuration beyond device initialization is required before configuring this example. 91 . • • • Configure the Stateless Firewall Filter on page 92 Apply the Stateless Firewall Filter to a Logical Interface on page 92 Confirm and Commit Your Candidate Configuration on page 93 CLI Quick Configuration To quickly configure this example.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input filter1 Copyright © 2011.2. TCP and UDP packets are accepted if destined for the SSH port or the Telnet port. Configuration The following example requires you to navigate various levels in the configuration hierarchy. Overview In this example.Chapter 5: Standard Firewall Filter Configuration Example: Configuring a Filter to Match on Port and Protocol Fields This example shows how to configure a standard stateless firewall filter to match on destination port and protocol fields.0.

Configure a term to accept all traffic except for TCP and UDP packets.168/16 prefix.2.3/30 3.168. Configure a term to reject packets to or from the 192.0. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. Configure a term to accept packets destined for either the SSH port or the Telnet port. Create the IPv4 stateless firewall filter. [edit firewall family inet filter filter1] user@host# set term term2 from address 192. Configure the logical interface to which you will apply the stateless firewall filter. [edit firewall family inet filter filter1] user@host# set term term4 then reject Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1. Configure the interface address for the logical interface.4 Firewall Filter and Policer Configuration Guide Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter filter1: 1. [edit] user@host# edit firewall family inet filter filter1 2. Juniper Networks. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input filter1 92 Copyright © 2011.Junos OS 11. [edit firewall family inet filter filter1] user@host# set term term1 from protocol-except tcp user@host# set term term1 from protocol-except udp user@host# set term term1 then accept 3.0/16 user@host# set term term2 then reject 4. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2. Inc.1. Apply the stateless firewall filter to the logical interface. Configure the last term to reject all packets. . [edit firewall family inet filter filter1] user@host# set term term3 from destination-port ssh user@host# set term term3 from destination-port telnet user@host# set term term3 then accept 5.

} } term term3 { from { destination-port [ssh telnet].Chapter 5: Standard Firewall Filter Configuration Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. } Copyright © 2011. } } term term2 { from { address 192. [edit] user@host# show firewall family inet { filter filter1 { term term1 { from { protocol-except [tcp udp]. [edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input filter1. 93 . } then { accept. Confirm the configuration of the interface by entering the show interfaces configuration mode command. } } } } 2. If the command output does not display the intended configuration. } } term term4 { then { reject. Inc. If the command output does not display the intended configuration. Juniper Networks. repeat the instructions in this example to correct the configuration. repeat the instructions in this example to correct the configuration.168/16. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. } then { reject. } then { accept.

commit your candidate configuration.108/16. [edit] user@host# commit Verification To confirm that the configuration is working properly. enter the show firewall filter filter1 operational mode command. If you are done configuring the device.1.Junos OS 11. Overview In this example. Configuration The following example requires you to navigate various levels in the configuration hierarchy. and send an administratively-prohibited ICMP message for all packets that do not match. • • • • Requirements on page 94 Overview on page 94 Configuration on page 94 Verification on page 96 Requirements No special configuration beyond device initialization is required before configuring this example. To configure this example.3/30. Related Documentation • • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Filter to Match on IPv6 Flags on page 89 Example: Configuring a Filter to Match on Two Unrelated Criteria on page 94 Example: Configuring a Filter to Match on Two Unrelated Criteria This example shows how to configure a standard stateless firewall filter to match on two unrelated criteria. perform the following tasks: • • Configuring the IPv4 Firewall Filter on page 95 Applying the IPv4 Firewall Filter to a Logical Interface on page 96 94 Copyright © 2011. you use a standard stateless firewall filter to match IPv4 packets that are either OSPF packets or packets that come from an address in the prefix 10. Inc.2. see “Using the CLI Editor in Configuration Mode” on page 15. Juniper Networks. . } } } 3. For information about navigating the CLI.4 Firewall Filter and Policer Configuration Guide address 10.

Configure the second term to accept packets from any IPv4 address in a particular prefix. set firewall family inet filter ospf_or_131 term protocol_match from protocol ospf set firewall family inet filter ospf_or_131 term address-match from source-address 10.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input ospf_or_131 Configuring the IPv4 Firewall Filter Step-by-Step Procedure To configure the IPv4 firewall filter: 1. Because this is the last term in the filter.0.0/16. Configure the first term to accept OSPF packets. 95 . If the command output does not display the intended configuration.1. and then paste the commands into the CLI at the [edit] hierarchy level.0/16 set interfaces ge-0/0/1 unit 0 family inet address 10. Inc. Because another term follows this term. remove any line breaks. [edit] user@host# show firewall family inet { filter ospf_or_131 { term protocol_match { from { protocol ospf.Chapter 5: Standard Firewall Filter Configuration CLI Quick Configuration To quickly configure this example.0.0. } } } Copyright © 2011.108.108. Results Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. } } term address_match { from { source-address { 10. [edit] user@host# edit firewall family inet filter ospf_or_131 2.2. Enable configuration of the IPv4 firewall filter. repeat the instructions in this procedure to correct the configuration. packets that do not match this condition are evaluated by the next term. copy the following configuration commands into a text file. Juniper Networks. 3.0/16 Packets that match this condition are accepted by default. [edit firewall family inet filter ospf_or_131] user@host# set term protocol_match from protocol ospf Packets that match the condition are accepted by default. packets that do not match this condition are discarded by default.108. [edit firewall family inet filter ospf_or_131] user@host# set term address_match from source-address 10.

Enable configuration of a logical interface.3/30 3. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input ospf_or_131 Results Confirm the configuration of the interface by entering the show interfaces configuration mode command. . [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10.1. Inc. } } } If you are done configuring the device. enter the show firewall filter ospf_or_131 operational mode command.Junos OS 11. enter commit from configuration mode.3/30. Verification To confirm that the configuration is working properly. repeat the instructions in this procedure to correct the configuration. Apply the IPv4 firewall filter to the logical interface. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2.2. Related Documentation • • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Filter to Match on IPv6 Flags on page 89 Example: Configuring a Filter to Match on Port and Protocol Fields on page 91 96 Copyright © 2011. If the command output does not display the intended configuration. [edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input ospf_or_131.2. } address 10.4 Firewall Filter and Policer Configuration Guide } } Applying the IPv4 Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1. Configure an IP address for the logical interface.1. Juniper Networks.

remove any line breaks.Chapter 5: Standard Firewall Filter Configuration Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List This example shows how to configure a standard stateless firewall filter that limits certain TCP and Internet Control Message Protocol (ICMP) traffic destined for the Routing Engine: • • • • Requirements on page 97 Overview on page 97 Configuration on page 97 Verification on page 99 Requirements No special configuration beyond device initialization is required before configuring this example. Overview In this example. change any details necessary to match your network configuration. you create a stateless firewall filter that blocks all TCP connection attempts to port 179 from all requesters except the specified BGP peers. • Configure the Filter on page 98 CLI Quick Configuration To quickly configure this example. paste them into a text file.1/32 Copyright © 2011. The stateless firewall filter filter_bgp179 matches all packets from the source prefix list plist_bgp179 to the destination port number 179. 97 . Inc. For information about navigating the CLI. set policy-options prefix-list plist_bgp179 apply-path "protocols bgp group <*> neighbor <*>" set firewall family inet filter filter_bgp179 term 1 from source-address 0.0. Juniper Networks.0.0/0 set firewall family inet filter filter_bgp179 term 1 from source-prefix-list plist_bgp179 except set firewall family inet filter filter_bgp179 term 1 from destination-port bgp set firewall family inet filter filter_bgp179 term 1 then reject set firewall family inet filter filter_bgp179 term 2 then accept set interfaces lo0 unit 0 family inet filter input filter_bgp179 set interfaces lo0 unit 0 family inet address 127. see “Using the CLI Editor in Configuration Mode” on page 15. and then copy and paste the commands into the CLI at the [edit] hierarchy level. The source prefix list plist_bgp179 specifies the list of source prefixes that contain allowed BGP peers.0.0. copy the following commands. Configuration The following example requires you to navigate various levels in the configuration hierarchy.

and show policy-options commands. [edit firewall family inet filter filter_bgp179] user@host# set term term1 from source-address 0.0. repeat the instructions in this example to correct the configuration. confirm your configuration by entering the show firewall.0. } } } 98 Copyright © 2011. Inc. } source-prefix-list { plist_bgp179 except.0. } destination-port bgp.0. [edit firewall family inet filter filter_bgp179] user@host# set term term2 then accept • Apply the firewall filter to the loopback interface.0/0 user@host# set term term1 from source-prefix-list bgp179 except user@host# set term term1 from destination-port bgp user@host# set term term1 then reject • Define the other filter term to accept all packets.0. [edit policy-options prefix-list plist_bgp179] user@host# set apply-path "protocols bgp group <*> neighbor <*>" • Define the filter term that rejects TCP connection attempts to port 179 from all requesters except the specified BGP peers.0/0. } then { reject. show interfaces . } } term 2 { then { accept. [edit interfaces lo0 unit 0 family inet] user@host# set filter input filter_bgp179 user@host# set address 127.0.1/32 Results From configuration mode. user@host# show firewall family inet { filter filter_bgp179 { term 1 { from { source-address { 0. Juniper Networks.4 Firewall Filter and Policer Configuration Guide Configure the Filter Step-by-Step Procedure To configure the filter: • Expand the prefix list bgp179 to include all prefixes pointed to by the BGP peer group defined by protocols bgp group <*> neighbor <*>.Junos OS 11. . If the output does not display the intended configuration.

for every BGP-enabled device in the network.Chapter 5: Standard Firewall Filter Configuration } user@host# show interfaces lo0 { unit 0 { family inet { filter { input filter_bgp179.0. 99 .0. enter commit from configuration mode. Generation: 145. using the appropriate interface names and addresses for each BGP-enabled device. } address 127. Inc. } } } user@host# show policy-options prefix-list plist_bgp179 { apply-path "protocols bgp group <*> neighbor <*>". Under the Protocol inet section of the command output section. and include the detail option. Verification Confirm that the configuration is working properly.0 (Index 321) (SNMP ifIndex 16) (Generation 130) Flags: SNMP-Traps Encapsulation: Unspecified Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet.0.0. Use the show interfaces statistics operational mode command for logical interface lo0. } If you are done configuring the device. Displaying the Firewall Filter Applied to the Loopback Interface Purpose Verify that the firewall filter filter_bgp179 is applied to the IPv4 input traffic at logical interface lo0.1/32. the Input Filters field displays the name of the stateless firewall filter applied to the logical interface in the input direction: [edit] user@host> show interfaces statistics lo0. Juniper Networks. Repeat the procedure.0 detail Logical interface lo0. where appropriate. Route table: 0 Action Copyright © 2011. MTU: Unlimited.

and these are counted. all packets that passed though the first term (that is.0/24 except causes this address to be considered a mismatch. and this address is passed to the next term in the filter. Flags: Primary Destination: Unspecified. Inc. and rejected.0/0 matches all other packets.168. logged. packets whose address matches 192. .168. you use a stateless firewall filter to reject all addresses except 192. Broadcast: Unspecified.1.5. Juniper Networks. Topology In the first term. The match condition address 0. Overview In this example. Local: 127. • • • • Requirements on page 100 Overview on page 100 Configuration on page 101 Verification on page 103 Requirements No special configuration beyond device initialization is required before configuring this example.0. the match condition address 192.0.0. In the second term.0/24. Generation: 138 Related Documentation • • • Understanding How to Use Standard Firewall Filters on page 29 Firewall Filter Match Conditions Based on Address Fields on page 37 Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods on page 143 Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags on page 149 “prefix-list” in the Junos OS Routing Policy Configuration Guide • • Standard Firewall Filters That Count Packets • • • Example: Configuring a Filter to Count Accepted and Rejected Packets on page 100 Example: Configuring a Filter to Count and Discard IP Options Packets on page 103 Example: Configuring a Filter to Count IP Options Packets on page 106 Example: Configuring a Filter to Count Accepted and Rejected Packets This example shows how to configure a firewall filter to count packets. and accepted.0/24) are counted.5.Junos OS 11.0. 100 Copyright © 2011.4 Firewall Filter and Policer Configuration Guide Flags: Sendbcast-pkt-to-re Input Filters: filter_bgp179 Addresses.168. logged.5.

0/24 prefix.5. Create the stateless firewall filter fire1. [edit] user@host# edit firewall family inet filter fire1 2.5.5.168. Juniper Networks. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 101 Apply the Stateless Firewall Filter to a Logical Interface on page 102 Confirm and Commit Your Candidate Configuration on page 102 CLI Quick Configuration To quickly configure this example. set firewall family inet filter fire1 term 1 from address 192.2. and reject all other packets.3/30 Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter fire1: 1. Configure the next term to count. Configure the first term to reject all addresses except those to or from the 192. To configure this example.0/0 set firewall family inet filter fire1 term 1 then count reject_pref1_1 set firewall family inet filter fire1 term 1 then log set firewall family inet filter fire1 term 1 then reject set firewall family inet filter fire1 term 2 then count reject_pref1_2 set firewall family inet filter fire1 term 2 then log set firewall family inet filter fire1 term 2 then accept set interfaces ge-0/0/1 unit 0 family inet filter input fire1 set interfaces ge-0/0/1 unit 0 family inet address 10.0.168.0/24 except user@host# set term 1 from address 0. remove any line breaks.0.1. copy the following configuration commands into a text file.0/0 user@host# set term 1 then count reject_pref1_1 user@host# set term 1 then log user@host# set term 1 then reject 3. For information about navigating the CLI.0/24 except set firewall family inet filter fire1 term 1 from address 0. log. 101 . [edit firewall family inet filter fire1] user@host# set term 2 then count reject_pref1_2 user@host# set term 2 then log user@host# set term 2 then accept Copyright © 2011. see “Using the CLI Editor in Configuration Mode” on page 15. Inc.0/24 prefix and then count.Chapter 5: Standard Firewall Filter Configuration Configuration The following example requires you to navigate various levels in the configuration hierarchy. [edit firewall family inet filter fire1] user@host# set term 1 from address 192.5. and then paste the commands into the CLI at the [edit] hierarchy level.168. and accept packets in the 192.168.0.0. log.

Configure the logical interface to which you will apply the stateless firewall filter. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. } } then { count reject_pref1_1. Configure the interface address for the logical interface. If the command output does not display the intended configuration.3/30 3. reject. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input fire1 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1.Junos OS 11.4 Firewall Filter and Policer Configuration Guide Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1. } } term 2 { then { count reject_pref1_2.0/0. accept. .0.0/24 except. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. [edit] user@host# show firewall family inet { filter fire1 { term 1 { from { address { 192.1. repeat the instructions in this example to correct the configuration.0. } } } } 102 Copyright © 2011. 0.2. log. Inc.168.5. log. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2. Apply the stateless firewall filter to the logical interface. Juniper Networks.

} } } 3. • • • • Requirements on page 103 Overview on page 104 Configuration on page 104 Verification on page 106 Requirements No special configuration beyond device initialization is required before configuring this example. commit your candidate configuration.2. } address 10. Inc. Juniper Networks.Chapter 5: Standard Firewall Filter Configuration 2. If you are done configuring the device. You can also display the log and individual counters separately by using the following forms of the command: • • • show firewall counter reject_pref1_1 show firewall counter reject_pref1_2 show firewall log Related Documentation • • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Filter to Count IP Options Packets on page 106 Example: Configuring a Filter to Count and Discard IP Options Packets on page 103 Example: Configuring a Filter to Count and Discard IP Options Packets This example shows how to configure a standard stateless firewall to count packets. Copyright © 2011.3/30. [edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input fire1. [edit] user@host# commit Verification To confirm that the configuration is working properly. enter the show firewall filter fire1 operational mode command. 103 .1. repeat the instructions in this example to correct the configuration. Confirm the configuration of the interface by entering the show interfaces configuration mode command. If the command output does not display the intended configuration.

set firewall family inet filter block_ip_options term 10 from ip-options any set firewall family inet filter block_ip_options term 10 then count option_any set firewall family inet filter block_ip_options term 10 then discard set firewall family inet filter block_ip_options term 999 then accept set interfaces ge-0/0/1 unit 0 family inet filter input block_ip_options set interfaces ge-0/0/1 unit 0 family inet address 10. Inc. For information about navigating the CLI. Juniper Networks. 60-Gigabit Queuing Ethernet MPC. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 104 Apply the Stateless Firewall Filter to a Logical Interface on page 105 Confirm and Commit Your Candidate Configuration on page 105 CLI Quick Configuration To quickly configure this example. you use a standard stateless firewall filter to count and discard packets that include any IP option value but accept all other packets.4 Firewall Filter and Policer Configuration Guide Because the filter term matches on any IP option value.3/30 Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter: 1. 60-Gigabit Ethernet MPC. or 60-Gigabit Ethernet Enhanced Queuing MPC on an MX Series router. see “Using the CLI Editor in Configuration Mode” on page 15.1. [edit] user@host# edit firewall family inet filter block_ip_options 2. and then paste the commands into the CLI at the [edit] hierarchy level. [edit firewall family inet filter block_ip_options] user@host# set term 10 from ip-options any user@host# set term 10 then count option_any user@host# set term 10 then discard 104 Copyright © 2011. copy the following configuration commands into a text file. . Configure the first term to count and discard packets that include any IP options header fields. remove any line breaks.Junos OS 11. Overview In this example. Configuration The following example requires you to navigate various levels in the configuration hierarchy. Create the stateless firewall filter block_ip_options.2. The IP option header field is an optional field in IPv4 headers only. The ip-options and ip-options-except match conditions are supported for standard stateless firewall filters and service filters only. the filter term can use the count nonterminating action without the discard terminating action or (alternatively) without requiring an interface on a 10-Gigabit Ethernet Modular Port Concentrator (MPC). To configure this example.

[edit] user@host# show firewall family inet { filter block_ip_options { term 10 { from { ip-options any. Juniper Networks. Apply the stateless firewall filter to the logical interface. If the command output does not display the intended configuration. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input block_ip_options Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. [edit firewall family inet filter block_ip_options] user@host# set term 999 then accept Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1. If the command output does not display the intended configuration.1. Configure the interface address for the logical interface. repeat the instructions in this example to correct the configuration. } } } 2. } } term 999 { then accept. 105 . [edit] user@host# show interfaces ge-0/0/1 { Copyright © 2011. discard. repeat the instructions in this example to correct the configuration.2. Configure the logical interface to which you will apply the stateless firewall filter. Confirm the configuration of the interface by entering the show interfaces configuration mode command. Inc. Configure the other term to accept all other packets. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command.3/30 3. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2.Chapter 5: Standard Firewall Filter Configuration 3. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. } then { count option_any.

log. and syslog nonterminating actions on packets that match a specific ip-option value without having to also use the discard terminating action.3/30. If you are done configuring the device. enter the show firewall filter block_ip_options operational mode command.1. } address 10. [edit] user@host# commit Verification To confirm that the configuration is working properly. 60-Gigabit Queuing Ethernet MPC. you use a stateless firewall filter to count IP options packets but not block any traffic. . Related Documentation • • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Filter to Count Accepted and Rejected Packets on page 100 Example: Configuring a Filter to Count IP Options Packets on page 106 Example: Configuring a Filter to Count IP Options Packets This example shows how use a stateless firewall filter to count individual IP options packets: • • • • Requirements on page 106 Overview on page 106 Configuration on page 107 Verification on page 111 Requirements This example uses an interface on a 10-Gigabit Ethernet Modular Port Concentrator (MPC). } } } 3. or 60-Gigabit Ethernet Enhanced Queuing MPC on an MX Series router. This interface enables you to apply an IPv4 firewall filter (standard or service filter) that can use the count. commit your candidate configuration.2. enter the show firewall count option_any form of the command. 60-Gigabit Ethernet MPC. the filter logs packets that have loose or strict source routing. To display the count of discarded packets separately. No special configuration beyond device initialization is required before configuring this example. Overview In this example.4 Firewall Filter and Policer Configuration Guide unit 0 { family inet { filter { input block_ip_options.Junos OS 11. Juniper Networks. Inc. Also. 106 Copyright © 2011.

Inc. To configure this example. The ip-options and ip-options-except match conditions are supported for standard stateless firewall filters and service filters only. see “Using the CLI Editor in Configuration Mode” on page 15. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 108 Apply the Stateless Firewall Filter to a Logical Interface on page 109 Confirm and Commit Your Candidate Configuration on page 109 CLI Quick Configuration To quickly configure this example. Configuration The following example requires you to navigate various levels in the configuration hierarchy.Chapter 5: Standard Firewall Filter Configuration The IP option header field is an optional field in IPv4 headers only. copy the following configuration commands into a text file. 107 . For information about navigating the CLI.2.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input ip_options_filter Copyright © 2011. remove any line breaks. set firewall family inet filter ip_options_filter term match_strict_source from ip-options strict-source-route set firewall family inet filter ip_options_filter term match_strict_source then count strict_source_route set firewall family inet filter ip_options_filter term match_strict_source then log set firewall family inet filter ip_options_filter term match_strict_source then accept set firewall family inet filter ip_options_filter term match_loose_source from ip-options loose-source-route set firewall family inet filter ip_options_filter term match_loose_source then count loose_source_route set firewall family inet filter ip_options_filter term match_loose_source then log set firewall family inet filter ip_options_filter term match_loose_source then accept set firewall family inet filter ip_options_filter term match_record from ip-options record-route set firewall family inet filter ip_options_filter term match_record then count record_route set firewall family inet filter ip_options_filter term match_record then accept set firewall family inet filter ip_options_filter term match_timestamp from ip-options timestamp set firewall family inet filter ip_options_filter term match_timestamp then count timestamp set firewall family inet filter ip_options_filter term match_timestamp then accept set firewall family inet filter ip_options_filter term match_router_alert from ip-options router-alert set firewall family inet filter ip_options_filter term match_router_alert then count router_alert set firewall family inet filter ip_options_filter term match_router_alert then accept set firewall family inet filter ip_options_filter term match_all then accept set interfaces ge-0/0/1 unit 0 family inet address 10. and then paste the commands into the CLI at the [edit] hierarchy level.1. Juniper Networks.

[edit firewall family inet filter ip_option_filter] user@host# set term match_strict_source from ip-options strict_source_route user@host# set term match_strict_source then count strict_source_route user@host# set term match_strict_source then log user@host# set term match_strict_source then accept 3. and accept packets with the loose-source-route IP optional header field. [edit] user@host# edit firewall family inet filter ip_options_filter 2. Create the last term to accept any packet without incrementing any counters. [edit firewall family inet filter ip_option_filter] user@host# set term match_loose_source from ip-options loose-source-route user@host# set term match_loose_source then count loose_source_route user@host# set term match_loose_source then log user@host# set term match_loose_source then accept 4. Configure the next term to count and accept packets with the router-alert IP optional header field. .4 Firewall Filter and Policer Configuration Guide Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter ip_option_filter: 1. [edit firewall family inet filter ip_option_filter] user@host# set term match_router_alert from ip-options router-alert user@host# set term match_router_alert then count router_alert user@host# set term match_router_alert then accept 7.Junos OS 11. Configure the first term to count. Inc. [edit firewall family inet filter ip_option_filter] user@host# set term match_timestamp from ip-options timestamp user@host# set term match_timestamp then count timestamp user@host# set term match_timestamp then accept 6. Configure the next term to count. and accept packets with the strict_source_route IP optional header field. Configure the next term to count and accept packets with the timestamp IP optional header field. [edit firewall family inet filter ip_option_filter] user@host# set term match_all then accept 108 Copyright © 2011. Configure the next term to count and accept packets with the record-route IP optional header field. Juniper Networks. Create the stateless firewall filter ip_option_filter. log. log. [edit firewall family inet filter ip_option_filter] user@host# set term match_record from ip-options record-route user@host# set term match_record then count record_route user@host# set term match_record then accept 5.

Inc. Apply the stateless firewall filter to the logical interface. Configure the logical interface to which you will apply the stateless firewall filter.2.3/30 3. 109 . log. } } term match_loose_source { from { ip-options loose-source-route. } } term match_record { from { ip-options record-route.Chapter 5: Standard Firewall Filter Configuration Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input ip_options_filter Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. If the command output does not display the intended configuration. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. repeat the instructions in this example to correct the configuration. } then { count strict_source_route.1. Configure the interface address for the logical interface. Copyright © 2011. [edit] user@host# show firewall family inet { filter ip_options_filter { term match_strict_source { from { ip-options strict-source-route. } then { count record_route. } then { count loose_source_route. log. accept. accept. Juniper Networks. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2.

Confirm the configuration of the interface by entering the show interfaces configuration mode command. If you are done configuring the device. accept. Inc. } } term match_router_alert { from { ip-options router-alert. Juniper Networks.3/30. [edit] user@host# commit 110 Copyright © 2011. repeat the instructions in this example to correct the configuration. [edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input ip_option_filter. . commit your candidate configuration. } address 10.4 Firewall Filter and Policer Configuration Guide accept. accept. } } } 3. } } } 2. If the command output does not display the intended configuration.1. } then { count timestamp.Junos OS 11.2. } } term match_timestamp { from { ip-options timestamp. } then { count router_alert. } } term match_all { then accept.

you use a stateless firewall filter to match packets on DSCP bit patterns.Chapter 5: Standard Firewall Filter Configuration Verification To confirm that the configuration is working properly. and the DSCP is set to 0. If the DSCP is 2. the packet is classified to the best-effort forwarding class. You can also display the log and individual counters separately by using the following forms of the command: • • • • • • show firewall counter strict_source_route show firewall counter loose_source_route show firewall counter record_route show firewall counter timestamp show firewall counter router_alert show firewall log Related Documentation • • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Filter to Count Accepted and Rejected Packets on page 100 Example: Configuring a Filter to Count and Discard IP Options Packets on page 103 Standard Firewall Filters That Act on Packets • • Example: Configuring a Filter to Set the DSCP Bit to Zero on page 111 Example: Configuring a Filter to Count and Sample Accepted Packets on page 114 Example: Configuring a Filter to Set the DSCP Bit to Zero This example shows how to configure a standard stateless firewall filter based on the Differentiated Services code point (DSCP). If the DSCP is 3. 111 . Overview In this example. • • • • Requirements on page 111 Overview on page 111 Configuration on page 112 Verification on page 114 Requirements No special configuration beyond device initialization is required before configuring this example. the packet is classified to the best-effort forwarding class. Juniper Networks. enter the show firewall filter ip_option_filter operational mode command. Inc. Copyright © 2011.

Configure the other term to match a packet with a DSCP of 3 and classify the packet to the best-effort forwarding class. see “Using the CLI Editor in Configuration Mode” on page 15. [edit firewall filter filter1] user@host# set term 2 from dscp 3 user@host# set term 2 then forwarding-class best-effort Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to the logical interface corresponding to the VPN routing and forwarding (VRF) instance: 1. For information about navigating the CLI. . change the DSCP to 0. Configure the first term to match a packet with a DSCP of 2. Create the stateless firewall filter. Inc. and then paste the commands into the CLI at the [edit] hierarchy level. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 112 Apply the Stateless Firewall Filter to a Logical Interface on page 112 Confirm and Commit Your Candidate Configuration on page 113 CLI Quick Configuration To quickly configure this example. and classify the packet to the best-effort forwarding class. Juniper Networks. copy the following configuration commands into a text file.4 Firewall Filter and Policer Configuration Guide Configuration The following example requires you to navigate various levels in the configuration hierarchy. [edit] user@host# edit firewall filter filter1 2. Configure the logical interface to which you will apply the stateless firewall filter. [edit] user@host# edit interfaces so-0/1/0 unit 0 family inet 112 Copyright © 2011. [edit firewall filter filter1] user@host# set term 1 from dscp 2 user@host# set term 1 then forwarding-class best-effort user@host# set term 1 then dscp 0 3.Junos OS 11. set firewall filter filter1 term 1 from dscp 2 set firewall filter filter1 term 1 then forwarding-class best-effort set firewall filter filter1 term 1 then dscp 0 set firewall filter filter1 term 2 from dscp 3 set firewall filter filter1 term 2 then forwarding-class best-effort set interfaces so-0/1/0 unit 0 family inet filter input filter1 Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter filter1: 1. To configure this example. remove any line breaks.

If you are done configuring the device. } } } 2. Juniper Networks. [ input filter1] user@host# set filter input filter1 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. } then { forwarding-class best-effort. } } term term2 { from { dscp 3. Confirm the configuration of the interface by entering the show interfaces configuration mode command. [edit] user@host# show firewall filter filter1 { term term1 { from { dscp 2. If the command output does not display the intended configuration. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. [edit] user@host# show interfaces so-0/1/0 { unit 0 { family inet { filter input filter1. commit your candidate configuration. repeat the instructions in this example to correct the configuration.Chapter 5: Standard Firewall Filter Configuration 2. } } } 3. Inc. 113 . dscp 0. repeat the instructions in this example to correct the configuration. Apply the stateless firewall filter to the logical interface. } then { forwarding-class best-effort. If the command output does not display the intended configuration. [edit] user@host# commit Copyright © 2011.

To log the rejected packets. Overview In this example. enter the following operational mode commands: • show class-of-service—Displays the entire class-of-service (CoS) configuration. Inc. use an RPF check fail filter. NOTE: When you enable reverse path forwarding (RPF) on an interface with an input filter for firewall log and count. Before you begin. .4 Firewall Filter and Policer Configuration Guide Verification To confirm that the configuration is working properly. including system-chosen defaults. Related Documentation • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Filter to Count and Sample Accepted Packets on page 114 Example: Configuring a Filter to Count and Sample Accepted Packets This example shows how to configure a standard stateless firewall filter to count and sample accepted packets.Junos OS 11. configure traffic sampling by including the sampling statement at the [edit forwarding-options] hierarchy level. • • • • Requirements on page 114 Overview on page 114 Configuration on page 114 Verification on page 116 Requirements No special configuration beyond device initialization is required before configuring this example. you use a standard stateless firewall filter to count and sample all packets received on a logical interface. 114 Copyright © 2011. Configuration The following example requires you to navigate various levels in the configuration hierarchy. the input firewall filter does not log the packets rejected by RPF. For information about navigating the CLI. although the rejected packets are counted. • show class-of-service classifier type dscp—Displays only the classifiers of the DSCP for IPv4 type. see “Using the CLI Editor in Configuration Mode” on page 15. Juniper Networks.

Configure the term to count and sample all packets. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 115 Apply the Stateless Firewall Filter to a Logical Interface on page 115 Confirm and Commit Your Candidate Configuration on page 116 CLI Quick Configuration To quickly configure this example. Create the stateless firewall filter sam. remove any line breaks.3/30 set interfaces at-2/0/0 unit 301 family inet filter input sam Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter sam: 1. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input sam NOTE: The Junos OS does not sample packets originating from the router. 115 . then only the transit packets going through that interface are sampled.1. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2. and then paste the commands into the CLI at the [edit] hierarchy level. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. Configure the interface address for the logical interface. Apply the stateless firewall filter to the logical interface.3/30 3.2. Inc.Chapter 5: Standard Firewall Filter Configuration To configure this example. Copyright © 2011. [edit firewall family inet filter sam] user@host# set term all then count count_sam user@host# set term all then sample Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1. set firewall family inet filter sam term all then count count_sam set firewall family inet filter sam term all then sample set interfaces at-2/0/0 unit 301 family inet address 10. Juniper Networks.1. [edit] user@host# edit firewall family inet filter sam 2.2. Configure the logical interface to which you will apply the stateless firewall filter. If you configure a filter and apply it to the output side of an interface. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled. copy the following configuration commands into a text file.

[edit] user@host# show firewall family inet { filter sam { term all { then { count count_sam.Junos OS 11. Confirm the configuration of the interface by entering the show interfaces configuration mode command. sample. 116 Copyright © 2011.1. repeat the instructions in this example to correct the configuration. Inc. } } } } 3. If the command output does not display the intended configuration. Juniper Networks. [edit] user@host# commit Verification Confirm that the configuration is working properly. commit your candidate configuration. If the command output does not display the intended configuration. [edit] user@host# show interfaces interfaces { at-2/0/0 { unit 301 { family inet { filter { input sam. If you are done configuring the device.3/30. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. . • • • Displaying the Packet Counter on page 116 Displaying the Firewall Filter Log Output on page 117 Displaying the Sampling Output on page 117 Displaying the Packet Counter Purpose Verify that the firewall filter is evaluating packets. repeat the instructions in this example to correct the configuration. } address 10. # default action is accept } } } } 2.2.4 Firewall Filter and Policer Configuration Guide Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1.

Juniper Networks.211.2.1:49552 10.301 23:02:27 A at-2/0/0.211.301 23:01:22 A at-2/0/0. A hyphen (-) or the abbreviation pfe indicates that the packet was handled by the Packet Forwarding Engine.211.301 Pro TCP TCP ICM TCP TCP ICM ICM ICM ICM Source address 10. Displaying the Sampling Output Purpose Verify that the sampling output contains appropriate data.2.211.301 23:01:19 A at-2/0/0.2.211.0.101 10. 117 . Filter—Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level.101 10.301 23:02:25 A at-2/0/0.301 23:01:21 A at-2/0/0.1:56 10.1:26873 Meaning This output file contains the following fields: • • Time—Time at which the packet was received (not shown in the default).1:80 10.0.2.211.25 10.211. A space (no hyphen) indicates that the packet was handled by the Routing Engine.25 10. • • • Pro—Packet’s protocol name or number.2. • A—Filter action: • • • A—Accept (or next term) D—Discard R—Reject • Interface—Interface on which the filter is configured.211.211.211.25 10.25 10. NOTE: We strongly recommend that you always explicitly configure an action in the then statement.2.301 23:09:07 A at-2/0/0.0.2.101 10.25 10.101 Destination address 10. Copyright © 2011.0.Chapter 5: Standard Firewall Filter Configuration Action user@host> show firewall filter sam Filter: Counters: Name Bytes sam sam-1 98 Packets 8028 Displaying the Firewall Filter Log Output Purpose Action Display the packet header information for all packets evaluated by the firewall filter.211.211.1:23251 10. Destination address—Destination IP address in the packet.1:29471 10.211. Inc.2.0.301 23:01:20 A at-2/0/0. user@host> show firewall log Time Filter A Interface 23:09:09 A at-2/0/0.301 23:09:07 A at-2/0/0.1:80 10.211.211.2.2.211.211.2.211.2. Source address—Source IP address in the packet.1:56 10.1:16557 10.2.

9.9.2.gz Size: 57.Junos OS 11.1.168.168.9. Inc.194 192.gz Size: 15017. • • • • Requirements on page 118 Overview on page 119 Configuration on page 119 Verification on page 121 Requirements No special configuration beyond device initialization is required before configuring stateless firewall filters.0.9.168. Juniper Networks.194 192. Last changed: Dec 19 13:15:54 wtmp.195 0 0 1 Apr 7 15:48:56 192. .4 Firewall Filter and Policer Configuration Guide Action wtmp.195 0 0 1 TOS Pkt Intf IP TCP len num frag flags 0x0 84 8 0x0 0x0 0x0 84 8 0x0 0x0 0x0 84 8 0x0 0x0 Related Documentation • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Filter to Set the DSCP Bit to Zero on page 111 Standard Firewall Filters for Trusted Sources • Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources on page 118 Example: Configuring a Filter to Block Telnet and SSH Access on page 123 Example: Configuring a Filter to Block TFTP Access on page 129 Example: Configuring a Filter to Accept OSPF Packets from a Prefix on page 132 Example: Configuring a Filter to Accept DHCP Packets Based on Address on page 134 Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers on page 137 • • • • • Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources This example shows how to create a stateless firewall filter that protects the Routing Engine from traffic originating from untrusted sources.9.195 0 0 1 Apr 7 15:48:55 192.168.9. Last changed: Nov 19 13:47:29 wtmp.168. Last changed: Oct 20 15:24:34 | Pipe through a command user@host> show log /var/tmp/sam # Apr 7 15:48:50 Time Dest Src Dest Src Proto addr addr port port Apr 7 15:48:54 192.gz Size: 493.168. 118 Copyright © 2011.194 192.

and then copy and paste the commands into the CLI at the [edit] hierarchy level. remove any line breaks.0/24 and a destination port that specifies BGP.Chapter 5: Standard Firewall Filter Configuration Overview In this example.122. To configure the stateless firewall filter: 1. Configuration CLI Quick Configuration To quickly configure this example. Create the first filter term. you create a stateless firewall filter called protect-RE that discards all traffic destined for the Routing Engine except SSH and BGP protocol packets from specified trusted sources. This example includes the following firewall filter terms: • ssh-term—Accepts TCP packets with a source address of 192.122.2.168. Create the stateless firewall filter.1.1. change any details necessary to match your network configuration. NOTE: You can move terms within the firewall filter using the insert command. creates a firewall filter log and system logging records. See insert in the Junos OS CLI User Guide. [edit firewall family inet filter protect-RE] Copyright © 2011. Inc.2. [edit] user@host# edit firewall family inet filter protect-RE 2. then discards all packets. paste them into a text file. see “Using the CLI Editor in Configuration Mode” on page 15 in the Junos OS CLI User Guide.0/24 set firewall family inet filter protect-RE term ssh-term from protocol tcp set firewall family inet filter protect-RE term ssh-term from destination-port ssh set firewall family inet filter protect-RE term ssh-term then accept set firewall family inet filter protect-RE term bgp-term from source-address 10. set firewall family inet filter protect-RE term ssh-term from source-address 192.0/24 set firewall family inet filter protect-RE term bgp-term from protocol tcp set firewall family inet filter protect-RE term bgp-term from destination-port bgp set firewall family inet filter protect-RE term bgp-term then accept set firewall family inet filter protect-RE term discard-rest-term then log set firewall family inet filter protect-RE term discard-rest-term then syslog set firewall family inet filter protect-RE term discard-rest-term then discard set interfaces lo0 unit 0 family inet filter input protect-RE Step-by-Step Procedure The following example requires you to navigate various levels in the configuration hierarchy. 119 .168. For instructions on how to do that. Juniper Networks.0/24 and a destination port that specifies SSH. • bgp-term—Accepts TCP packets with a source address of 10. • discard-rest-term—For all packets that are not accepted by ssh-term or bgp-term. copy the following commands.

destination-port ssh. and source address match conditions for the term.122. Create the second filter term.1. 120 Copyright © 2011.Junos OS 11. If the output does not display the intended configuration. } protocol tcp. Apply the filter to the input side of the Routing Engine interface. Juniper Networks. Inc. repeat the instructions in this example to correct the configuration. destination port.0/24. Define the action for the term. user@host# show firewall family inet { filter protect-RE { term ssh-term { from { source-address { 192. Define the protocol.168. [edit firewall family inet filter protect-RE term bgp-term] user@host# set then accept 8. destination port. Define the protocol. [edit firewall family inet filter protect-RE term discard-rest] user@host# set then log syslog discard 10. and source address match conditions for the term.168. Define the actions for the term. Create the third filter term. [edit firewall family inet filter protect-RE term ssh-term] user@host# set then accept 5. [edit firewall family inet filter protect-RE] user@host# edit term discard-rest-term 9. [edit firewall family inet filter protect-RE term bgp-term] user@host# set from protocol tcp destination-port bgp source-address 10.122. [edit firewall family inet filter protect-RE] user@host# edit term bgp-term 6. [edit] user@host# set interfaces lo0 unit 0 family inet filter input protect-RE Results Confirm your configuration by entering the show firewall command and the show interfaces lo0 command from configuration mode. Define the action for the term.2. [edit firewall family inet filter protect-RE term ssh-term] user@host# set from protocol tcp destination-port ssh source-address 192.0/24 7. .0/24 4.4 Firewall Filter and Policer Configuration Guide user@host# edit term ssh-term 3.

} then accept. From configuration mode. } } } } user@host# show interfaces lo0 unit 0 { family inet { filter { input protect-RE. Inc. and Trusted Sources Firewall Filter on page 122 Displaying Stateless Firewall Filter Logs on page 122 Displaying Stateless Firewall Filter Configurations Purpose Action Verify the configuration of the firewall filter.2. } } If you are done configuring the device. } term discard-rest-term { then { log.Chapter 5: Standard Firewall Filter Configuration } then accept.0. [edit] user@host# commit Verification To confirm that the configuration is working properly. discard.1.0. } term bgp-term { from { source-address { 10. perform these tasks: • • • Displaying Stateless Firewall Filter Configurations on page 121 Verifying a Services. syslog. Protocols. enter the show firewall command and the show interfaces lo0 command. enter commit from configuration mode. 121 .1/32. } protocol tcp. Copyright © 2011. } address 127.0/24. Juniper Networks. destination-port bgp.

verify that packets matching the term are recorded in the firewall log or your system logging facility.71 inet.Junos OS 11. verify that the filter actions are not taken for packets that do not match. The show route summary command does not display a protocol other than Direct.168. . If you included the log or syslog action in a term.0/24 to verify that you can log in to the device using only SSH from a host with this address prefix. BGP. Verifying a Services. In addition.4-20040518. or Static. Use the show route summary command to verify that the routing table on the device does not contain any entries with a protocol other than Direct. verify that the terms are listed in the order in which you want the packets to be tested. 9 active Local: 9 routes. and Trusted Sources Firewall Filter Purpose Action Verify that the actions of the firewall filter terms are taken.0 (JSERIES) #0: 2004-05-18 09:27:50 UTC user@host> user@host> show route summary Router ID: 192.168. • Use the ssh host-name command from a host at an IP address that matches 192.0: 34 destinations.122. or Static.4 Firewall Filter and Policer Configuration Guide Meaning Verify that the output shows the intended configuration of the firewall filter.. • Sample Output % ssh 192. 5 active . From operational mode. Send packets to the device that match the terms. Protocols. 10 active Static: 5 routes. Inc. Local. Meaning Verify the following information: • • You can successfully log in to the device using SSH.249. In addition. 34 routes (33 active.JUNOS 6. BGP..71 %ssh host user@host's password: --. Local. enter the show firewall log command. Action Sample Output user@host> show firewall log 122 Copyright © 2011. Displaying Stateless Firewall Filter Logs Purpose Verify that packets are being logged. 1 hidden) Direct: 10 routes.249.168. 9 active BGP: 10 routes. Juniper Networks. You can move terms within a firewall filter by using the insert CLI command. 0 holddown.

28.28.17. The Filter output is always pfe.70.17.0 ge-0/0/0.168.70.168.19 172. D (discard). the time of day the packet was filtered is shown. Under Protocol.17. the protocol in the IP header of the packet is appropriate for the filter. the inbound (ingress) interface on which the packet arrived is appropriate for the filter.71 192. R (reject).19 172.70. • • • • Related Documentation • • • • • Junos OS Feature Support Reference for SRX Series and J Series Devices show route summary in the Junos OS Routing Protocols and Policies Command Reference show firewall in the Junos OS Routing Protocols and Policies Command Reference show firewall log in the Junos OS Routing Protocols and Policies Command Reference show interfaces (Loopback) in the Junos OS Interfaces Command Reference Example: Configuring a Filter to Block Telnet and SSH Access • • • • Requirements on page 123 Overview on page 124 Configuration on page 124 Verification on page 126 Requirements You must have access to a remote host that has network connectivity with this router.71 Meaning Each record of the output contains information about the logged packet. Under Action.0 ge-0/0/0. the source address in the IP header of the packet is appropriate for the filter. the destination address in the IP header of the packet is appropriate for the filter.19 Dest Addr 192. 123 . Inc. the configured action of the term matches the action taken on the packet—A (accept).168.19 172.70. Verify the following information: • • • Under Time. Filter pfe pfe pfe pfe Action D D D D Interface ge-0/0/0.28.Chapter 5: Standard Firewall Filter Configuration Log : Time 15:11:02 15:11:01 15:11:01 15:11:01 . Under Src Addr. Under Dest Addr.0 Protocol TCP TCP TCP TCP Src Addr 172.71 192.168. Copyright © 2011.0 ge-0/0/0.. Juniper Networks.17.71 192. Under Interface..28.

1. Juniper Networks.1. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 124 Apply the Firewall Filter to the Loopback Interface on page 125 Confirm and Commit Your Candidate Configuration on page 125 CLI Quick Configuration To quickly configure this example. see “Using the CLI Editor in Configuration Mode” on page 15.1. and then paste the commands into the CLI at the [edit] hierarchy level. • To match packets destined for or originating from the address 192.0/24 set firewall family inet filter local_acl term terminal_access from protocol tcp set firewall family inet filter local_acl term terminal_access from port ssh set firewall family inet filter local_acl term terminal_access from port telnet set firewall family inet filter local_acl term terminal_access then accept set firewall family inet filter local_acl term terminal_access_denied from protocol tcp set firewall family inet filter local_acl term terminal_access_denied from port ssh set firewall family inet filter local_acl term terminal_access_denied from port telnet set firewall family inet filter local_acl term terminal_access_denied then log set firewall family inet filter local_acl term terminal_access_denied then reject set firewall family inet filter local_acl term default-term then accept set interfaces lo0 unit 0 family inet filter input local_acl set interfaces lo0 unit 0 family inet address 127. For information about navigating the CLI.168. you create an IPv4 stateless firewall filter that logs and rejects Telnet or SSH access packets unless the packet is destined for or originates from the 192. and telnet ssh IPv4 match conditions. port telnet.1.Junos OS 11.0/24 IPv4 match condition. To configure this example.168. Telnet port.1/32 Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter that selectively blocks Telnet and SSH access: 1.0/24 124 Copyright © 2011. .4 Firewall Filter and Policer Configuration Guide Overview In this example. Create the stateless firewall filter local_acl. or SSH port. remove any line breaks. To match packets destined for or originating from a TCP port.168. you use the address 192. [edit] user@myhost# edit firewall family inet filter local_acl 2. you use the protocol tcp. copy the following configuration commands into a text file.0.0/24 subnet. [edit firewall family inet filter local_acl] user@myhost# set term terminal_access from address 192. Define the filter term terminal_access. • Configuration The following example requires you to navigate various levels in the configuration hierarchy.168.168.0/24 subnet. Inc.1.0. set firewall family inet filter local_acl term terminal_access from address 192.

} protocol tcp. } then { log.1. Juniper Networks.Chapter 5: Standard Firewall Filter Configuration user@myhost# set term terminal_access from protocol tcp user@myhost# set term terminal_access from port ssh user@myhost# set term terminal_access from port telnet user@myhost# set term terminal_access then accept 3. [edit firewall family inet filter local_acl] user@myhost# set term terminal_access_denied from protocol tcp user@myhost# set term terminal_access_denied from port ssh user@myhost# set term terminal_access_denied from port telnet user@myhost# set term terminal_access_denied then log user@myhost# set term terminal_access_denied then reject user@myhost# set term default-term then accept Apply the Firewall Filter to the Loopback Interface Step-by-Step Procedure • To apply the firewall filter to the loopback interface: [edit] user@myhost# set interfaces lo0 unit 0 family inet filter input local_acl user@myhost# set interfaces lo0 unit 0 family inet address 127.1/32 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1.0.0. If the command output does not display the intended configuration. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. } } term default-term { Copyright © 2011. Inc. } term terminal_access_denied { from { protocol tcp. reject. [edit] user@myhost# show firewall family inet { filter local_acl { term terminal_access { from { address { 192. Define the filter term terminal_access_denied. port [ssh telnet]. port [ssh telnet]. repeat the instructions in this example to correct the configuration. 125 . } then accept.168.0/24.

.1/32. • • Verifying Accepted Packets on page 126 Verifying Logged and Rejected Packets on page 127 Verifying Accepted Packets Purpose Verify that the actions of the firewall filter terms are taken. repeat the instructions in this example to correct the configuration. 126 Copyright © 2011. Juniper Networks. commit your candidate configuration. } address 127.Junos OS 11. If the command output does not display the intended configuration. Inc. If you are done configuring the device. [edit] user@myhost# commit Verification Confirm that the configuration is working properly.0. } } } 2. Confirm the configuration of the interface by entering the show interfaces configuration mode command.0. } } } 3.4 Firewall Filter and Policer Configuration Guide then accept. [edit] user@myhost# show interfaces lo0 { unit 0 { family inet { filter { input local_acl.

127 . This packet should be accepted.0/24 subnet. Escape character is '^]'. user@host-A> ssh myhost user@myhosts’s password: --. Inc.0 built 2010-11-02 04:48:46 UTC % cli user@myhost> 3. Connected to myhost-fxp0.1.1.JUNOS 11. Clear the firewall log on your router. From a host at an IP address within the 192.71.. user@myhost> show firewall log Verifying Logged and Rejected Packets Purpose Verify that the actions of the firewall filter terms are taken.168. host (ttyp0) login: user Password: --. user@host-A> telnet myhost Trying 192. use the ssh hostname command to verify that you can log in to the device using only SSH. user@myhost> clear firewall log 2. and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine. This packet should be accepted. Copyright © 2011.JUNOS 11.1-20101102.net.0 built 2010-11-02 04:48:46 UTC % cli user@myhost> 4.168. use the telnet hostname command to verify that you can log in to your router using only Telnet. From a host at an IP address within the 192. Juniper Networks.168.249.1-20101102.acme.Chapter 5: Standard Firewall Filter Configuration Action 1.168. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.0/24 subnet.0/24 subnet.1. and the packet header information for this packet should not be logged in the firewall filter log buffer in the Packet Forwarding Engine..

.0 fxp0.187. and the packet header information for this packet should be logged in the firewall filter log buffer in the Packet Forwarding Engine.Junos OS 11.168. use the telnet hostname command to verify that you can log in to the device using only Telnet. telnet: connect to address 192.187.187..187.168. user@myhost> clear firewall log 2.187.168.1.187.0 fxp0. Filter local_acl local_acl local_acl Action R R R Interface fxp0.0 fxp0.0 Protocol Src Addr TCP 192.4 Firewall Filter and Policer Configuration Guide Action 1. user@myhost> show firewall log Time 18:41:25 18:41:25 18:41:25 .187.0/24 subnet. user@host-B ssh myhost ssh: connect to host sugar port 22: Connection refused --.249.168.168.5 Dest Addr 192.0 fxp0.5 TCP TCP TCP 192.0/24 subnet. .168.0 fxp0.5 TCP 192.1.5 192.5 TCP 192.71.168. This packet should be rejected.1 192. and the packet header information for this packet should be logged in the firewall filter log buffer in the PFE.168.168. Use the show firewall log command to verify that the routing table on the device does not contain any entries with a source address in the 192.. Inc. Juniper Networks.168.187.3: Connection refused telnet: Unable to connect to remote host % 4. From a host at an IP address outside of the 192.5 192.1.1-20101102.1 192.187.187.0/24 subnet. user@host-B> telnet myhost Trying 192.JUNOS 11. 18:43:06 18:43:06 18:43:06 .1 192.187.168.168.168.1 192.0 built 2010-11-02 04:48:46 UTC % 3.168. From a host at an IP address outside of the 192...1 local_acl R local_acl R local_acl R Related Documentation • • • Logging of Packet Headers Evaluated by a Firewall Filter Term on page 221 Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources on page 118 Example: Configuring a Filter to Block TFTP Access on page 129 Example: Configuring a Filter to Accept OSPF Packets from a Prefix on page 132 Example: Configuring a Filter to Accept DHCP Packets Based on Address on page 134 • • • 128 Copyright © 2011..168. Clear the firewall log on your router.1 192.168.187. use the ssh hostname command to verify that you cannot log in to the device using only SSH.187. This packet should be rejected.168.

However.255. remove any line breaks. 129 . see “Using the CLI Editor in Configuration Mode” on page 15. Juniper Networks. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 130 Apply the Firewall Filter to the Loopback Interface on page 130 Confirm and Commit Your Candidate Configuration on page 130 CLI Quick Configuration To quickly configure this example. copy the following configuration commands into a text file. To configure this example. set firewall family inet filter tftp_access_control term one from protocol udp set firewall family inet filter tftp_access_control term one from port tftp set firewall family inet filter tftp_access_control term one then log set firewall family inet filter tftp_access_control term one then discard set interfaces lo0 unit 0 family inet filter input tftp_access_control set interfaces lo0 unit 0 family inet address 127. Configuration The following example requires you to navigate various levels in the configuration hierarchy.0 and a destination address of 255. Inc. and then paste the commands into the CLI at the [edit] hierarchy level. you block Trivial File Transfer Protocol (TFTP) access.0. the Junos OS filters and discards Dynamic Host Configuration Protocol (DHCP) or Bootstrap Protocol (BOOTP) packets that have a source address of 0. some vendors’ equipment automatically accepts these packets. In this example.1/32 Copyright © 2011.0.0. For information about navigating the CLI.Chapter 5: Standard Firewall Filter Configuration Example: Configuring a Filter to Block TFTP Access • • • • Requirements on page 129 Overview on page 129 Configuration on page 129 Verification on page 131 Requirements No special configuration beyond device initialization is required before configuring this example.255.0. to decrease vulnerability to denial-of-service (DoS) attacks. logging any attempts to establish TFTP connections. This default filter is known as a unicast RPF check. To interoperate with other vendors' equipment. Overview By default.255. you can configure a filter that checks for both of these addresses and overrides the default RPF-check filter by accepting these packets.

repeat the instructions in this example to correct the configuration.0. [edit] user@host# edit firewall family inet filter tftp_access_control 2. Inc.4 Firewall Filter and Policer Configuration Guide Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter that selectively blocks TFTP access: 1. Juniper Networks. } } } } 130 Copyright © 2011. port tftp. . [edit firewall family inet filter tftp_access_control] user@host# set term one from protocol udp user@host# set term one from port tftp 3. [edit firewall family inet filter tftp_access_control] user@host# set term one then log user@host# set term one then discard Apply the Firewall Filter to the Loopback Interface Step-by-Step Procedure To apply the firewall filter to the loopback interface: • [edit] user@host# set interfaces lo0 unit 0 family inet filter input tftp_access_control user@host# set interfaces lo0 unit 0 family inet address 127. } then { log. discard. If the command output does not display the intended configuration. Create the stateless firewall filter tftp_access_control.1/32 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. Specify that matched packets be logged to the buffer on the Packet Forwarding Engine and then discarded. [edit] user@host# show firewall family inet { filter tftp_access_control { term one { from { protocol udp. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command.Junos OS 11.0. Specify a match on packets received on UDP port 69.

If you are done configuring the device. Confirm the configuration of the interface by entering the show interfaces configuration mode command. Juniper Networks. Clear the firewall log on your router. Related Documentation • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources on page 118 Example: Configuring a Filter to Block Telnet and SSH Access on page 123 Example: Configuring a Filter to Accept OSPF Packets from a Prefix on page 132 Example: Configuring a Filter to Accept DHCP Packets Based on Address on page 134 • • • Copyright © 2011. user@myhost> clear firewall log 2. repeat the instructions in this example to correct the configuration. [edit] user@host# show interfaces lo0 { unit 0 { family inet { filter { input tftp_access_control.0. [edit] user@host# commit Verification Confirm that the configuration is operating properly: • Verifying Logged and Discarded Packets on page 131 Verifying Logged and Discarded Packets Purpose Action Verify that the actions of the firewall filter terms are taken.0. From another host. If the command output does not display the intended configuration. } address 127.1/32.Chapter 5: Standard Firewall Filter Configuration 2. To 1. Inc. } } } 3. commit your candidate configuration. 131 . send a packet to UDP port 69 on this router.

you create a filter that accepts only OSPF packets from an address in the prefix 10.2.0/16 set firewall family inet filter ospf_filter term term1 from protocol ospf set firewall family inet filter ospf_filter term term1 then accept set firewall family inet filter ospf_filter term default-term then reject administratively-prohibited set interfaces ge-0/0/1 unit 0 family inet address 10.Junos OS 11.0. Overview In this example. [edit] user@host# edit firewall family inet filter ospf_filter 132 Copyright © 2011. Create the filter.108.4 Firewall Filter and Policer Configuration Guide Example: Configuring a Filter to Accept OSPF Packets from a Prefix This example shows how to configure a standard stateless firewall filter to accept packets from a trusted source. • • • • Requirements on page 132 Overview on page 132 Configuration on page 132 Verification on page 134 Requirements No special configuration beyond device initialization is required before configuring this example. remove any line breaks. Inc.1. .0. discarding all other packets with an administratively-prohibited ICMP message Configuration The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI. and then paste the commands into the CLI at the [edit] hierarchy level.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input ospf_filter Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter ospf_filter: 1.0/16. perform the following tasks: • • • Configure the Stateless Firewall Filter on page 132 Apply the Firewall Filter to the Loopback Interface on page 133 Confirm and Commit Your Candidate Configuration on page 133 CLI Quick Configuration To quickly configure this example. To configure this example. copy the following configuration commands into a text file.108. set firewall family inet filter ospf_filter term term1 from source-address 10. Juniper Networks. see “Using the CLI Editor in Configuration Mode” on page 15.

Chapter 5: Standard Firewall Filter Configuration 2. } } term default_term { then { reject administratively-prohibited. # default reject action } Copyright © 2011. Configure the interface. Inc. Apply the filter to the input. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input ospf_filter Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1.0/16 user@host# set term term1 from protocol ospf user@host# set term term1 then accept 3. } then { accept. If the command output does not display the intended configuration. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. [edit firewall family inet filter ospf_filter] user@host# set term default_term then reject administratively-prohibited Apply the Firewall Filter to the Loopback Interface Step-by-Step Procedure To apply the firewall filter to the loopback interface: 1. } protocol ospf.108. [edit firewall family inet filter ospf_filter] user@host# set term term1 from source-address 10.0/16. repeat the instructions in this example to correct the configuration. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. Configure the term that rejects all other packets. [edit] user@host# show firewall family inet { filter ospf_filter { term term1 { from { source-address { 10. Configure the logical interface IP address.1.0.0.3/30 3.108. 133 . Configure the term that accepts packets. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2. Juniper Networks.2.

Related Documentation • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources on page 118 Example: Configuring a Filter to Block Telnet and SSH Access on page 123 Example: Configuring a Filter to Block TFTP Access on page 129 Example: Configuring a Filter to Accept DHCP Packets Based on Address on page 134 • • • Example: Configuring a Filter to Accept DHCP Packets Based on Address This example shows how to configure a standard stateless firewall filter to accept packets from a trusted source. } } } 3. commit your candidate configuration. } address 10. Confirm the configuration of the interface by entering the show interfaces configuration mode command. repeat the instructions in this example to correct the configuration.Junos OS 11.4 Firewall Filter and Policer Configuration Guide } } } 2. [edit] user@host# show interfaces lo0 { unit 0 { family inet { filter { input ospf_filter. If you are done configuring the device. Inc. enter the show firewall filter ospf_filter operational mode command. [edit] user@host# commit Verification To confirm that the configuration is working properly. Juniper Networks.1. .3/30. 134 Copyright © 2011. • • • • Requirements on page 134 Overview on page 135 Configuration on page 135 Verification on page 137 Requirements This example is supported on MX Series routers only.2. If the command output does not display the intended configuration.

Juniper Networks. Inc. • • • Configure the Stateless Firewall Filter on page 135 Apply the Firewall Filter to the Loopback Interface on page 135 Confirm and Commit Your Candidate Configuration on page 136 CLI Quick Configuration To quickly configure this example. Configure the term to match packets with a source address of 0. [edit firewall family inet filter rpf_dhcp] user@host# set term dhcp_term from source-address 0.255.0 and a destination address of 255. Create the stateless firewall filter rpf_dhcp. set firewall family inet filter rpf_dhcp term dhcp_term from source-address 0. [edit] user@host# edit firewall family inet filter rpf_dhcp 2. and then paste the commands into the CLI at the [edit] hierarchy level.255/32 set firewall family inet filter rpf_dhcp term dhcp_term then accept set interfaces ge-0/0/1 unit 0 family inet address 10.0/32 set firewall family inet filter rpf_dhcp term dhcp_term from destination-address 255. Configuration The following example requires you to navigate various levels in the configuration hierarchy.255.2. see “Using the CLI Editor in Configuration Mode” on page 15. [edit firewall family inet filter rpf_dhcp] set term dhcp_term then accept Apply the Firewall Filter to the Loopback Interface Step-by-Step Procedure To apply the filter to the input at the loopback interface: 1. Apply the rpf_dhcp filter if packets are not arriving on an expected path. For information about navigating the CLI.255.0.0 and a destination address of 255.255/32 3. you create a filter (rpf_dhcp) that accepts DHCP packets with a source address of 0.255. copy the following configuration commands into a text file. 135 .0.0.0.255.0.255.0.0.255.255.0.Chapter 5: Standard Firewall Filter Configuration Overview In this example. [edit] user@host# set interfaces lo0 unit 0 family inet rpf-check fail-filter rpf_dhcp Copyright © 2011.1.255.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input sam Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter: 1. remove any line breaks. Configure the term to accept packets that match the specified conditions.255.0/32 user@host# set term dhcp_term from destination-address 255.

1/32 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1.0. [edit] user@host# show interfaces lo0 { unit 0 { family inet { filter { rpf-check { fail-filter rpf_dhcp. Configure an address for the loopback interface. Juniper Networks. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command.255. } } then accept.0. mode loose. } destination-address { 255.1/32. When you are done configuring the device. [edit] user@host# show firewall family inet { filter rpf_dhcp { term dhcp_term { from { source-address { 0. repeat the instructions in this example to correct the configuration.0. [edit] user@host# set interfaces lo0 unit 0 family inet address 127. } } } 3.255/32. [edit] user@host# commit 136 Copyright © 2011.255.0/32. If the command output does not display the intended configuration. If the command output does not display the intended configuration.Junos OS 11.4 Firewall Filter and Policer Configuration Guide 2. } } address 127.0. Confirm the configuration of the interface by entering the show interfaces configuration mode command. repeat the instructions in this example to correct the configuration. commit your candidate configuration.0.0. . Inc. } } } 2.

Overview In this example. you create a stateless firewall filter that blocks all TCP connection attempts to port 179 from all requesters except the specified BGP peers. Related Documentation • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources on page 118 Example: Configuring a Filter to Block Telnet and SSH Access on page 123 Example: Configuring a Filter to Block TFTP Access on page 129 Example: Configuring a Filter to Accept OSPF Packets from a Prefix on page 132 • • • Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers This example shows how to configure a standard stateless firewall filter that limits certain TCP and Internet Control Message Protocol (ICMP) traffic destined for the Routing Engine. 137 . Inc. Figure 2 on page 138 shows the topology used in this example. Device E blocks the connection attempt. Device C attempts to make a TCP connection to Device E. Copyright © 2011. Juniper Networks. enter the show firewall operational mode command. • • • • Requirements on page 137 Overview on page 137 Configuration on page 138 Verification on page 141 Requirements No special configuration beyond device initialization is required before you configure this example. The stateless firewall filter filter_bgp179 matches all packets from the directly connected interfaces on Device A and Device B to the destination port number 179. This example shows the configuration on Device C and Device E.Chapter 5: Standard Firewall Filter Configuration Verification To confirm that the configuration is working properly.

10.10. remove any line breaks.10.2/32 set firewall family inet filter filter_bgp179 term 1 from source-address 10.10.Junos OS 11.10.5/30 set interfaces ge-1/0/0 unit 9 description to-C set interfaces ge-1/0/0 unit 9 family inet address 10.10. see “Using the CLI Editor in Configuration Mode” on page 15.10.6 B C Configuration The following example requires that you navigate various levels in the configuration hierarchy.10.10. and then copy and paste the commands into the CLI at the [edit] hierarchy level.10. perform the following tasks: • Configuring Device E on page 139 CLI Quick Configuration To quickly configure this example.1/32 set protocols bgp group external-peers type external set protocols bgp group external-peers peer-as 22 set protocols bgp group external-peers neighbor 10.10 set routing-options autonomous-system 17 set firewall family inet filter filter_bgp179 term 1 from source-address 10.2 set protocols bgp group external-peers neighbor 10.10.2 A AS 22 AS 17 E 10. change any details necessary to match your network configuration.0.1 10. For information about navigating the CLI.10.168. paste them into a text file.4 Firewall Filter and Policer Configuration Guide Figure 2: Typical Network with BGP Peer Sessions 10. copy the following commands.10.9/30 set interfaces lo0 unit 2 family inet filter input filter_bgp179 set interfaces lo0 unit 2 family inet address 192.10. set interfaces ge-1/2/0 unit 10 description to-E set interfaces ge-1/2/0 unit 10 family inet address 10.1/30 set interfaces ge-1/2/1 unit 5 description to-B set interfaces ge-1/2/1 unit 5 family inet address 10.10.10.6/32 set firewall family inet filter filter_bgp179 term 1 from destination-port bgp set firewall family inet filter filter_bgp179 term 1 then accept set firewall family inet filter filter_bgp179 term 2 then reject Device C Device E 138 Copyright © 2011. To configure this example. Juniper Networks.10.10 .10.10.9 10.6 set protocols bgp group external-peers neighbor 10. g040870 10.10/30 set protocols bgp group external-peers type external set protocols bgp group external-peers peer-as 17 set protocols bgp group external-peers neighbor 10.9 set routing-options autonomous-system 22 set interfaces ge-1/2/0 unit 0 description to-A set interfaces ge-1/2/0 unit 0 family inet address 10.5 10. Inc.10.

10.10. Configure BGP. show interfaces. Apply the firewall filter to the loopback interface.0. confirm your configuration by entering the show firewall. Define the filter term that accepts TCP connection attempts to port 179 from the specified BGP peers.6/32 user@E# set term 1 from destination-port bgp user@E# set term 1 then accept 5. Inc.6 user@E# set neighbor 10. see “Using the CLI Editor in Configuration Mode” on page 15 in the Junos OS CLI User Guide. To configure the stateless firewall filter that blocks all TCP connection attempts to port 179 from all requestors except specified BGP peers: 1. show protocols. and show routing-options commands. Configure the interfaces.168. Define the other filter term to reject packets from other sources. If the output does not Copyright © 2011. [edit routing-options] user@E# set autonomous-system 17 4. [edit firewall family inet filter filter_bgp179] user@E# set term 2 then reject 6.10. Juniper Networks.10.10.2 user@E# set neighbor 10.10. [edit firewall family inet filter filter_bgp179] user@E# set term 1 from source-address 10. [edit interfaces lo0 unit 2 family inet] user@E# set filter input filter_bgp179 user@E# set address 192. 139 .10. For information about navigating the CLI.10.10.10.9/30 2.10. Configure the autonomous system (AS) number.2/32 user@E# set term 1 from source-address 10.1/30 user@E# set interfaces ge-1/2/1 unit 5 description to-B user@E# set interfaces ge-1/2/1 unit 5 family inet address 10.10 3.10.Chapter 5: Standard Firewall Filter Configuration Configuring Device E Step-by-Step Procedure The following example requires you to navigate various levels in the configuration hierarchy.10.10.1/32 Results From configuration mode. [edit protocols bgp group external-peers] user@E# set type external user@E# set peer-as 22 user@E# set neighbor 10.10.10.5/30 user@E# set interfaces ge-1/0/0 unit 9 description to-C user@E# set interfaces ge-1/0/0 unit 9 family inet address 10. user@E# set interfaces ge-1/2/0 unit 0 description to-A user@E# set interfaces ge-1/2/0 unit 0 family inet address 10.

10. } } } } user@E# show interfaces lo0 { unit 2 { family inet { filter { input filter_bgp179.0. } } } ge-1/0/0 { unit 9 { description to-C. } then accept.168. family inet { address 10. family inet { address 10.4 Firewall Filter and Policer Configuration Guide display the intended configuration.2/32. .10.10.10.10.5/30. Juniper Networks.9/30.10.10. } address 192.10.Junos OS 11. } destination-port bgp. family inet { address 10. user@E# show firewall family inet { filter filter_bgp179 { term 1 { from { source-address { 10. } } } ge-1/2/0 { unit 0 { description to-A.10. 140 Copyright © 2011.10. repeat the instructions in this example to correct the configuration.6/32.1/32. } term 2 { then { reject. } } } ge-1/2/1 { unit 5 { description to-B. Inc.1/30.10.

Repeat the procedure. } } user@R0# show routing-options autonomous-system 17. The output on Device E shows that connections are established with Device A and Device B only. using the appropriate interface names and addresses for each BGP-enabled device. interface 10. where appropriate.6.0. If you are done configuring the device. user@C> show system connections extensive | match 10.10. neighbor 10. Inc. Verification Confirm that the configuration is working properly. run the show system connections extensive command on Device C and Device E. user@E> show firewall filter filter_bgp179 Filter: filter_bgp179 Verifying the TCP Connections Purpose Action Verify the TCP connections.10.10.14. • • • Verifying That the Filter Is Configured on page 141 Verifying the TCP Connections on page 141 Monitoring Traffic on the Interfaces on page 142 Verifying That the Filter Is Configured Purpose Action Make sure that the filter is listed in output of the show firewall filter command. Juniper Networks.10 Copyright © 2011.0 { interface fe-1/2/0. for every BGP-enabled device in the network.0. enter commit from configuration mode.10. From operational mode. neighbor 10. } } ospf { area 0.2.10.10.10.255.1. peer-as 22.179. 141 . The output on Device C shows the attempt to establish a TCP connection.Chapter 5: Standard Firewall Filter Configuration } } } user@E# show protocols bgp { group external-peers { type external.10. neighbor 10.

10.bgp: S 573929123:573929123(0) win 16384 <mss 1460.sackOK.10.5.nop.10.10.nop.61335 > 10.2.nop.10.5.179 10.timestamp 1869546338 1869532439>: BGP.eol> 18:54:32.timestamp 1869532439 1869518816>: BGP.179 10.10. ack 19 win 16384 <nop.9 18:54:20.10.eol> 18:54:29.bgp > 10.10.10.10.10.10.323018 In IP 10.10.62096 10. length: 19 19:02:49.10.10.10. run the monitor traffic command on the Device E interface to Device B and on the Device E interface to Device C.9.6.10.61335 > 10. ack 38 win 16384 <nop.timestamp 1869546438 1869546338> user@E> monitor traffic size 1500 interface ge-1/0/0.timestamp 1869015440 0.bgp: .10.10.bgp: S 573929123:573929123(0) win 16384 <mss 1460.10.sackOK.10.1.10.nop.eol> 18:54:23.61506 10.timestamp 1869012240 0.6.1.nop.10.10.61335 > 10.10.10.10.10.10.179 ESTABLISHED ESTABLISHED ESTABLISHED ESTABLISHED Monitoring Traffic on the Interfaces Purpose Compare the traffic on an interface that establishes a TCP connection with the traffic on an interface that does not establish a TCP connection.10.10.bgp > 10.9.sackOK.nop. length: 19 19:03:17.5.nop.9.10.9.773493 Out IP 10.6.10. ack messages are not received.10. acknowledgment (ack) messages are received.10.5.timestamp 1869518816 1869504850>: BGP.10.10.62096: P 19:38(19) ack 20 win 16384 <nop.eol> 18:54:26. . In the first example.10.10.220162 Out IP 10. From operational mode.320501 In IP 10.sackOK.61335 > 10.nop.10.62096 > 10.nop.nop.61335 > 10. user@E> monitor traffic size 1500 interface ge-1/2/1.10.9.eol> 18:54:35.bgp: S 573929123:573929123(0) win 16384 <mss 1460.bgp: S 573929123:573929123(0) win 16384 <mss 1460.10.timestamp 1869518916 1869518816> 19:03:03.sackOK.timestamp 1869532539 1869532439> 19:03:17.nop.10.5.10.62096 10.bgp > 10.nop.10.timestamp 1869009240 0.10.10.700912 Out IP 10.5.62096: .10.5.10 tcp4 tcp4 tcp4 tcp4 0 0 0 0 0 0 0 0 10.10.9.10.10.62096: P 3330573561:3330573580(19) ack 915601686 win 16384 <nop.10.10.10.5. Juniper Networks.6.61335 > 10.175471 Out IP 10.10.10.Junos OS 11.nop.4 Firewall Filter and Policer Configuration Guide tcp4 0 0 10.374118 Out IP 10. In the second example.10.bgp: S 573929123:573929123(0) win 16384 <mss 1460.10. ack 20 win 16384 <nop.6.573799 Out IP 10.10.10.9.10.5 19:02:49.10.179 10.bgp: .10.10.179 SYN_SENT user@E> show system connections extensive | match 10.10.2.10.62096 > 10.51872 10.wscale 0.973185 Out IP 10.174422 Out IP 10.10.61506 10.801244 In IP 10.bgp: S 573929123:573929123(0) win 16384 <mss 1460. length: 19 19:03:03.10.6.bgp: P 1:20(19) ack 19 win 16384 <nop.wscale 0.6.10.422418 Out IP 10.10.sackOK.nop.nop.10.10.10. Inc.10.10.wscale 0.62096 > 10.eol> Action Related Documentation • • • Understanding How to Use Standard Firewall Filters on page 29 Understanding Flood Prevention Stateless Firewall Filters Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods on page 143 Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags on page 149 • 142 Copyright © 2011.6.10.

000.168. These addresses are defined in the trusted-addresses prefix list. you create a stateless firewall filter called protect-RE that polices TCP and ICMP packets.000. Policed packets include connection request packets (SYN and ACK flag bits equal 1 and 0). • icmp-term—Polices echo request packets. 143 .2. Copyright © 2011.000 bytes. All of these ICMP packets are counted in the icmp-counter counter.000 bps and the burst size to 15. Use the following abbreviations when specifying limits: k (1. connection release packets (FIN flag bit equals 1). Inc.000 bytes. Each policer is incorporated into the action of a filter term.0/24 or 10.000.000 bps to 32. • • • • Requirements on page 143 Overview on page 143 Configuration on page 144 Verification on page 147 Requirements No special configuration beyond device initialization is required before configuring stateless firewall filters.Chapter 5: Standard Firewall Filter Configuration Standard Firewall Filters That Prevent IP Packet Flooding • Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods on page 143 Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags on page 149 • Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods This example shows how to create a stateless firewall filter that protects against TCP and ICMP denial-of-service attacks.000 bps and the burst-size limit can be from 1.000). and g (1. This example includes the following policers: • tcp-connection-policer—Limits the traffic rate of the TCP packets to 500.000). and connection reset packets (RST flag bit equals 1). Juniper Networks.000.000).000. This example includes the following terms: • tcp-connection-term—Polices certain TCP packets with a source address of 192.000.1. unreachable packets.000.122. m (1.000 bps and the burst size to 15. echo response packets. • icmp-policer—Limits the traffic rate of the ICMP packets to 1. the bandwidth limit can be from 32. When specifying limits. and time-exceeded packets.500 bytes through 100.0/24. Packets that exceed the traffic rate are discarded. Overview In this example.000 bytes. Packets that exceed the traffic rate are discarded.

Inc. copy the following commands to a text file. See insert in the Junos OS CLI User Guide.Junos OS 11. .2. Juniper Networks. If you want to include the terms created in this procedure in the protect-RE firewall filter configured in “Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources” on page 118. and then paste the commands into the CLI. [edit] set firewall family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp set firewall family inet filter protect-RE term tcp-connection-term from tcp-flags "(syn & !ack) | fin | rst" set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer set firewall family inet filter protect-RE term tcp-connection-term then accept set firewall family inet filter protect-RE term icmp-term from protocol icmp set firewall family inet filter protect-RE term icmp-term from icmp-type echo-request set firewall family inet filter protect-RE term icmp-term from icmp-type echo-reply set firewall family inet filter protect-RE term icmp-term from icmp-type unreachable set firewall family inet filter protect-RE term icmp-term from icmp-type time-exceeded set firewall family inet filter protect-RE term icmp-term then policer icmp-policer set firewall family inet filter protect-RE term icmp-term then count icmp-counter set firewall family inet filter protect-RE term icmp-term then accept set firewall policer tcp-connection-policer filter-specific set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 1m set firewall policer tcp-connection-policer if-exceeding burst-size-limit 15k set firewall policer tcp-connection-policer then discard set firewall policer icmp-policer filter-specific set firewall policer icmp-policer if-exceeding bandwidth-limit 1m set firewall policer icmp-policer if-exceeding burst-size-limit 15k set firewall policer icmp-policer then discard set policy-options prefix-list trusted-addresses 10.0/24 144 Copyright © 2011. perform the configuration tasks in this example first. This approach ensures that the rate-limiting terms are included as the first two terms in the firewall filter. remove any line breaks.0/24 set policy-options prefix-list trusted-addresses 192.1.168.122.4 Firewall Filter and Policer Configuration Guide NOTE: You can move terms within the firewall filter by using the insert command. Configuration CLI Quick Configuration To quickly configure the stateless firewall filter. See insert in the Junos OS CLI User Guide. Then configure the terms as described in “Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources” on page 118. NOTE: You can move terms within the firewall filter by using the insert command.

[edit firewall policer icmp-policer] user@host# set filter-specific user@host# set if-exceeding burst-size-limit 15k bandwidth-limit 1m 7. For information about navigating the CLI. 145 .2.122. [edit] user@host# set policy-options prefix-list trusted-addresses 192. [edit firewall policer tcp-connection-policer] user@host# set filter-specific user@host# set if-exceeding burst-size-limit 15k bandwidth-limit 1m 4. [edit] user@host# edit firewall family inet filter protect-RE 9. Define the action for the policer. [edit] user@host# edit firewall policer icmp-policer 5. [edit firewall family inet filter protect-RE term tcp-connection-term] user@host# set from source-prefix-list trusted-addresses Copyright © 2011. Create the stateless firewall filter. Set the rate limits for the policer. Juniper Networks. Define the first policer. [edit firewall policer tcp-connection-policer] user@host# set then discard 3. Define the first term for the filter. Define the action for the policer.1.Chapter 5: Standard Firewall Filter Configuration Step-by-Step Procedure The following example requires you to navigate various levels in the configuration hierarchy. Inc. see “Using the CLI Editor in Configuration Mode” on page 15. Define the second policer. Define the prefix list.0/24 user@host# set policy-options prefix-list trusted-addresses 10.168.0/24 8. [edit firewall policer icmp-policer] user@host# set then discard 6. To configure stateless firewall filter policers: 1. [edit] user@host# edit firewall policer tcp-connection-policer 2. Define the source address match condition for the term. [edit firewall family inet filter protect-RE] user@host# edit term tcp-connection-term 10. Define the rate limits for the policer.

[edit firewall family inet filter protect-RE term icmp-term] user@host# set then policer icmp-policer count icmp-counter accept Results Confirm your configuration by entering the show firewall command and the show policy-options command from configuration mode. } protocol tcp. Define the action for the term. 146 Copyright © 2011. [edit firewall family inet filter protect-RE term icmp-term] user@host# set from protocol icmp 15. Define the actions for the term.Junos OS 11. [edit firewall family inet filter protect-RE term icmp-term] user@host# set from icmp-type [echo-request echo-reply unreachable time-exceeded] 16. Define the second term. [edit] user@host# edit firewall family inet filter protect-RE term icmp-term 14. Define the protocol for the term. If the output does not display the intended configuration. repeat the instructions in this example to correct the configuration. user@host# show firewall family inet { filter protect-RE { term tcp-connection-term { from { source-prefix-list { trusted-addresses. Define protocol match conditions for the term. } then { policer icmp-policer. [edit firewall family inet filter protect-RE term tcp-connection-term] user@host# set from protocol tcp tcp-flags "(syn & !ack) | fin | rst" 12. Define the match conditions for the term. . Juniper Networks. tcp-flags "(syn & !ack) | fin | rst". } then { policer tcp-connection-policer.4 Firewall Filter and Policer Configuration Guide 11. icmp-type [ echo-request echo-reply unreachable time-exceeded ]. } } term icmp-term { from { protocol icmp. [edit firewall family inet filter protect-RE term tcp-connection-term] user@host# set then policer tcp-connection-policer accept 13. Inc. accept.

} then discard. if-exceeding { bandwidth-limit 1m. Inc. } policer icmp-policer { filter-specific.0/24. enter commit from configuration mode. 192. Copyright © 2011. From configuration mode. burst-size-limit 15k. if-exceeding { bandwidth-limit 1m. 147 .168. • • • Displaying Stateless Firewall Filter Configurations on page 147 Verifying a TCP and ICMP Flood Firewall Filter on page 147 Displaying Firewall Filter Statistics on page 148 Displaying Stateless Firewall Filter Configurations Purpose Action Meaning Verify the configuration of the firewall filter. In addition. You can move terms within a firewall filter by using the insert CLI command. Verifying a TCP and ICMP Flood Firewall Filter Purpose Verify that the actions of the firewall filter terms are taken.0/24. verify that the terms are listed in the order in which you want the packets to be tested. accept. Verification Confirm that the configuration is working properly. } } } } policer tcp-connection-policer { filter-specific. } If you are done configuring the device.2. enter the show firewall command. } then discard.Chapter 5: Standard Firewall Filter Configuration count icmp-counter. Verify that the output shows the intended configuration of the firewall filter. Juniper Networks.1. burst-size-limit 15k. } user@host# show policy-options prefix-list trusted-addresses { 10.122.

Junos OS 11. 100% packet loss Meaning Verify the following information: • • • You can successfully log in to the device using Telnet. Juniper Networks. The device does not send responses to the ping host size 20000 command.249.249.249.71 PING host-ge-000.1 built 2004-05-21 09:38:12 UTC user@host> user@host> ping 192. From operational mode. In addition.acme.71: icmp_seq=2 ttl=253 time=14.71 Trying 192.. Escape character is '^]'.249.net (192.168.168. Connected to host. log in to the device with the telnet host-name command from another host with one of these address prefixes.host-ge-000.2.946 ms 64 bytes from 192. Use the ping host-name command to verify that the device responds only to ICMP packets (such as ping requests) that do not exceed the policer traffic rates.71: icmp_seq=1 ttl=253 time=19.168.168..71: icmp_seq=0 ttl=253 time=11. 148 Copyright © 2011.4 Firewall Filter and Policer Configuration Guide Action Send packets to the device that match the terms. .JUNOS 6.249. verify that the filter actions are not taken for packets that do not match.249.71): 20000 data bytes ^C --.acme. enter the show firewall filter filter-name command.net ping statistics --12 packets transmitted.net. 0 packets received.639 ms .249.168.71): 56 data bytes 64 bytes from 192.71.net (192.122. host (ttyp0) login: user Password: --.168.168.474 ms 64 bytes from 192.168...249. For example. Inc.0/24 or 10.acme. • • Sample Output user@host> telnet 192.0/24.168.4-20040521. Displaying Firewall Filter Statistics Purpose Action Verify that packets are being policed and counted.acme.1.168. • Verify that the device can establish only TCP sessions with a host at an IP address that matches 192.71 size 20000 PING host-ge-000. Use the ping host-name size bytes command to exceed the policer traffic rates by sending ping requests with large data payloads. user@host> ping 192. The device sends responses to the ping host command.249.

Under Packets. Inc. • • • • Requirements on page 150 Overview on page 150 Configuration on page 150 Verification on page 152 Copyright © 2011. the number of bytes that match the filter term containing the count counter-name action are shown. Juniper Networks. Under Counters: • • Under Name. 149 . the name of the firewall filter is correct. Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags This example shows how to configure a standard stateless firewall filter to accept packets from a trusted source. telnet in the Junos OS System Basics and Services Command Reference. the number of packets that match the filter term containing the count counter-name action are shown. Related Documentation • “Two-Color Policer Configuration Overview on page 307” in the Junos OS Firewall Filter and Policer Configuration Guide. Under Packets. the names of any counters configured in the firewall filter are correct. the names of any policers configured in the firewall filter are correct. Under Bytes.Chapter 5: Standard Firewall Filter Configuration Sample Output user@host> show firewall filter protect-RE Filter: protect-RE Counters: Name icmp-counter Policers: Name tcp-connection-policer icmp-policer Bytes 1040000 Packets 643254873 7391 Packets 5600 Meaning Verify the following information: • • Next to Filter. Junos OS Feature Support Reference for SRX Series and J Series Devices • • • • show firewall in the Junos OS Routing Protocols and Policies Command Reference ping in the Junos OS System Basics and Services Command Reference. • • Under Policers: • • Under Name. the number of packets that match the conditions specified for the policer are shown.

Specify that a packet matches if it is the initial packet in a TCP session and the next header after the IPv6 header is type TCP. [edit] user@host# edit firewall family inet6 filter tcp_filter 2. and then paste the commands into the CLI at the [edit] hierarchy level.4 Firewall Filter and Policer Configuration Guide Requirements No special configuration beyond device initialization is required before configuring this example. Specify that matched packets are counted. logged to the buffer on the Packet Forwarding Engine.1. Juniper Networks. and accepted. Configuration The following example requires you to navigate various levels in the configuration hierarchy. Inc.34. copy the following commands into a text file. [edit firewall family inet6 filter tcp_filter] user@host# set term 1 then count tcp_syn_pkt user@host# set term 1 then log user@host# set term 1 then accept 150 Copyright © 2011. Create the IPv6 stateless firewall filter tcp_filter. Overview In this example. remove any line breaks. • • • Configure the Stateless Firewall Filter on page 150 Apply the Firewall Filter to the Loopback Interface on page 151 Confirm and Commit Your Candidate Configuration on page 151 CLI Quick Configuration To quickly configure this example. you create a filter that accepts packets with specific IPv6 TCP flags. [edit firewall family inet6 filter tcp_filter] user@host# set term 1 from next-header tcp user@host# set term 1 from tcp-flags syn 3. set firewall family inet6 filter tcp_filter term 1 from next-header tcp set firewall family inet6 filter tcp_filter term 1 from tcp-flags syn set firewall family inet6 filter tcp_filter term 1 then count tcp_syn_pkt set firewall family inet6 filter tcp_filter term 1 then log set firewall family inet6 filter tcp_filter term 1 then accept set interfaces lo0 unit 0 family inet6 filter input tcp_filter set interfaces lo0 unit 0 family inet6 address ::10. see “Using the CLI Editor in Configuration Mode” on page 15.Junos OS 11.0/120 Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the firewall filter 1. . For information about navigating the CLI.

Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. } address ::10. If the command output does not display the intended configuration. Inc. } } } 3.34. } then { count tcp_syn_pkt.0/120.Chapter 5: Standard Firewall Filter Configuration Apply the Firewall Filter to the Loopback Interface Step-by-Step Procedure To apply the firewall filter to the loopback interface: • [edit] user@host# set interfaces lo0 unit 0 family inet6 filter input tcp_filter user@host# set interfaces lo0 unit 0 family inet6 address ::10. commit your candidate configuration.0/120 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. 151 . [edit] user@host# show firewall family inet6 { filter tcp_filter { term 1 { from { next-header tcp.1. log. [edit] user@host# show interfaces lo0 { unit 0 { family inet6 { filter { input tcp_filter.1. } } } } 2. [edit] user@host# commit Copyright © 2011. accept. repeat the instructions in this example to correct the configuration. repeat the instructions in this example to correct the configuration.34. Confirm the configuration of the interface by entering the show interfaces configuration mode command. When you are done configuring the device. tcp-flags syn. If the command output does not display the intended configuration. Juniper Networks.

• • Requirements on page 153 Overview on page 153 152 Copyright © 2011. you protect against the use of IP fragmentation as a means to disguise TCP packets from a firewall filter. the first fragment (fragment offset of 0) that arrives at the device contains only the TCP source and destination ports (first 4 bytes). The TCP flags. fragmented packets are not sampled correctly by the firewall filter. arrive in the second fragment (fragment offset of 1). and the sequence number (next 4 bytes). If this IP packet carries a TCP packet. When file sampling. packets are sampled before fragmenting the packet and packet-capture captures packet after fragmentation. port-mirroring and CFLOW is applied on an interface in output direction. consider an IP packet that is fragmented into the smallest allowable fragment size of 8 bytes (a 20-byte IP header plus an 8-byte payload). . For example. Inc.Junos OS 11. On all SRX Series and J Series devices. Related Documentation • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Stateless Firewall Filter to Handle Fragments on page 152 Example: Configuring a Stateless Firewall Filter to Handle Fragments This example shows how to create a stateless firewall filter that handles packet fragments. By applying these policies to the Routing Engine. which are contained in the next 8 bytes of the TCP header. Juniper Networks. enter the show firewall operational mode command. Security Considerations for IP Fragment Filtering. Related Documentation • • Understanding How to Use Standard Firewall Filters on page 29 Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods on page 143 Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers on page 137 • Standard Firewall Filters That Handle Fragmented Packets • • Firewall Filters That Handle Fragmented Packets Overview on page 152 Example: Configuring a Stateless Firewall Filter to Handle Fragments on page 152 Firewall Filters That Handle Fragmented Packets Overview You can create stateless firewall filters that handle fragmented packets destined for the Routing Engine.4 Firewall Filter and Policer Configuration Guide Verification To confirm that the configuration is working properly. See RFC 1858.

Overview In this example. paste them into a text file. the term adds a record to the system logging destinations for the firewall facility.0. Inc. • first-fragment-term—Accepts the first fragment of a fragmented TCP packet with a destination port that specifies the BGP protocol. A packet is considered unfragmented if the MF flag is not set and the fragment offset equals 0. only those fragments that are part of a packet containing a first fragment accepted by first-fragment-term are reassembled by the destination device. In addition.0/0 set firewall family inet filter fragment-RE term not-from-prefix-term from source-address 10. copy the following commands.0/24 except set firewall family inet filter fragment-RE term not-from-prefix-term then discard Copyright © 2011.2. This example includes the following firewall filter terms: • not-from-prefix-term-–Discards packets that are not from 10. NOTE: You can move terms within the firewall filter by using the insert command.2. (packet fragments 6–8191).0/24 only. 153 .0/24 and destined for the BGP port.0/24 to ensure that subsequent terms in the firewall filter are matched against packets from 10.2. However. Configuration CLI Quick Configuration To quickly configure this example. • not-fragmented-term—Accepts unfragmented TCP packets with a destination port that specifies the BGP protocol.1. • small-offset-term—Discards small (1–5) offset packets to ensure that subsequent terms in the firewall filter can be matched against all the headers in the packet. change any details necessary to match your network configuration. Packet fragments offset can be from 1 through 8191. see “insert” in the Junos OS CLI User Guide. • fragment-term—Accepts all fragments that were not discarded by small-offset-term. remove any line breaks.1.2. For more information.1. and then copy and paste the commands into the CLI at the [edit] hierarchy level.Chapter 5: Standard Firewall Filter Configuration • • Configuration on page 153 Verification on page 156 Requirements No special configuration beyond device initialization is required before configuring stateless firewall filters.0. Juniper Networks. set firewall family inet filter fragment-RE term not-from-prefix-term from source-address 0.1. you create a stateless firewall filter called fragment-RE that accepts fragmented packets originating from 10.

[edit firewall family inet filter fragment-RE ] user@host# set term not-from-prefix-term from source-address 0. Configure the first term for the filter. [edit firewall family inet filter fragment-RE term small-offset-term] user@host# set from fragment-offset 1-5 5.0/24 except user@host# set term not-from-prefix-term then discard 3. For instructions on how to do that. Define the third term for the filter.0/0 user@host# set term not-from-prefix-term from source-address 10.2. To configure the stateless firewall filter: 1.0.0. Define the stateless firewall filter. [edit] user@host# edit firewall family inet filter fragment-RE term not-fragmented-term 154 Copyright © 2011. Define the match conditions for the term.1. Define the second term for the filter. Define the action for the term. [edit] user@host# edit firewall family inet filter fragment-RE 2. [edit firewall family inet filter fragment-RE] user@host# edit term small-offset-term 4.4 Firewall Filter and Policer Configuration Guide set firewall family inet filter fragment-RE term small-offset-term from fragment-offset 1-5 set firewall family inet filter fragment-RE term small-offset-term then syslog set firewall family inet filter fragment-RE term small-offset-term then discard set firewall family inet filter fragment-RE term not-fragmented-term from fragment-offset 0 set firewall family inet filter fragment-RE term not-fragmented-term from fragment-flags "!more-fragments" set firewall family inet filter fragment-RE term not-fragmented-term from protocol tcp set firewall family inet filter fragment-RE term not-fragmented-term from destination-port bgp set firewall family inet filter fragment-RE term not-fragmented-term then accept set firewall family inet filter fragment-RE term first-fragment-term from first-fragment set firewall family inet filter fragment-RE term first-fragment-term from protocol tcp set firewall family inet filter fragment-RE term first-fragment-term from destination-port bgp set firewall family inet filter fragment-RE term first-fragment-term then accept set firewall family inet filter fragment-RE term fragment-term from fragment-offset 6-8191 set firewall family inet filter fragment-RE term fragment-term then accept Step-by-Step Procedure The following example requires you to navigate various levels in the configuration hierarchy. Inc. [edit firewall family inet filter fragment-RE term small-offset-term] user@host# set then syslog discard 6.Junos OS 11. . Juniper Networks. see “Using the CLI Editor in Configuration Mode” on page 15 in the Junos OS CLI User Guide.

[edit] user@host# edit firewall family inet filter fragment-RE term first-fragment-term 10. repeat the instructions in this example to correct the configuration. Define the action for the term. Define the last term for the filter. If the output does not display the intended configuration. [edit firewall family inet filter fragment-RE term not-fragmented-term] user@host# set from fragment-flags "!more-fragments" fragment-offset 0 protocol tcp destination-port bgp 8.0/0. user@host# show firewall family inet { filter fragment-RE { term not-from-prefix-term { from { source-address { 0. Define the match conditions for the term. [edit firewall family inet filter fragment-RE term first-fragment-term] user@host# set from first-fragment protocol tcp destination-port bgp 11. [edit firewall family inet filter fragment-RE term first-fragment-term] user@host# set then accept 12. } term small-offset-term { from { Copyright © 2011.1. Define the action for the term.Chapter 5: Standard Firewall Filter Configuration 7. Define the match conditions for the term. [edit firewall family inet filter fragment-RE term fragment-term] user@host# set then accept Results Confirm your configuration by entering the show firewall command from configuration mode. [edit] user@host# edit firewall family inet filter fragment-RE term fragment-term 13. Define the match conditions for the term.0. } } then discard. Juniper Networks. Inc. Define the action for the term.0/24 except.2. 155 . 10.0. Define the fourth term for the filter. [edit firewall family inet filter fragment-RE term not-fragmented-term] user@host# set then accept 9. [edit firewall family inet filter fragment-RE term fragment-term] user@host# set from fragment-offset 6–8191 14.

protocol tcp. enter commit from configuration mode. } then accept. From configuration mode. } then { syslog. } then accept.Junos OS 11. enter the show firewall command. } then accept. verify that the terms are listed in the order in which you want the packets to be tested. fragment-flags "!more-fragments". . You can analyze the flow of the filter terms by displaying the entire configuration. Verification To confirm that the configuration is working properly. Verify that the output shows the intended configuration of the firewall filter. destination-port bgp. } term fragment-term { from { fragment-offset 6-8191. Inc. Action Meaning 156 Copyright © 2011. Juniper Networks. protocol tcp. } } } If you are done configuring the device. } term first-fragment-term { from { first-fragment. discard. You can move terms within a firewall filter by using the insert CLI command. destination-port bgp. } } term not-fragmented-term { from { fragment-offset 0.4 Firewall Filter and Policer Configuration Guide fragment-offset 1-5. In addition. perform these tasks: • • Displaying Stateless Firewall Filter Configurations on page 156 Verifying a Firewall Filter that Handles Fragments on page 157 Displaying Stateless Firewall Filter Configurations Purpose Verify the configuration of the firewall filter.

A prefix-specific action applies additional matching criteria on the filter-matched packets based on specified address prefix bits and then associates the matched packets with a counter and policer instance for that filter term or for all terms in the firewall filter.0/24 with small fragment offsets are recorded in the device’s system logging destinations for the firewall facility. After you name and configure a policer. A policer specifies two types of rate limits on traffic: • Bandwidth limit—The average traffic rate permitted.1.2. You can then apply the policer in an interface configuration or. Juniper Networks. you can also specify a prefix-specific action as a nonterminating action that applies a policer to the matched packets. it is stored as a template. or rate limiting. is an important component of firewall filters that lets you limit the amount of traffic that passes into or out of an interface. in a firewall filter configuration. Send packets to the device that match the terms. For an IPv4 firewall filter term only. set to a specific packet loss priority (PLP) level.Chapter 5: Standard Firewall Filter Configuration Verifying a Firewall Filter that Handles Fragments Purpose Action Meaning Verify that the actions of the firewall filter terms are taken. Packets can be marked for a lower priority by being set to a specific output queue. Standard Firewall Filters That Set Rate Limits • • Stateless Firewall Filters That Reference Policers Overview on page 157 Example: Configuring a Rate-Limiting Filter Based on Destination Class on page 158 Stateless Firewall Filters That Reference Policers Overview Policing. specified as a number of bits per second. to rate-limit packet-filtered traffic only. You can use policing to define specific classes of traffic on an interface and apply a set of rate limits to each class. Maximum burst size—The packet size permitted for bursts of data that exceed the bandwidth limit. Inc. Traffic that exceeds the rate limits configured for the policer is either discarded or marked as lower priority than traffic that conforms to the configured rate limits. Copyright © 2011. or both. low-priority traffic can be discarded to prevent congestion. 157 . • Policing uses an algorithm to enforce a limit on average bandwidth while allowing bursts up to a specified maximum value. Related Documentation • show route summary in the Junos OS Routing Protocols and Policies Command Reference. Verify that packets from 10. A stateless firewall filter that references a policer can provide protection from denial-of-service (DOS) attacks. When necessary.

Inc.Junos OS 11. 158 Copyright © 2011. configure the destination class class1. To activate a policer from within a stateless firewall filter configuration: • • Create a template for the policer by including the policer policer-name statement. • • • • Requirements on page 158 Overview on page 158 Configuration on page 159 Verification on page 161 Requirements No special configuration beyond device initialization is required before configuring this example. Juniper Networks. . Reference the policer in a filter term that specifies the policer in the policer policer-name nonterminating action. you use a stateless firewall filter to set rate limits based on a destination class.4 Firewall Filter and Policer Configuration Guide To apply a policer or a prefix action to packet-filtered traffic. Overview In this example. You can also activate a policer by including the policer (input | output) policer-template-name statement at a logical interface. Before you begin. you can use the following firewall filter nonterminating actions: • • • policer policer-name three-color-policer (single-rate | two-rate) policer-name prefix-action action-name Related Documentation • • • Standard Firewall Filter Nonterminating Actions on page 82 Traffic Policing Overview on page 297 Prefix-Specific Counting and Policing Overview on page 359 Example: Configuring a Rate-Limiting Filter Based on Destination Class This example shows how to configure a rate-limiting stateless firewall filter.

1. copy the following commands into a text file. Configure the policer template police_class1. Create the stateless firewall filter rl_dclass1. set firewall filter rl_dclass1 policer police_class1 if-exceeding bandwidth-limit 25 set firewall filter rl_dclass1 policer police_class1 if-exceeding burst-size-limit 1000 set firewall filter rl_dclass1 policer police_class1 then discard set firewall filter rl_dclass1 term term1 from destination-class class1 set firewall filter rl_dclass1 term term1 then policer police_class1 set interfaces ge-0/0/1 unit 0 family inet address 10. see “Using the CLI Editor in Configuration Mode” on page 15. 159 . • • • Configure the Stateless Firewall Filter on page 159 Apply the Stateless Firewall Filter to a Logical Interface on page 159 Confirm and Commit Your Candidate Configuration on page 160 CLI Quick Configuration To quickly configure this example. and then paste the commands into the CLI at the [edit] hierarchy level.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input ospf_or_131 Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter rl_dclass1 with policer police_class1 for destination class class1: 1.Chapter 5: Standard Firewall Filter Configuration Configuration The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI. [edit firewall filter rl_dclass1] user@host# set policer police_class1 if-exceeding bandwidth-limit 25 user@host# set policer police_class1 if-exceeding burst-size-limit 1000 user@host# set policer police_class1 then discard 3. [edit firewall filter rl_dclass1] user@host# set term term1 from destination-class class1 user@host# set term term1 then policer police_class1 Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the filter rl_dclass1 to a logical interface: 1. Juniper Networks. Configure a filter term that uses policer police_class1 to rate-limit traffic for destination class class1. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet Copyright © 2011. remove any line breaks. Inc. [edit] user@host# edit firewall filter rl_dclass1 2.2. Configure the logical interface to which you will apply the stateless firewall filter.

[edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input rl_dclass1 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. burst-size-limit 1000.3/30.4 Firewall Filter and Policer Configuration Guide 2. } address 10. [edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input rl_dclass1. Juniper Networks.3/30 3. . repeat the instructions in this example to correct the configuration. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command.1. repeat the instructions in this example to correct the configuration. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. Apply the stateless firewall filter to the logical interface. } then { discard.Junos OS 11.1. Inc. } } term term1 { from { destination-class class1. If the command output does not display the intended configuration. If the command output does not display the intended configuration. Confirm the configuration of the interface by entering the show interfaces configuration mode command. Configure the interface address for the logical interface. } } } 160 Copyright © 2011. } then { policer police_class1.2.2. [edit] user@host# show firewall filter rl_dclass1 { policer police_class1 { if-exceeding { bandwidth-limit 25. } } } 2.

You partition your filtering terms into multiple firewall filters that each perform a filtering task. you only manage the configuration for a filtering task in a single firewall filter. you want the flexibility of being able to modify filtering terms common to multiple interfaces without having to reconfigure the filter of every affected interface. you apply a single stateless firewall filter to an interface in the input or output direction or both. 161 . enter the show class-of-service ge-0/0/1 operational mode command. However. the solution is to apply an effectively “chained” structure of multiple stateless firewall filters to a single interface. this approach might not be practica. Related Documentation • • • • • Understanding How to Use Standard Firewall Filters on page 29 Filtering Packets Received on an Interface Set Overview on page 192 Statement Hierarchy for Defining an Interface Set on page 192 Statement Hierarchy for Configuring a Filter to Match on an Interface Set on page 193 Example: Filtering Packets Received on an Interface Set on page 193 Multiple Standard Firewall Filters Applied as a List • • • Multiple Standard Firewall Filters Applied as a List Overview on page 161 Guidelines for Applying Multiple Standard Firewall Filters as a List on page 164 Example: Applying Lists of Multiple Standard Firewall Filters on page 165 Multiple Standard Firewall Filters Applied as a List Overview This topic covers the following information: • • • • • • The Challenge: Simplify Large-Scale Firewall Filter Administration on page 161 A Solution: Apply Lists of Firewall Filters on page 162 Configuration of Multiple Filters for Filter Lists on page 162 Application of Filter Lists to a Router Interface on page 162 Interface-Specific Names for Filter Lists on page 163 How Filter Lists Evaluate Packets on page 163 The Challenge: Simplify Large-Scale Firewall Filter Administration Typically. when you have a device configured with many interfaces. commit your candidate configuration. Juniper Networks. [edit] user@host# commit Verification To confirm that the configuration is working properly.Chapter 5: Standard Firewall Filter Configuration 3. Inc. In large environments. Copyright © 2011. In this way. In general. You can then choose which filtering tasks you want to perform for a given interface and apply the filtering tasks to that interface. If you are done configuring the device.

consider configuring a separate firewall filter that contains the shared filtering terms. One option is to apply multiple filters as a single input list or output list.Junos OS 11. The other option is to reference a stateless firewall filter from within the term of another stateless firewall filter. A Solution: Apply Lists of Firewall Filters The most straightforward way to avoid configuring duplicate filtering terms common to multiple stateless firewall filters is to configure multiple firewall filters and then apply a customized list of filters to each interface. The Junos OS uses the filters—in the order in which they appear in the list—to evaluate packets that transit the interface. administrators often organize the shared filters by filtering criteria.4 Firewall Filter and Policer Configuration Guide The Junos OS policy framework provides two options for managing the application of multiple separate firewall filters to individual router interfaces. by the services to which customers subscribe. or by the purposes of the interfaces. you only need to modify one firewall filter that contains those terms. Shared filters—For each set of packet-filtering rules common across two or more interfaces. configure a separate firewall filter that contains only the filtering terms for that interface. 162 Copyright © 2011. Include the filter that contain only the filtering terms unique to the interface. If you need to modify filtering terms shared across multiple interfaces. Application of Filter Lists to a Router Interface Applying a list of firewall filters to an interface is a matter of selecting the filters that meet the packet-filtering requirements of that interface. you can include an input-list or output-list statement (or both) within the filter stanza to specify the relevant filters in the order in which they are to be used: • • Include any filters that contain common filtering terms relevant to the interface. . Configuration of Multiple Filters for Filter Lists Configuring firewall filters to be applied in unique lists for each router interface involves separating shared packet-filtering rules from interface-specific packet-filtering rules as follows: • Unique filters—For each set of packet-filtering rules unique to a specific interface. • TIP: When planning for a large number firewall filters to be applied using filter lists. For each interface. NOTE: In contrast with the alternative approach (configuring nested firewall filters) applying firewall filter lists combines multiple firewall filters at each interface application point. Juniper Networks. Inc.

• • Otherwise. the resulting concatenated filter is interface-specific. • Input filter list name—For example. if no packet match results in an implicit or explicit terminating action. the Junos OS uses the following name for the filter: fe-0/1/2. routing-instance routing-instance-name. If the packet matches a term that includes the next term action. any nonterminating actions are taken and then the packet is implicitly accepted. the Junos OS uses the following name for the filter: ge-1/3/0. if you use the output-list statement to apply a chain of filters to logical interface fe-0/1/2. the packet is counted and evaluation of the packet continues with the next term or firewall filter. the matching packet is evaluated against the next term in the firewall filter. otherwise. 163 .0-o You can use the interface-specific name of a filter list when you enter a Junos OS operational mode command that specifies a stateless firewall filter name. Terminating actions include the following: accept. any subsequent filters in the list are not used to evaluate the packet. if a packet matches a standard firewall filter term that is configured with the count nonterminating action and the next term flow control action. and therefore any subsequent filters in the list are not used to evaluate the packet. beginning with the first filter in the list until either a terminating action occurs or the packet is implicitly discarded: • If the packet matches a filter term that specifies a terminating action. The system-generated name of an interface-specific filter consists of the full interface name followed by either ’-i’ for an input filter list or ’-o’ for an output filter list. Juniper Networks. the matching packet is not evaluated against subsequent terms in the firewall filter. How Filter Lists Evaluate Packets The policy framework software evaluates a packet against the filters in a list sequentially. reject. Inc.0. logical-system logical-system-name. How Standard Firewall Filters Evaluate Packets on page 20 Guidelines for Applying Multiple Standard Firewall Filters as a List on page 164 Example: Applying Lists of Multiple Standard Firewall Filters on page 165 Related Documentation • • • Copyright © 2011. For example.Chapter 5: Standard Firewall Filter Configuration Interface-Specific Names for Filter Lists Because a filter list is configured under an interface. discard.0. The accept action is a terminating action.0-i • Output filter list name—For example. the packet is implicitly discarded. and topology topology-name. if you use the input-list statement to apply a chain of filters to logical interface ge-1/3/0. If the packet matches a filter term that does not specify either a terminating action or the next term action.

input-list [ filter-names ]. Juniper Networks. 164 Copyright © 2011.. To apply a list of multiple filters to the input or output direction of a router logical interface. . } } } } } You can include the interface configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Filter Input Lists and Output Lists for Router Interfaces When applying a list of firewall filters as a list.. the following limitations apply: • • You can specify up to 16 firewall filters for a filter input list.Junos OS 11. you include the input filter-name or output filter-name statement under the filter stanza for a protocol family. Inc..4 Firewall Filter and Policer Configuration Guide Guidelines for Applying Multiple Standard Firewall Filters as a List This topic covers the following information: • • • • Statement Hierarchy for Applying Lists of Multiple Firewall Filters on page 164 Filter Input Lists and Output Lists for Router Interfaces on page 164 Types of Filters Supported in Lists on page 164 Restrictions on Applying Filter Lists for MPLS or Layer 2 CCC Traffic on page 165 Statement Hierarchy for Applying Lists of Multiple Firewall Filters To apply a single filter to the input or output direction of a router logical interface. include the input-list [ filter-names ] or output-list [ filter-names ] statement under the filter stanza for a protocol family: interfaces { interface-name { unit logical-unit-number { family family-name { filter { .filter-options. Types of Filters Supported in Lists Lists of multiple firewall filters applied to a router interface support standard stateless firewall filters only. You can specify up to 16 firewall filters for a filter output list. output-list [ filter-names ].. You cannot apply lists containing service filters or simple filters to a router interface.

0. • Overview In this example. or MPC and performed the initial router configuration. Juniper Networks. the configuration section of this example includes setting an IP address for logical interface ge-1/3/0. DPC. • Verified that traffic is flowing in the topology and that ingress and egress IPv4 traffic is flowing through logical interface ge-1/3/0. you can use the input-list [ filter-names ] and output-list [ filter-names ] statements for all interfaces except the following: • • • Management and internal Ethernet (fxp) interfaces Loopback (lo0) interfaces USB modem (umd) interfaces Multiple Standard Firewall Filters Applied as a List Overview on page 161 Example: Applying Lists of Multiple Standard Firewall Filters on page 165 Related Documentation • • Example: Applying Lists of Multiple Standard Firewall Filters This example shows how to apply lists of multiple stateless firewall filters. be sure that you have: • Installed your router and supported PIC.1. This example uses logical interface ge-1/3/0. • • NOTE: For completeness. Configured a logical interface to run the IP version 4 (IPv4) protocol (family inet) and configured the logical interface with an interface address. you configure three IPv4 stateless firewall filters and apply each filter directly to the same logical interface by using a list. Inc. Configured basic Ethernet in the topology.Chapter 5: Standard Firewall Filter Configuration Restrictions on Applying Filter Lists for MPLS or Layer 2 CCC Traffic When applying stateless firewall filters that evaluate MPLS traffic (family mpls) or Layer 2 circuit cross-connection traffic (family ccc).0.0.1.0 configured with the IP address 1. Copyright © 2011. Verified that you have access to the remote host that is connected to this router’s logical interface ge-1/3/0.2/30. 165 . • • • • Requirements on page 165 Overview on page 165 Configuration on page 166 Verification on page 169 Requirements Before you begin.

see “Using the CLI Editor in Configuration Mode” on page 15. • • • Configure Multiple IPv4 Stateless Firewall Filters on page 167 Apply the Filters to a Logical Interface as an Input List and an Output List on page 167 Confirm and Commit Your Candidate Configuration on page 168 CLI Quick Configuration To quickly configure this example.2/30 166 Copyright © 2011. set firewall family inet filter filter_FTP term 0 from protocol tcp set firewall family inet filter filter_FTP term 0 from destination-port 21 set firewall family inet filter filter_FTP term 0 then count pkts_FTP set firewall family inet filter filter_FTP term 0 then accept set firewall family inet filter filter_SSH term 0 from protocol tcp set firewall family inet filter filter_SSH term 0 from destination-port 23 set firewall family inet filter filter_SSH term 0 then count pkts_SSH set firewall family inet filter filter_SSH term 0 then accept set firewall family inet filter filter_Telnet term 0 from protocol tcp set firewall family inet filter filter_Telnet term 0 from destination-port 22 set firewall family inet filter filter_Telnet term 0 then count pkts_Telnet set firewall family inet filter filter_Telnet term 0 then accept set firewall family inet filter filter_discard term 1 then count pkts_discarded set firewall family inet filter filter_discard term 1 then discard set interfaces ge-1/3/0 unit 0 family inet address 1.1. In this simple example. . remove any line breaks. Filter filter_Telnet matches on the Telnet port number (23). Configuration The following example requires you to navigate various levels in the configuration hierarchy. copy the following commands into a text file. Filter filter_SSH matches on the SSH port number (22). and then paste the commands into the CLI at the [edit] hierarchy level.Junos OS 11.0. Any of the filters can be applied to other interfaces. If an inbound packet does not match any of the filters in the input list. the order is irrelevant because all of the filters specify the same action. Inc. Juniper Networks. Each filter contains a single term that evaluates IPv4 packets and accepts packets based on the value of the destination port field in the TCP header: • • • Filter filter_FTP matches on the FTP port number (21). NOTE: The Junos OS uses filters in a list in the order in which the filter names appear in the list. either alone (using the input or output statement) or in combination with other filters (using the input-list or output-list statement).1. the packet is discarded. For information about navigating the CLI.4 Firewall Filter and Policer Configuration Guide Topology This example applies the following firewall filters as a list of input filters at logical interface ge-1/3/0. The objective is to configure multiple “minimalist” firewall filters that you can reuse in interface-specific filter lists.

Configure the third firewall filter to count and accept packets from port 22.2/30 Copyright © 2011. [edit] user@host# edit firewall family inet 2. [edit firewall family inet] user@host# set filter filter_Telnet term 0 from protocol tcp user@host# set filter filter_Telnet term 0 from destination-port 22 user@host# set filter filter_Telnet term 0 then count pkts_Telnet user@host# set filter filter_Telnet term 0 then accept 5. [edit firewall family inet] user@host# set filter filter_FTP term 0 from protocol tcp user@host# set filter filter_FTP term 0 from destination-port 21 user@host# set filter filter_FTP term 0 then count pkts_FTP user@host# set filter filter_FTP term 0 then accept 3. Inc. [edit firewall family inet] user@host# set filter filter_SSH term 0 from protocol tcp user@host# set filter filter_SSH term 0 from destination-port 23 user@host# set filter filter_SSH term 0 then count pkt_SSH user@host# set filter filter_SSH term 0 then accept 4. Configure the first firewall filter to count and accept packets for port 21.1.Chapter 5: Standard Firewall Filter Configuration set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_FTP set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_SSH set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_Telnet set interfaces ge-1/3/0 unit 0 family inet filter input-list filter_discard Configure Multiple IPv4 Stateless Firewall Filters Step-by-Step Procedure To configure the IPv4 stateless firewall filters: 1. 167 .0. [edit] user@host# edit interfaces ge-1/3/0 unit 0 family inet 2. Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters. [edit interfaces ge-1/3/0 unit 0 family inet] user@host# set address 1. [edit firewall family inet] user@host# set filter filter_discard term 1 then count pkts_discarded user@host# set filter filter_discard term 1 then discard Apply the Filters to a Logical Interface as an Input List and an Output List Step-by-Step Procedure To apply the six IPv4 stateless firewall filters as a list of input filters and a list of output filters: 1. Juniper Networks. Navigate the CLI to the hierarchy level at which you apply IPv4 firewall filters to logical interface ge-1/3/0. Configure the last firewall filter to count the discarded packets. Configure the second firewall filter to count and accept packets for port 23. Configure the IPv4 protocol family for the logical interface.1.

Apply the filters as a list of input filters. 168 Copyright © 2011. } then { count pkts_FTP. destination-port 21. } } } filter filter_Telnet { term 0 { from { protocol tcp. } then { count pkts_SSH. . accept. Juniper Networks. } } } filter filter_SSH { term 0 { from { protocol tcp.Junos OS 11. [edit] user@host# show firewall family inet { filter filter_FTP { term 0 { from { protocol tcp. accept. Inc. } } } filter filter_discard { term 1 { then { count pkts_discarded. accept. repeat the instructions in this example to correct the configuration. Confirm the configuration of the stateless firewall filters by entering the show firewall configuration mode command. } then { count pkts_Telnet. destination-port 23.4 Firewall Filter and Policer Configuration Guide 3. If the command output does not display the intended configuration. destination-port 22. [edit interfaces ge-1/3/0 unit 0 family inet] user@host# set filter input-list [ filter_FTP filter_SSH filter_Telnet filter_discard ] Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1.

169 . send a packet with destination port number 22 in the header.0.0. [edit] user@host# show interfaces ge-1/3/0 { unit 0 { family inet { filter { input-list [ filter_FTP filter_SSH filter_Telnet filter_discard ]. The packet should be accepted. From the remote host that is connected to this router’s logical interface ge-1/3/0. } } } 3. Juniper Networks. Inc. send a packet with destination port number 23 in the header. If you are done configuring the device. SSH or Telnet Port Purpose Action Verify that all three filters are active for the logical interface. 3. The packet should be accepted. From the remote host that is connected to this router’s logical interface ge-1/3/0.1. [edit] user@host# commit Verification Confirm that the configuration is working properly. 2.2/30. To verify that input packets are accepted according to the three filters: 1. If the command output does not display the intended configuration. send a packet with destination port number 21 in the header. • Verifying That Inbound Packets Are Accepted Only If Destined for the FTP. repeat the instructions in this example to correct the configuration. Copyright © 2011. From the remote host that is connected to this router’s logical interface ge-1/3/0.Chapter 5: Standard Firewall Filter Configuration discard. Confirm the configuration of the interface by entering the show interfaces configuration mode command. } address 1. The packet should be accepted. } } } } 2. SSH or Telnet Port on page 169 Verifying That Inbound Packets Are Accepted Only If Destined for the FTP.0. commit your candidate configuration.1.

Inc. This approach might not be practical. In an environment of this scale.0. The command output displays the number of bytes and packets that match filter terms associated with the following counters: • • • • pkts_FTP-ge-1/3/0. To display counter information for the list of filters applied to the input at ge-1/3/0. 5. when you have a router configured with many. You partition your filtering terms into multiple firewall filters configured so that you can apply a unique filter to each router interface but also apply common filters to multiple router interfaces as required. Juniper Networks. In general. you apply a single stateless firewall filter to an interface in the input or output direction or both. From the remote host that is connected to this router’s logical interface ge-1/3/0. 22.0-i pkts_discard-ge-1/3/0. . the solution is to apply an effectively “chained” structure of multiple stateless firewall filters to a single interface.0-i enter the show firewall filter ge-1/3/0. The packet should be discarded. One option is to apply multiple filters as a 170 Copyright © 2011.0-i operational mode command.0-i Related Documentation • • Multiple Standard Firewall Filters Applied as a List Overview on page 161 Guidelines for Applying Multiple Standard Firewall Filters as a List on page 164 Multiple Standard Firewall Filters in a Nested Configuration • • • Multiple Standard Firewall Filters in a Nested Configuration Overview on page 170 Guidelines for Nesting References to Multiple Standard Firewall Filters on page 172 Example: Nesting References to Multiple Standard Firewall Filters on page 173 Multiple Standard Firewall Filters in a Nested Configuration Overview This topic covers the following information: • • • • The Challenge: Simplify Large-Scale Firewall Filter Administration on page 170 A Solution: Configure Nested References to Firewall Filters on page 171 Configuration of Nested Firewall Filters on page 171 Application of Nested Firewall Filters to a Router Interface on page 171 The Challenge: Simplify Large-Scale Firewall Filter Administration Typically. or 23. send a packet with a destination port number other than 21. however. even hundreds of interfaces.0-i pkts_SSH-ge-1/3/0. The Junos OS policy framework provides two options for managing the application of multiple separate firewall filters to individual router interfaces. you want the flexibility of being able to modify filtering terms common to multiple interfaces without having to reconfigure the filter of every affected interface.Junos OS 11.0-i pkts_Telnet-ge-1/3/0.4 Firewall Filter and Policer Configuration Guide 4.

171 . Configuration of Nested Firewall Filters Configuring a nested firewall filter for each router interface involves separating shared packet-filtering rules from interface-specific packet-filtering rules as follows: • For each set of packet-filtering rules common across multiple interfaces. Inc. An additional filtering term that includes a filter reference to the firewall filter that contains the common filtering terms. you only need to modify one firewall filter.Chapter 5: Standard Firewall Filter Configuration single input list or output list. A Solution: Configure Nested References to Firewall Filters The most structured way to avoid configuring duplicate filtering terms common to multiple stateless firewall filters is to configure multiple stateless firewall filters so that each filter includes the shared filtering terms by referencing a separate filter that contains the common filtering terms. configure a separate firewall filter that contains the shared filtering terms. Related Documentation • • Guidelines for Nesting References to Multiple Standard Firewall Filters on page 172 Example: Nesting References to Multiple Standard Firewall Filters on page 173 Copyright © 2011. Application of Nested Firewall Filters to a Router Interface Applying nested firewall filters is no different from applying an unnested firewall filter. configuring a nested firewall filter combines multiple firewall filters into a new firewall filter definition. Applying nested firewall filters to an interface. For each router interface. NOTE: Similar to the alternative approach (applying a list of firewall filters). The other option is to reference a stateless firewall filter from within the term of another stateless firewall filter. you can include an input or output statement (or both) within the filter stanza to specify the appropriate nested firewall filter. For each interface. If you need to modify filtering terms shared across multiple interfaces. The Junos OS uses the filter terms—in the order in which they appear in the filter definition—to evaluate packets that transit the interface. Juniper Networks. the shared filtering terms and the interface-specific firewall filters are applied through a single nested firewall filter that includes other filters through the filter statement within a separate filtering term. configure a separate firewall filter that contains: • • • All the filtering terms unique to that interface.

1. include the filter filter-name statement as a separate filter term: firewall firewall-name { family family-name { filter filter-name { term term-name { filter filter-name. } } } } You can include the firewall configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Filter-Defining Terms and Filter-Referencing Terms You cannot configure a firewall filter term that both references another firewall filter and defines a match condition or action. . } } } } 172 Copyright © 2011. the firewall filter term term term1 in the configuration is not valid: [edit] firewall { family inet { filter filter_1 { term term1 { filter filter_2. If a firewall filter term includes the filter statement. } then { accept.1. from { source-address 1.4 Firewall Filter and Policer Configuration Guide Guidelines for Nesting References to Multiple Standard Firewall Filters This topic covers the following information: • • • • • Statement Hierarchy for Configuring Nested Firewall Filters on page 172 Filter-Defining Terms and Filter-Referencing Terms on page 172 Types of Filters Supported in Nested Configurations on page 173 Number of Filter References in a Single Filter on page 173 Depth of Filter Nesting on page 173 Statement Hierarchy for Configuring Nested Firewall Filters To reference a filter from within a filter. then it cannot also include the from or then statement.1/32. Inc. Juniper Networks. For example.Junos OS 11.

Topology The common_filter firewall filter discards packets that have a UDP source or destination port field number of 69. you must either remove the filter filter_2 statement or remove both the from and then stanzas. if the common filtering criteria needs to be changed. Both of the two additional firewall filters. You then configure two firewall filters that reference the first firewall filter. 173 . reference the common_filter. If filter_1 references filter_2. Number of Filter References in a Single Filter The total number of filters referenced from within a filter cannot exceed 256. Juniper Networks. • • • • Requirements on page 173 Overview on page 173 Configuration on page 174 Verification on page 176 Requirements No special configuration beyond device initialization is required before configuring this example. Later. Inc.Chapter 5: Standard Firewall Filter Configuration } In order for term term1 to be a valid filter term. Overview In this example. Depth of Filter Nesting The Junos OS supports a single level of firewall filter nesting. You cannot use service filters or simple filters in a nested firewall filter configuration. Types of Filters Supported in Nested Configurations Nested configurations of firewall filters support standard stateless firewall filters only. you cannot configure a filter that references a filter that references filter_1. filter1 and filter2. Copyright © 2011. you configure a stateless firewall filter for a match condition and action combination that can be shared among multiple firewall filters. Related Documentation • • Multiple Standard Firewall Filters in a Nested Configuration Overview on page 170 Example: Nesting References to Multiple Standard Firewall Filters on page 173 Example: Nesting References to Multiple Standard Firewall Filters This example shows how to configure nested references to multiple stateless firewall filters. you would modify only the one shared firewall filter configuration.

0. • • • Configure the Nested Firewall Filters on page 174 Apply Both Nested Firewall Filters to Interfaces on page 175 Confirm and Commit Your Candidate Configuration on page 175 CLI Quick Configuration To quickly configure this example. [edit firewall family inet] user@host# set filter common_filter term common_term from protocol udp user@host# set filter common_filter term common_term from port tftp user@host# set filter common_filter term common_term then discard 3.3. [edit] user@host# edit firewall family inet 2.0/16 user@host# set filter filter1 term term2 then reject 4.1. [edit firewall family inet] user@host# set filter filter1 term term1 filter common-filter user@host# set filter filter1 term term2 from address 192. Configure a filter that references the common filter. .0. and then paste the commands into the CLI at the [edit] hierarchy level. [edit firewall family inet] user@host# set filter filter2 term term1 filter common-filter user@host# set filter filter2 term term2 from protocol udp 174 Copyright © 2011. Configure the common filter that will be referenced by multiple other filters.4 Firewall Filter and Policer Configuration Guide Configuration The following example requires you to navigate various levels in the configuration hierarchy. Configure a second filter that references the common filter. Inc. copy the following commands into a text file.1/24 set interfaces ge-0/0/0 unit 0 family inet filter input filter2 Configure the Nested Firewall Filters Step-by-Step Procedure To configure two nested firewall filters that share a common filter: 1. remove any line breaks.168.0. Juniper Networks.1.Junos OS 11. For information about navigating the CLI.1/24 set interfaces ge-0/0/0 unit 0 family inet filter input filter1 set interfaces ge-0/0/3 unit 0 family inet address 10.168.0/16 set firewall family inet filter filter1 term term2 then reject set firewall family inet filter filter2 term term1 filter common-filter set firewall family inet filter filter2 term term2 from protocol udp set firewall family inet filter filter2 term term2 from port bootps set firewall family inet filter filter2 term term2 then accept set interfaces ge-0/0/0 unit 0 family inet address 10. Navigate the CLI to the hierarchy level at which you configure IPv4 firewall filters. see “Using the CLI Editor in Configuration Mode” on page 15. set firewall family inet filter common_filter term common_term from protocol udp set firewall family inet filter common_filter term common_term from port tftp set firewall family inet filter common_filter term common_term then discard set firewall family inet filter filter1 term term1 filter common-filter set firewall family inet filter filter1 term term2 from address 192.

1. Inc.1/24 user@host# set interfaces ge-0/0/0 unit 0 family inet filter input filter2 Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. Juniper Networks. [edit] user@host# set interfaces ge-0/0/3 unit 0 family inet address 10. 175 . } then { reject. } } } filter filter2 { term term1 { Copyright © 2011.Chapter 5: Standard Firewall Filter Configuration user@host# set filter filter2 term term2 from port bootps user@host# set filter filter2 term term2 then accept Apply Both Nested Firewall Filters to Interfaces Step-by-Step Procedure To apply both nested firewall filters to logical interfaces: 1.1. Apply the first nested filter to a logical interface input.1/24 user@host# set interfaces ge-0/0/0 unit 0 family inet filter input filter1 2. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command.3.168/16. [edit] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10. } then { discard. If the command output does not display the intended configuration. repeat the instructions in this example to correct the configuration. Apply the second nested filter to a logical interface input. port tftp. } } } filter filter1 { term term1 { filter common-filter. } term term2 { from { address 192. [edit] user@host# show firewall family inet { filter common_filter { term common_term { from { protocol udp.0.

commit your candidate configuration. If you are done configuring the device.3. } then { accept. } address 10. } address 10.Junos OS 11. If the command output does not display the intended configuration. Inc. Confirm the configuration of the interface by entering the show interfaces configuration mode command. } term term2 { from { protocol udp. enter the show firewall filter filter1 and show firewall filter filter2 operational mode commands. } } } } 2. [edit] user@host# commit Verification To confirm that the configuration is working properly. [edit] user@host# show interfaces ge-0/0/0 { unit 0 { family inet { filter { input filter1.1/24. Juniper Networks. . } } } ge-0/0/3 { unit 0 { family inet { filter { input filter2. port bootps. repeat the instructions in this example to correct the configuration. Related Documentation • • Multiple Standard Firewall Filters in a Nested Configuration Overview on page 170 Guidelines for Nesting References to Multiple Standard Firewall Filters on page 172 176 Copyright © 2011.4 Firewall Filter and Policer Configuration Guide filter common-filter. } } } 3.1.0.1/24.1.

You can enable this option per firewall filter by including the interface-specific statement in the filter configuration. and MX Series routers. M320. Interface-specific instances are not supported for simple filters. Interface-specific firewall filtering is supported for standard stateless firewall filters and for service filters. and MX Series routers. the filter acts on the sum of traffic entering or exiting those interfaces. If you apply a firewall filter to multiple interfaces on an M Series router other than the M120 or M320 routers. M120. 177 . NOTE: On T Series. interfaces are distributed among multiple packet-forwarding components. any count actions or policer actions configured in the filter terms act on the traffic stream entering or exiting each individual interface. M320. Juniper Networks. If you enable interface-specific instantiation of a firewall filter and then apply that filter to multiple interfaces.Chapter 5: Standard Firewall Filter Configuration Interface-Specific Firewall Filter Instances • • • • Interface-Specific Firewall Filter Instances Overview on page 177 Statement Hierarchy for Configuring Interface-Specific Firewall Filters on page 179 Statement Hierarchy for Applying Interface-Specific Firewall Filters on page 180 Example: Configuring Interface-Specific Firewall Filter Counters on page 180 Interface-Specific Firewall Filter Instances Overview This topic covers the following information: • • • • Instantiation of Interface-Specific Firewall Filters on page 177 Interface-Specific Names for Firewall Filter Instances on page 178 Interface-Specific Firewall Filter Counters on page 178 Interface-Specific Firewall Filter Policers on page 179 Instantiation of Interface-Specific Firewall Filters On T Series. Inc. Interface-specific firewall filtering is not supported on M Series routers other than the M120 and M320 routers. Copyright © 2011. M120. regardless of the sum of traffic on the multiple interfaces. you can enable the Junos OS to automatically create an interface-specific instance of a firewall filter for each interface to which you apply the filter.

if you apply the interface-specific firewall filter filter_s_tcp to the output at logical interface so-2/2/2. suppose you configure the filter counter count_tcp for an interface-specific firewall filter.2-o You can use the interface-specific name of a filter instance when you enter a Junos OS operational mode command that specifies a stateless firewall filter name. and either ’-i’ for an input filter instance or ’-o’ for an output filter instance. Interface-Specific Firewall Filter Counters Instantiation of interface-specific firewall filters causes the Packet Forwarding Engine to maintain any counters for the firewall filter separately for each interface. Juniper Networks. the full interface name. The system-generated name of a firewall filter instance consists of the name of the configured filter followed by a hyphen (’-’). the Junos OS instantiates an interface-specific filter instance with the following system-generated name: filter_s_tcp-at-1/1/1. This is because firewall filter names are restricted to 64 bytes in length.4 Firewall Filter and Policer Configuration Guide Interface-Specific Names for Firewall Filter Instances When the Junos OS creates a separate instance of a firewall filter for a logical interface. the policy framework software might reject the instance name. If a system-generated filter instance name exceeds this maximum length. TIP: When you configure a firewall filter with interface-specific instances enabled. If the filter is applied to the input at logical interface at-1/1/1. You specify interface-specific counters per firewall filter term by specifying the count counter-name non-terminating action.0. If the filter is applied to the output at logical interface so-2/2/2. • Interface-specific input filter counter name—For example.0. • Input filter instance name—For example. if you apply the interface-specific firewall filter filter_s_tcp to the input at logical interface at-1/1/1. The system-generated name of an interface-specific firewall filter counter consists of the name of the configured counter followed by a hyphen (’-’). the instance is associate with an interface-specific name. and either ’-i’ for an input filter instance or ’-o’ for an output filter instance.2. the full interface name. . the Junos OS creates the following system-generated counter name: count_udp-so-2/2/2. suppose you configure the filter counter count_udp for an interface-specific firewall filter. the Junos OS creates the following system-generated counter name: count_tcp-at-1/1/1.0-i • Output filter instance name—For example.Junos OS 11.2. we recommend you limit the filter name to 52 bytes in length. Inc.0-i • Interface-specific output filter counter name—For example. the Junos OS instantiates an interface-specific filter instance with the following system-generated name: count_s_tcp-so-2/2/2.2-o 178 Copyright © 2011.

Chapter 5: Standard Firewall Filter Configuration Interface-Specific Firewall Filter Policers Instantiation of interface-specific firewall filters not only creates separate instances of any firewall filter counters but also creates separate instances of any policer actions. policer policer-name.. } } ] You can include the firewall configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • • Interface-Specific Firewall Filter Instances Overview on page 177 Statement Hierarchy for Applying Interface-Specific Firewall Filters on page 180 Example: Configuring Interface-Specific Firewall Filter Counters on page 180 Copyright © 2011. You specify interface-specific policers per firewall filter term by specifying the policer policer-name non-terminating action. Any counters specified as actions in an interface-specific filter are maintained separately per filter instance. Related Documentation • • • Statement Hierarchy for Configuring Interface-Specific Firewall Filters on page 179 Statement Hierarchy for Applying Interface-Specific Firewall Filters on page 180 Example: Configuring Interface-Specific Firewall Filter Counters on page 180 Statement Hierarchy for Configuring Interface-Specific Firewall Filters To enable interface-specific instances for stateless firewall filters. term term-name { from { match-conditions... Inc... 179 . Juniper Networks. interface-specific.. } } . firewall { family family-name { (filter filter-name | service-filter service-filter-name) { . . include the interface-specific statement in the filter filter-name or service-filter service-filter-name stanza. Any policers applied through an action specified in the firewall filter configuration are applied separately to each interface in the interface group. Any policers specified as actions in an interface-specific filter are applied per filter instance. } then { count counter-name.

} } } } } You can include the interface configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • • Interface-Specific Firewall Filter Instances Overview on page 177 Statement Hierarchy for Configuring Interface-Specific Firewall Filters on page 179 Example: Configuring Interface-Specific Firewall Filter Counters on page 180 Example: Configuring Interface-Specific Firewall Filter Counters This example shows how to configure and apply an interface-specific standard stateless firewall filter.4 Firewall Filter and Policer Configuration Guide Statement Hierarchy for Applying Interface-Specific Firewall Filters To apply an interface-specific stateless firewall filter to a logical interface. } service-filter { input service-filter-name-1.Junos OS 11. include the input filter-name or output filter-name statement in the filter or service-filter stanza of the interfaces configuration: interfaces { interface-name { unit unit-number { family family-name { filter { input filter-name-1. output filter-name-2. M320. No special configuration beyond device initialization is required before configuring this example. • • • • Requirements on page 180 Overview on page 181 Configuration on page 181 Verification on page 183 Requirements Interface-specific stateless firewall filters are supported on T Series. Inc. Juniper Networks. output service-filter-name-2. 180 Copyright © 2011. M120. . and MX Series routers only.

Create the IPv4 firewall filter filter_s_tcp. you create an interface-specific stateless firewall filter that counts and accepts packets with source or destination addresses in a specified prefix and the IP protocol type field set to a specific value. To configure this example. 181 .0-i and filter_s_tcp-so-2/2/2.0/12 set firewall family inet filter filter_s_tcp term 1 from protocol tcp set firewall family inet filter filter_s_tcp term 1 then count count_s_tcp set firewall family inet filter filter_s_tcp term 1 then accept set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp set interfaces so-2/2/2 unit 2 family inet filter filter_s_tcp Configure the Interface-Specific Firewall Filter Step-by-Step Procedure To configure the interface-specific firewall filter: 1.2 output Applying the filter to these two interfaces results in two instances of the filter: filter_s_tcp-at-1/1/1. Topology You configure the interface-specific stateless firewall filter filter_s_tcp to count and accept packets with IP source or destination addresses in the 10. Inc.0. remove any line breaks. copy the following commands into a text file.Chapter 5: Standard Firewall Filter Configuration Overview In this example.2-o. The name of the firewall filter counter is count_s_tcp.0/12 prefix and the IP protocol type field set to tcp (or the numeric value 6).0. perform the following tasks: • • • • Configure the Interface-Specific Firewall Filter on page 181 Apply the Interface-Specific Firewall Filter to Multiple Interfaces on page 182 Confirm Your Candidate Configuration on page 182 Clear the Counters and Commit Your Candidate Configuration on page 183 CLI Quick Configuration To quickly configure this example. For information about navigating the CLI.0. Juniper Networks. Configuration The following example requires you to navigate various levels in the configuration hierarchy. set firewall family inet filter filter_s_tcp interface-specific set firewall family inet filter filter_s_tcp term 1 from address 10. and then paste the commands into the CLI at the [edit] hierarchy level.0. You apply the firewall filter to multiple logical interfaces: • • at-1/1/1. see “Using the CLI Editor in Configuration Mode” on page 15. respectively. [edit] user@host# edit firewall family inet filter filter_s_tcp Copyright © 2011.0 input so-2/2/2.

Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. } protocol tcp. } } 182 Copyright © 2011.2: 1. Apply the interface-specific filter to packets transmitted from logical interface so-2/2/2.0.0/12 user@host# set term 1 from protocol tcp 4. [edit firewall family inet filter filter_s_tcp] user@host# set interface-specific 3. If the command output does not display the intended configuration. Configure the actions for the term.0/12. Configure the match conditions for the term. [edit] user@host# show firewall family inet { filter filter_s_tcp { interface-specific. term 1 { from { address { 10. accept. [edit firewall family inet filter filter_s_tcp] user@host# set term 1 then count count_s_tcp user@host# set term 1 then accept Apply the Interface-Specific Firewall Filter to Multiple Interfaces Step-by-Step Procedure To apply the filter filter_s_tcp to logical interfaces at-1/1/1.0. [edit firewall family inet filter filter_s_tcp] user@host# set term 1 from address 10. [edit] user@host# set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp 2. [edit] user@host# set interfaces so-2/2/2 unit 2 family inet filter filter_s_tcp Confirm Your Candidate Configuration Step-by-Step Procedure To confirm your candidate configuration: 1.0. Inc.2.Junos OS 11. Enable interface-specific instances of the filter.0. } then { count count_s_tcp.0 and so-2/2/2.4 Firewall Filter and Policer Configuration Guide 2. Juniper Networks. repeat the instructions in this example to correct the configuration. Apply the interface-specific filter to packets received on logical interface at-1/1/1. .0.

Chapter 5: Standard Firewall Filter Configuration } } 2. To clear only the counters used in this example. Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. [edit] user@host# commit Verification Confirm that the configuration is working properly. 183 . use the clear firewall all command to clear the statistics for all firewall filters. From operational command mode. Commit your candidate configuration. Juniper Networks. Copyright © 2011. [edit] user@host# show interfaces at-1/1/1 { unit 0 family inet { filter { input filter_s_tcp. Inc. include the interface-specific filter instance names: [edit] user@host> clear firewall filter filter_s_tcp-at-1/1/1. } } ] } so-2/2/2 { unit 2 family inet { filter { output filter_s_tcp.2-o 2. If the command output does not display the intended configuration. • • Verifying That the Filter Is Applied to Each of the Multiple Interfaces on page 183 Verifying That the Counters Are Collected Separately by Interface on page 184 Verifying That the Filter Is Applied to Each of the Multiple Interfaces Purpose Verify that the filter is applied to each of the multiple interfaces. repeat the instructions in this example to correct the configuration. } } } } Clear the Counters and Commit Your Candidate Configuration Step-by-Step Procedure To clear the counters and commit your candidate configuration: 1.0-i user@host> clear firewall filter filter_s_tcp-so-2/2/2.

1. MTU: 4470.. SNMP ifIndex: 502.. Enabled. Enabled.2-o. Route table: 0 Flags: Sendbcast-pkt-to-re Input Filters: filter_s_tcp-at-1/1/1. 2.2: user@host> show interfaces so-2/2/2 detail Physical interface: so-2/2/2. . Protocol inet.. user@host> show firewall filter filter_s_tcp Filter: filter_s_tcp Counters: Name Bytes count_s_tcp-at-1/1/1. Run the show firewall command. Physical link is Up Interface index: 129. Generation: 13. Logical interface at-1/1/1. Physical link is Up Interface index: 300.. Generation: 183 . Juniper Networks.. Logical interface so-2/2/2.. Verify that the filter is applied to the input for at-1/1/1.... SNMP ifIndex: 194. Verifying That the Counters Are Collected Separately by Interface Purpose Make sure that the count_s_tcp counters are collected separately for the two logical interfaces.4 Firewall Filter and Policer Configuration Guide Action Run the show interfaces command with the detail or extensive output level. Generation: 132 . Protocol inet.0-i. MTU: 4470.0 (Index 64) (SNMP ifIndex 204) (Generation 5) Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: ATM-SNAP . Generation: 146.2 (Index 70) (SNMP ifIndex 536) (Generation 135) Flags: Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP .0-i 420 count_s_tcp-so-2/2/2.. Inc....2-o 8888 Action Packets 5 101 Related Documentation • • • Interface-Specific Firewall Filter Instances Overview on page 177 Statement Hierarchy for Configuring Interface-Specific Firewall Filters on page 179 Statement Hierarchy for Applying Interface-Specific Firewall Filters on page 180 184 Copyright © 2011.. Verify that the filter is applied to the output for so-2/2/2.. Route table: 0 Flags: Sendbcast-pkt-to-re Output Filters: filter_s_tcp-so-2/2/2.0: user@host> show interfaces at-1/1/1 detail Physical interface: at-1/1/1..Junos OS 11.

Inc. Related Documentation • • Statement Hierarchy for Assigning Interfaces to Interface Groups on page 185 Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups on page 186 Example: Filtering Packets Received on an Interface Group on page 188 • Statement Hierarchy for Assigning Interfaces to Interface Groups To assign a logical interface to an interface group.Chapter 5: Standard Firewall Filter Configuration Filtering Packets Received on a Set of Interface Groups • • • Filtering Packets Received on a Set of Interface Groups Overview on page 185 Statement Hierarchy for Assigning Interfaces to Interface Groups on page 185 Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups on page 186 Statement Hierarchy for Applying Filters to an Interface Group on page 187 Example: Filtering Packets Received on an Interface Group on page 188 • • Filtering Packets Received on a Set of Interface Groups Overview You can configure a firewall filter term that matches packets tagged for a specified interface group or set of interface groups. For more information. NOTE: You can also configure a firewall filter term that matches on packets tagged for a specified interface set. Layer 2 circuit cross-connection (CCC). IPv6. Juniper Networks. 185 . you can filter packets received on an interface group for either IPv4 or IPv6 traffic. see “Filtering Packets Received on an Interface Set Overview” on page 192. For standard stateless firewall filters. Packets received on an interface in an interface group are tagged as being part of that group. An interface group consists of one or more logical interfaces with the same group number. virtual private LAN service ( VPLS). and Layer 2 bridging traffic. you can filter packets received on an interface group for IPv4. specify the group number by including the group interface-group-number statement in the filter stanza: interfaces { interface-name { unit unit-number { family ( inet | inet6 | vpls | ccc | bridge) { filter { group interface-group-number. } } } } } Copyright © 2011. For service filters.

Junos OS 11. } } 186 Copyright © 2011. You can configure the firewall filter at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • Filtering Packets Received on a Set of Interface Groups Overview on page 185 Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups on page 186 Example: Filtering Packets Received on an Interface Group on page 188 • Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups You can configure a standard stateless firewall filter or a service filter term that matches packets tagged for a specified interface group or set of interface groups. } } } } } To configure a service filter that matches packets tagged for a specified interface group or set of interface groups. configure a filter term that uses the interface-group interface-group-name match condition: firewall { family (inet | inet6) { service-filter filter-name { term term-name { from { interface-group interface-group-number. } then { service-filter-actions. configure a filter term that uses the interface-group interface-group-number match condition: firewall { family (inet | inet6 | vpls | ccc | bridge) { filter filter-name { term term-name { from { interface-group interface-group-number.4 Firewall Filter and Policer Configuration Guide NOTE: The number 0 is not a valid number for an interface group. . To configure a standard stateless firewall filter that matches packets tagged for a specified interface group or set of interface groups. Juniper Networks. } then { filter-actions. Inc.

Juniper Networks. } } } } } You can include the interface configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • • Interface-Specific Firewall Filter Instances Overview on page 177 Statement Hierarchy for Assigning Interfaces to Interface Groups on page 185 Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups on page 186 Example: Filtering Packets Received on an Interface Group on page 188 • Copyright © 2011. output filter-name.Chapter 5: Standard Firewall Filter Configuration } } } You can configure the firewall filter at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • • Filtering Packets Received on a Set of Interface Groups Overview on page 185 Statement Hierarchy for Assigning Interfaces to Interface Groups on page 185 Example: Filtering Packets Received on an Interface Group on page 188 Statement Hierarchy for Applying Filters to an Interface Group To apply a standard stateless firewall filter to an interface group.. include the input filter-name or output filter-name in the filter stanza: interfaces { interface-name { unit unit-number { family family-name { . 187 . Inc. filter { input filter-name..

and contain a TCP source or destination port of a specific type and port number. By applying this firewall filter to only one of the two interfaces in the interface group.168. For information about navigating the CLI. The filter counts. logs. set firewall family inet filter filter_if_group term term1 from interface-group 1 188 Copyright © 2011. and received from or destined for TCP port number 79. You configure the firewall filter filter_if_group to accept only packets from interface group 1. . Overview In this example. • • • • Configure the Stateless Firewall Filter on page 189 Assign Interfaces to the Interface Group on page 189 Apply the Firewall Filter to the Loopback Interface on page 190 Confirm and Commit Your Candidate Configuration on page 190 CLI Quick Configuration To quickly configure this example. and rejects packets that match this criteria.0 and the loopback port lo0. you can apply the filtering mechanism to all packets input to the two interfaces. remove any line breaks. The filter counts. You also configure a stateless firewall filter that matches packets that have been tagged as received on that interface group. logs.Junos OS 11. contain a source or destination address within a particular prefix. Configuration The following example requires you to navigate various levels in the configuration hierarchy. you configure two router interfaces to belong to the interface group. received from or destined for IP addresses in the 192. Inc. and rejects all other packets. Topology You configure the interface group number 1 to consist of the management port fxp0.80. You apply the firewall filter filter_if_group to the router’s loopback interface. see “Using the CLI Editor in Configuration Mode” on page 15.0. • • • • Requirements on page 188 Overview on page 188 Configuration on page 188 Verification on page 191 Requirements No special configuration beyond device initialization is required before configuring this example. and then paste the commands into the CLI at the [edit] hierarchy level. Juniper Networks.114/32 prefix. copy the following commands into a text file.4 Firewall Filter and Policer Configuration Guide Example: Filtering Packets Received on an Interface Group This example shows how to configure a standard stateless firewall filter to match packets tagged for a particular interface group.

Configure the term term2 to count. Juniper Networks. and reject matching packets.114/32 user@host# set term term1 from protocol tcp user@host# set term term1 from port finger 3. Configure term term1 to match packets received on interface group 1. 189 .114/32 prefix.168.1/32 set interfaces lo0 unit 0 family inet address 192. with the source or destination address field in the 192. [edit firewall family inet filter filter_if_group] user@host# set term term2 then count if_group_counter2 user@host# set term term2 then log user@host# set term term2 then accept Assign Interfaces to the Interface Group Step-by-Step Procedure To assign logical interfaces to the interface group number 1 referenced by the firewall filter match term term1: 1.168.80.0.80.0.77. Create the stateless firewall filter filter_if_group.114/32 set firewall family inet filter filter_if_group term term1 from protocol tcp set firewall family inet filter filter_if_group term term1 from port finger set firewall family inet filter filter_if_group term term1 then count if_group_counter1 set firewall family inet filter filter_if_group term term1 then log set firewall family inet filter filter_if_group term term1 then reject set firewall family inet filter filter_if_group term term2 then count if_group_counter2 set firewall family inet filter filter_if_group term term2 then log set firewall family inet filter filter_if_group term term2 then accept set interfaces fxp0 unit 0 family inet filter group 1 set interfaces fxp0 unit 0 family inet address 192.Chapter 5: Standard Firewall Filter Configuration set firewall family inet filter filter_if_group term term1 from address 192.168.168. and accept all other packets. log. and with the TCP source or destination port number 79. Assign the management port to interface group number 1. [edit firewall family inet filter filter_if_group] user@host# set term term1 from interface-group 1 user@host# set term term1 from address 192.1/32 set interfaces lo0 unit 0 family inet filter input filter_if_group Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter filter_if_group: 1. [edit] user@host# edit firewall family inet filter filter_if_group 2. Configure term term1 to count.5. [edit firewall family inet filter filter_if_group] user@host# set term term1 then count if_group_counter1 user@host# set term term1 then log user@host# set term term1 then reject 4. [edit] user@host# set interfaces fxp0 unit 0 family inet filter group 1 Copyright © 2011.38/24 set interfaces lo0 unit 0 family inet filter group 1 set interfaces lo0 unit 0 family inet address 10.168. Inc.80. log.

port finger. [edit] user@host# set interfaces lo0 unit 0 family inet filter group 1 user@host# set interfaces lo0 unit 0 family inet address 10. } then { count if_group_counter1. } } term term2 { then { count if_group_counter2.114/32. If the command output does not display the intended configuration.5.168. repeat the instructions in this example to correct the configuration. Assign a second logical interface to interface group number 1. .77.1/32 user@host# set interfaces lo0 unit 0 family inet address 192. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command.0. [edit] user@host# show firewall family inet { filter filter_if_group { term term1 { from { interface-group 1.168. } } } } 190 Copyright © 2011.Junos OS 11. address { 192.0.1/32 Apply the Firewall Filter to the Loopback Interface Step-by-Step Procedure • To apply the firewall filter to the router’s loopback interface: [edit] user@host# set interfaces lo0 unit 0 family inet filter input filter_if_group Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1.4 Firewall Filter and Policer Configuration Guide user@host# set interfaces fxp0 unit 0 family inet address 192. log. reject.38/24 2. } protocol tcp.80. accept. log. Inc. Juniper Networks.168.

enter the show firewall log operational mode command. } } } 3.1/32. enter the show firewall filter filter_if_group operational mode command: user@host> show firewall filter filter_if_group Filter: filter_if_group Counters: Name if_group_counter1 if_group_counter2 Bytes 0 6452105 Packets 0 82667 To display the local log of packet headers for packets evaluated by the firewall filter. If the command output does not display the intended configuration. If you are done configuring the device. [edit] user@host# commit Verification To display the firewall filter counters. repeat the instructions in this example to correct the configuration.Chapter 5: Standard Firewall Filter Configuration 2. group 1. } address 192.0.168. address 192.168. Inc. } address 10. Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. 191 .1/32. Related Documentation • • • Filtering Packets Received on a Set of Interface Groups Overview on page 185 Statement Hierarchy for Assigning Interfaces to Interface Groups on page 185 Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups on page 186 Copyright © 2011. } } } lo0 { unit 0 { family inet { filter { input filter_if_group.77. [edit] user@host# show interfaces fxp0 { unit 0 { family inet { filter { group 1.5. Juniper Networks.38/24. commit your candidate configuration.0.

You can filter packets received on an interface set for protocol-independent. MPLS. An interface set groups two or more physical or logical interfaces into a single interface-set name. see “Filtering Packets Received on a Set of Interface Groups Overview” on page 185. Juniper Networks. Related Documentation • • • • Statement Hierarchy for Defining an Interface Set on page 192 Statement Hierarchy for Configuring a Filter to Match on an Interface Set on page 193 Example: Configuring a Rate-Limiting Filter Based on Destination Class on page 158 Example: Filtering Packets Received on an Interface Set on page 193 Statement Hierarchy for Defining an Interface Set To configure a named group of interfaces that can be referenced in a stateless firewall filter match condition.Junos OS 11. IPv6. 192 Copyright © 2011. use the interface-set statement to define the interface-set name and two or more interfaces: firewall { interface-set interface-set-name { interface-name. For more information. NOTE: You can also configure a standard stateless firewall filter term or a service filter term that matches on packets tagged for a specified interface group. or bridging traffic. Inc. . } } You can include the statements at one of the following hierarchy levels: • • [edit firewall] [edit logical-systems logical-system-name firewall] To specify that the interface set contains all interfaces of a particular type. For example.4 Firewall Filter and Policer Configuration Guide Filtering Packets Received on an Interface Set • • • • Filtering Packets Received on an Interface Set Overview on page 192 Statement Hierarchy for Defining an Interface Set on page 192 Statement Hierarchy for Configuring a Filter to Match on an Interface Set on page 193 Example: Filtering Packets Received on an Interface Set on page 193 Filtering Packets Received on an Interface Set Overview You can configure a standard stateless firewall filter term that matches packets tagged for a specified interface set. IPv4. VPLS. use fe-* to specify all Fast Ethernet interfaces. you can use the ’*’ (asterisk) wildcard character.

Chapter 5: Standard Firewall Filter Configuration

Related Documentation

• • • •

Filtering Packets Received on an Interface Set Overview on page 192 Statement Hierarchy for Configuring a Filter to Match on an Interface Set on page 193 Example: Configuring a Rate-Limiting Filter Based on Destination Class on page 158 Example: Filtering Packets Received on an Interface Set on page 193

Statement Hierarchy for Configuring a Filter to Match on an Interface Set
To configure a standard stateless firewall filter that matches packets tagged for a specified interface group or set of interface groups, configure a filter term that uses the interface-group interface-group-name match condition:
firewall { family (any | inet | inet6 | mpls | vpls | bridge) { filter filter-name { term term-name { from { interface-set interface-set-name; } then { filter-actions; } } } } }

Related Documentation

• • • •

Filtering Packets Received on an Interface Set Overview on page 192 Statement Hierarchy for Defining an Interface Set on page 192 Example: Configuring a Rate-Limiting Filter Based on Destination Class on page 158 Example: Filtering Packets Received on an Interface Set on page 193

Example: Filtering Packets Received on an Interface Set
This example shows how to configure a standard stateless firewall filter to match packets tagged for a particular interface set.
• • • •

Requirements on page 193 Overview on page 194 Configuration on page 194 Verification on page 199

Requirements
No special configuration beyond device initialization is required before configuring this example.

Copyright © 2011, Juniper Networks, Inc.

193

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Overview
In this example, you apply a stateless firewall filter to the input of the router loopback interface. The firewall filter includes a term that matches packets tagged for a particular interface set. Topology You create the firewall filter L2_filter to apply rate limits to the protocol-independent traffic received on the following interfaces:
• • •

fe-0/0/0.0 fe-1/0/0.0 fe-1/1/0.0

First, for protocol-independent traffic received on fe-0/0/0.0, the firewall filter term t1 applies policer p1. For protocol-independent traffic received on any other Fast Ethernet interfaces, firewall filter term t2 applies policer p2. To define an interface set that consists of all Fast Ethernet interfaces, you include the interface-set interface-set-name interface-name statement at the [edit firewall] hierarchy level. To define a packet-matching criteria based on the interface on which a packet arrives to a specified interface set, you configure a term that uses the interface-set firewall filter match condition. Finally, for any other protocol-independent traffic, firewall filter term t3 applies policer p3.

Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see “Using the CLI Editor in Configuration Mode” on page 15. To configure this example, perform the following tasks:

Configuring the Interfaces for Which the Stateless Firewall Filter Terms Take Rate-Limiting Actions on page 195 Configuring the Stateless Firewall Filter That Rate-Limits Protocol-Independent Traffic Based on the Interfaces on Which Packets Arrive on page 196 Applying the Stateless Firewall Filter to the Routing Engine Input Interface on page 198

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set interfaces fe-0/0/0 unit 0 family inet address 10.1.1.1/30 set interfaces fe-1/0/0 unit 0 family inet address 10.2.2.1/30 set interfaces fe-1/1/0 unit 0 family inet address 10.4.4.1/30 set firewall policer p1 if-exceeding bandwidth-limit 5m set firewall policer p1 if-exceeding burst-size-limit 10m set firewall policer p1 then discard

194

Copyright © 2011, Juniper Networks, Inc.

Chapter 5: Standard Firewall Filter Configuration

set firewall policer p2 if-exceeding bandwidth-limit 40m set firewall policer p2 if-exceeding burst-size-limit 100m set firewall policer p2 then discard set firewall policer p3 if-exceeding bandwidth-limit 600m set firewall policer p3 if-exceeding burst-size-limit 1g set firewall policer p3 then discard set firewall interface-set ifset fe-* set firewall family any filter L2_filter term t1 from interface fe-0/0/0.0 set firewall family any filter L2_filter term t1 then count c1 set firewall family any filter L2_filter term t1 then policer p1 set firewall family any filter L2_filter term t2 from interface-set ifset set firewall family any filter L2_filter term t2 then count c2 set firewall family any filter L2_filter term t2 then policer p2 set firewall family any filter L2_filter term t3 then count c3 set firewall family any filter L2_filter term t3 then policer p3 set interfaces lo0 unit 0 family inet address 1.1.1.157/30 set interfaces lo0 unit 0 filter input L2_filter

Configuring the Interfaces for Which the Stateless Firewall Filter Terms Take Rate-Limiting Actions Step-by-Step Procedure To configure the interfaces for which the stateless firewall filter terms take rate-limiting actions:
1.

Configure the logical interface whose input traffic will be matched by the first term of the firewall filter.
[edit] user@host# set interfaces fe-0/0/0 unit 0 family inet address 10.1.1.1/30

2.

Configure the logical interfaces whose input traffic will be matched by the second term of the firewall filter.
[edit ] user@host# set interfaces fe-1/0/0 unit 0 family inet address 10.2.2.1/30 user@host# set interfaces fe-1/1/0 unit 0 family inet address 10.4.4.1/30

3.

If you are done configuring the device, commit the configuration.
[edit] user@host# commit

Results

Confirm the configuration of the router transit interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit] user@host# show interfaces fe-0/0/0 { unit 0 { family inet { address 10.1.1.1/30; } } } fe-1/0/0 { unit 0 {

Copyright © 2011, Juniper Networks, Inc.

195

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

family inet { address 10.2.2.1/30; } } } fe-1/1/0 { unit 0 { family inet { address 10.4.4.1/30; } } }

Configuring the Stateless Firewall Filter That Rate-Limits Protocol-Independent Traffic Based on the Interfaces on Which Packets Arrive Step-by-Step Procedure To configure the standard stateless firewall L2_filter that uses policers (p1, p2, and p3) to rate-limit protocol-independent traffic based on the interfaces on which the packets arrive:
1.

Configure the firewall statements.
[edit] user@host# edit firewall

2.

Configure the policer p1 to discard traffic that exceeds a traffic rate of 5m bps or a burst size of 10m bytes.
[edit firewall] user@host# set policer p1 if-exceeding bandwidth-limit 5m user@host# set policer p1 if-exceeding burst-size-limit 10m user@host# set policer p1 then discard

3.

Configure the policer p2 to discard traffic that exceeds a traffic rate of 40m bps or a burst size of 100m bytes .
[edit firewall] user@host# set policer p2 if-exceeding bandwidth-limit 40m user@host# set policer p2 if-exceeding burst-size-limit 100m user@host# set policer p2 then discard

4.

Configure the policer p3 to discard traffic that exceeds a traffic rate of 600m bps or a burst size of 1g bytes.
[edit firewall] user@host# set policer p3 if-exceeding bandwidth-limit 600m user@host# set policer p3 if-exceeding burst-size-limit 1g user@host# set policer p3 then discard

5.

Define the interface set ifset to be the group of all Fast Ethernet interfaces on the router.
[edit firewall] user@host# set interface-set ifset fe-*

6.

Create the stateless firewall filter L2_filter.
[edit firewall] user@host# edit family any filter L2_filter

196

Copyright © 2011, Juniper Networks, Inc.

Chapter 5: Standard Firewall Filter Configuration

7.

Configure filter term t1 to match IPv4, IPv6, or MPLS packets received on interface fe-0/0/0.0 and use policer p1 to rate-limit that traffic.
[edit firewall family any filter L2_filter] user@host# set term t1 from interface fe-0/0/0.0 user@host# set term t1 then count c1 user@host# set term t1 then policer p1

8.

Configure filter term t2 to match packets received on interface-set ifset and use policer p2 to rate-limit that traffic.
[edit firewall family any filter L2_filter] user@host# set term t2 from interface-set ifset user@host# set term t2 then count c2 user@host# set term t2 then policer p2

9.

Configure filter term t3 to use policer p3 to rate-limit all other traffic.
[edit firewall family any filter L2_filter] user@host# set term t3 then count c3 user@host# set term t3 then policer p3

10.

If you are done configuring the device, commit the configuration.
[edit] user@host# commit

Results

Confirm the configuration of the stateless firewall filter and the policers referenced as firewall filter actions by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit] user@host# show firewall family any { filter L2_filter { term t1 { from { interface fe-0/0/0.0; } then { policer p1; count c1; } } term t2 { from { interface-set ifset; } then { policer p2; count c2; } } term t3 { then { policer p3;

Copyright © 2011, Juniper Networks, Inc.

197

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

count c3; } } } } policer p1 { if-exceeding { bandwidth-limit 5m; burst-size-limit 10m; } then discard; } policer p2 { if-exceeding { bandwidth-limit 40m; burst-size-limit 100m; } then discard; } policer p3 { if-exceeding { bandwidth-limit 600m; burst-size-limit 1g; } then discard; } interface-set ifset { fe-*; }

Applying the Stateless Firewall Filter to the Routing Engine Input Interface Step-by-Step Procedure To apply the stateless firewall filter to the Routing Engine input interface:
1.

Apply the stateless firewall filter to the Routing Engine interface in the input direction.
[edit] user@host# set interfaces lo0 unit 0 family inet address 1.1.1.157/30 user@host# set interfaces lo0 unit 0 filter input L2_filter

2.

If you are done configuring the device, commit the configuration.
[edit] user@host# commit

Results

Confirm the application of the firewall filter to the Routing Engine input interface by entering the show interfaces command again. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
user@host# show interfaces fe-0/0/0 { ... } fe-1/0/0 { ...

198

Copyright © 2011, Juniper Networks, Inc.

Chapter 5: Standard Firewall Filter Configuration

} fe-1/1/0 { ... } lo0 { unit 0 { filter { input L2_filter; } family inet { address 1.1.1.157/30; } } }

Verification
To confirm that the configuration is working properly, use the show firewall filter L2_filter operational mode command to monitor traffic statistics about the firewall filter and three counters. Related Documentation
• • • •

Understanding How to Use Standard Firewall Filters on page 29 Filtering Packets Received on an Interface Set Overview on page 192 Statement Hierarchy for Defining an Interface Set on page 192 Statement Hierarchy for Configuring a Filter to Match on an Interface Set on page 193

Filter-Based Forwarding
• • • • • •

Filter-Based Forwarding Overview on page 199 Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic on page 201 Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic on page 201 Statement Hierarchy for Configuring Routing Instances for FBF on page 204 Statement Hierarchy for Applying FBF Filters to Interfaces on page 205 Example: Configuring Filter-Based Forwarding on the Source Address on page 206

Filter-Based Forwarding Overview
• • • •

Filters That Classify Packets or Direct Them to Routing Instances on page 199 Input Filtering to Classify and Forward Packets Within the Router on page 200 Output Filtering to Forward Packets to Another Routing Table on page 200 Restrictions for Applying Filter-Based Forwarding on page 200

Filters That Classify Packets or Direct Them to Routing Instances
For IPv4, IPv6, or MPLS-tagged IPv4 traffic only, you can use stateless firewall filters in conjunction with forwarding classes and routing instances to control how packets travel in a network. This is called filter-based forwarding (FBF).

Copyright © 2011, Juniper Networks, Inc.

199

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

You can define a filtering term that matches incoming packets based on source address and then classifies matching packets to a specified forwarding class. This type of filtering can be configured to grant certain types of traffic preferential treatment or to improve load balancing. To configure a stateless firewall filter to classify packets to a forwarding class, configure a term with the nonterminating action forwarding-class class-name. You can also define a filtering term that directs matching packets to a specified routing instance. This type of filtering can be configured to route specific types of traffic through a firewall or other security device before the traffic continues on its path. To configure a stateless firewall filter to direct traffic to a routing instance, configure a term with the terminating action routing-instance routing-instance-name <topology topology-name> to specify the routing instance to which matching packets will be forwarded.

Input Filtering to Classify and Forward Packets Within the Router
You can configure filters to classify packets based on source address and specify the forwarding path the packets take within the router by configuring a filter on the ingress interface. For example, you can use this filter for applications to differentiate traffic from two clients that have a common access layer (for example, a Layer 2 switch) but are connected to different Internet service providers (ISPs). When the filter is applied, the router can differentiate the two traffic streams and direct each to the appropriate network. Depending on the media type the client is using, the filter can use the source IP address to forward the traffic to the corresponding network through a tunnel. You can also configure filters to classify packets based on IP protocol type or IP precedence bits.

Output Filtering to Forward Packets to Another Routing Table
You can also forward packets based on output filters by configuring a filter on the egress interfaces. In the case of port mirroring, it is useful for port-mirrored packets to be distributed to multiple monitoring PICs and collection PICs based on patterns in packet headers. FBF on the port-mirroring egress interface must be configured. Packets forwarded to the output filter have been through at least one route lookup when an FBF filter is configured on the egress interface. After the packet is classified at the egress interface by the FBF filter, it is redirected to another routing table for further route lookup.

Restrictions for Applying Filter-Based Forwarding
An interface configured with filter-based forwarding does not support source-class usage (SCU) filter matching and unicast reverse-path forwarding (RPF) check filters. Related Documentation
• • • • •

Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic on page 201 Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic on page 201 Statement Hierarchy for Configuring Routing Instances for FBF on page 204 Statement Hierarchy for Applying FBF Filters to Interfaces on page 205 Example: Configuring Filter-Based Forwarding on the Source Address on page 206

200

Copyright © 2011, Juniper Networks, Inc.

Chapter 5: Standard Firewall Filter Configuration

Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic
You can configure stateless firewall filters for filter-based forwarding by configuring filter terms that specify the forwarding-class class-name nonterminating action or the routing-instance routing-instance-name terminating action:
firewall { family (inet | inet6) { filter filter-name { term term-name { from { ipv4-or-ipv6-match-conditions; } then { forwarding-class class-name; #optional other-optional-nonterminating-actions; routing-instance routing-instance-name <topology topology-name>; } } } } }

You can include the firewall configuration at one of the following hierarchy levels:
• •

[edit] [edit logical-systems logical-system-name]

Related Documentation

• • • • •

Filter-Based Forwarding Overview on page 199 Standard Firewall Filter Match Conditions for IPv4 Traffic on page 48 Standard Firewall Filter Match Conditions for IPv6 Traffic on page 57 Statement Hierarchy for Configuring Routing Instances for FBF on page 204 Example: Configuring Filter-Based Forwarding on the Source Address on page 206

Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic
For interfaces on Enhanced Scaling flexible PIC concentrators (FPCs) on supported T Series routers only, you can configure stateless firewall filters for filter-based forwarding with match conditions based on Internet Protocol version 4 (IPv4) packet header fields in an MPLS flow:
• • •

Matching on IPv4 Address Fields on page 202 Matching on TCP Port Number Fields on page 202 Matching on UDP Port Number Fields on page 203

Copyright © 2011, Juniper Networks, Inc.

201

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Matching on IPv4 Address Fields
To configure a firewall filter term that matches on IP source or destination address fields in the IPv4 header of packets in an MPLS flow, you can specify supported match conditions at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4] hierarchy level:
[edit] firewall { family mpls { filter filter-name { term term-name { from { ip-protocol ipv4 ( from { address-based-match-conditions; } then { forwarding-class class-name; #optional other-optional-nonterminating-actions; routing-instance routing-instance-name <topology topology-name>; } } } then { ... } } } } }

Matching on TCP Port Number Fields
To configure a firewall filter term that matches on TCP source or destination port number fields in the IPv4 header of packets in an MPLS flow, you can specify supported match conditions at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol tcp] hierarchy level:
[edit] firewall { family mpls { filter filter-name { term term-name { from { ip-protocol ipv4 ( tcp { from { tcp-port-based-match-conditions; } then { forwarding-class class-name; #optional other-optional-nonterminating-actions; routing-instance routing-instance-name <topology topology-name>; } ]

202

Copyright © 2011, Juniper Networks, Inc.

} then { forwarding-class class-name. #optional other-optional-nonterminating-actions. } } } } Copyright © 2011. Inc. 203 . } } } } } Matching on UDP Port Number Fields To configure a firewall filter term that matches on UDP source or destination port number fields in the IPv4 header of packets in an MPLS flow. routing-instance routing-instance-name <topology topology-name>. #optional other-optional-nonterminating-actions. you can specify supported match conditions at the [edit firewall family mpls filter filter-name term term-name from ip-version ipv4 protocol udp] hierarchy level: [edit] firewall { family mpls { filter filter-name { term term-name { from { ip-protocol ipv4 ( udp { from { udp-port-based-match-conditions. Juniper Networks. routing-instance routing-instance-name <topology topology-name>. #optional other-optional-nonterminating-actions.. } then { forwarding-class class-name.. } } } } then { . } ] udp { from { udp-port-based-match-conditions. routing-instance routing-instance-name <topology topology-name>.Chapter 5: Standard Firewall Filter Configuration udp { from { udp-port-based-match-conditions. } then { forwarding-class class-name.

see the Junos OS Routing Protocols Configuration Guide. Juniper Networks. NOTE: In Junos OS Release 9. The instance-type must be forwarding. interfaces.0. } } } } } Related Documentation • • • • Filter-Based Forwarding Overview on page 199 Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic on page 64 Statement Hierarchy for Configuring Routing Instances for FBF on page 204 Example: Configuring Filter-Based Forwarding on the Source Address on page 206 Statement Hierarchy for Configuring Routing Instances for FBF A routing instance is a collection of routing tables. 2. 204 Copyright © 2011.. and routing protocol parameters. You must also create a routing table group that adds interface routes to the following routing instances: • • Routing instance named in the action Default routing table inet.. The set of interfaces belongs to the routing tables. Inc.Junos OS 11. All interfaces belong to the default instance inet. For this instance type. there is no one-to-one mapping between an interface and a routing instance. The name of the routing instance name must be the one referenced in the firewall filter action.0 and later.0 You create a routing table group to resolve the routes installed in the routing instance to directly connected next hops on that interface.4 Firewall Filter and Policer Configuration Guide then { . routing-instances { routing-table-name { instance-type forwarding. For more information on routing table groups and interface routes. you can no longer specify a routing-instance name of default or include special characters within the name of a routing instance. To configure a routing instance for filter-based forwarding: 1. . and the routing protocol parameters control the information in the routing tables. routing-options { static { route destination-prefix nexthop address. where interfaces are not associated with instances. The forwarding routing instance type supports filter-based forwarding.

include the input or output statement in the filter stanza. Inc. interfaces { interface-name { unit unit-number { family (inet | inet6 | mpls) { filter { input filter-name. Juniper Networks. } } } } You can include the interfaces configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • • • Filter-Based Forwarding Overview on page 199 Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic on page 201 Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic on page 201 Statement Hierarchy for Configuring Routing Instances for FBF on page 204 Copyright © 2011. output filter-name. NOTE: An interface configured with filter-based forwarding does not support source-class usage (SCU) filter matching and unicast reverse-path forwarding (RPF) check filters. 205 .Chapter 5: Standard Firewall Filter Configuration } } } } You can include the forwarding routing instance at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • • • Filter-Based Forwarding Overview on page 199 Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic on page 201 Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic on page 201 Example: Configuring Filter-Based Forwarding on the Source Address on page 206 Statement Hierarchy for Applying FBF Filters to Interfaces To apply filter-based forwarding to a logical interface. } address address.

For information about navigating the CLI. The router interface to the source application server is ge-0/0/0. The router matches this flow of data packets using a firewall filter based on the packet IP source address.1/32 and directs matching packets to the routing instance ri_fbf.3.0. Topology The source application server is at host IP address 10.Junos OS 11.0 to the destination application server:.1.1. see “Using the CLI Editor in Configuration Mode” on page 15. Inc.0.1/24.0 to the security device and the interface ge-0/0/3.0. The routing instance ri_fbf routing table ri_fbf. The firewall filter filter_fbf matches packets on the source IP address 1. • • • • Requirements on page 206 Overview on page 206 Configuration on page 206 Verification on page 209 Requirements No special configuration beyond device initialization is required before configuring this example.1. perform the following tasks: • • Configure the Routing Instance on page 207 Configure the Stateless Firewall Filter on page 207 206 Copyright © 2011.1/24. and the destination application server is at host IP address 10.4 Firewall Filter and Policer Configuration Guide • Example: Configuring Filter-Based Forwarding on the Source Address on page 206 Example: Configuring Filter-Based Forwarding on the Source Address This example shows how to configure filter-based forwarding (FBF). Configuration The following example requires you to navigate various levels in the configuration hierarchy. . Overview In this example. To configure this example. the router receives IPv4 traffic from one application server that is destined for a different application server. Any matching packets are routed to a routing instance that first sends all traffic to a security device.1. then forwards the traffic to the designated destination address. Juniper Networks.inet0 is configured with the interface ge-0/0/1. and the router interface to the destination application server is ge-0/0/3.

0.34. Inc. [edit] user@host# set firewall family inet filter filter_fbf term t1 from protocol tcp 2.0 3. All interfaces belong to the default instance inet.0 set routing-instances ri_fbf routing-options static route 12. Set the firewall filter to match the correct source address.1.Chapter 5: Standard Firewall Filter Configuration • Configure the Interfaces to the Application Servers and Apply the Stateless Firewall Filter on page 208 Confirm and Commit Your Candidate Configuration on page 208 • CLI Quick Configuration To quickly configure this example.0 set routing-instances ri_fbf interface ge-0/0/3. Associate the interfaces with the routing instance.1/32 set firewall family inet filter filter_fbf term t1 then routing-instance ri_fbf set interfaces ge-0/0/0 unit 0 family inet filter input filter_fbf Configure the Routing Instance Step-by-Step Procedure To configure the routing instance: 1. The forwarding routing instance type supports filter-based forwarding.1/32 Copyright © 2011.1/24 set interfaces ge-0/0/3 unit 0 family inet address 10.254 Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter: 1. Create the firewall filter. Configure the routing information for the routing instance.56.1. and then paste the commands into the CLI at the [edit] hierarchy level. set interfaces ge-0/0/0 unit 0 family inet address 10.254 set firewall family inet filter filter_fbf term t1 from protocol tcp set firewall family inet filter filter_fbf term t1 from source-address 1.3.1.0/24 next-hop 10. [edit] user@host# set routing-instances ri_fbf routing-options static route 12. Juniper Networks.1. there is no one-to-one mapping between an interface and a routing instance.1. 207 .0 user@host# set routing-instances ri_fbf interface ge-0/0/3.1.0. For this instance type. remove any line breaks.1/24 set routing-instances ri_fbf instance-type forwarding set routing-instances ri_fbf interface ge-0/0/1. copy the following configuration commands into a text file.1.3.0/24 next-hop 10. where interfaces are not associated with instances.1.56. [edit] user@host# set routing-instances ri_fbf instance-type forwarding 2.34. Create the routing instance. [edit] user@host# set firewall family inet filter filter_fbf term t1 from source-address 1.3. [edit] user@host# set routing-instances ri_fbf interface ge-0/0/1.

interface ge-0/0/1.1/24 2.3.3. repeat the instructions in this example to correct the configuration.1.Junos OS 11.0.0.0. Configure the interface to the source application server. Confirm the configuration of the routing instance by entering the show routing-instances configuration mode command. } } } 2. If the command output does not display the intended configuration. interface ge-0/0/3. Set the firewall filter to forward packets to the routing instance. Apply the stateless firewall filter to the input from the source application server. . Inc. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. [edit] user@host# set interfaces ge-0/0/0 unit 0 family inet filter input filter_fbf Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. [edit] user@host# show firewall family inet { filter filter_fbf { term t1 { 208 Copyright © 2011.0/24 next-hop 10.254.4 Firewall Filter and Policer Configuration Guide 3. repeat the instructions in this example to correct the configuration. Juniper Networks. [edit] user@host# show routing-instances ri_fbf { instance-type forwarding.1.56. [edit] user@host# set firewall family inet filter filter_fbf term t1 then routing-instance ri_fbf Configure the Interfaces to the Application Servers and Apply the Stateless Firewall Filter Step-by-Step Procedure To configure the interfaces to the application servers and apply the stateless firewall filter to the interface to the source application server: 1. [edit] user@host# set interfaces ge-0/0/0 unit 0 family inet address 10. Configure the interface to the destination application server. If the command output does not display the intended configuration.1/24 3.1.34. routing-options { static { route 12. [edit] user@host# set interfaces ge-0/0/3 unit 0 family inet address 10.

0 Admin Link Proto Input Filter up down inet filter_fbf Output Filter Copyright © 2011.1. } } } Verification Confirm that the configuration is working properly.Chapter 5: Standard Firewall Filter Configuration from { source-address { 1. Juniper Networks. Action Use the show interfaces filters command to display firewall filter information for the interface to the source application server. } address 10. Confirm the configuration of the interface by entering the show interfaces configuration mode command. Verifying That Filter-Based Forwarding Is Configured Purpose Verify that the firewall filter is enabled on the interface to the source application server and that the router forwarding table and the routing instance forwarding table contain the correct information. If the command output does not display the intended configuration. } protocol tcp. user@host> show interfaces filters ge-0/0/0.1/32.1/24. To perform the verification: 1.1. 209 . } } } ge-0/0/3 { unit 0 { family inet { address 10.0 Interface ge-0/0/0.1. Inc.0.1/24. } then { routing-instance ri_fbf.1.3. [edit] user@host# show interfaces ge-0/0/0 { unit 0 { family inet { filter { input filter_fbf. } } } } 3. repeat the instructions in this example to correct the configuration.

0/32 perm 0 10.0 10.255 10.0/32 iddn 0 10.iso ISO: Destination Type RtRef Next hop default perm 0 Routing table: ri_fbf.0.0 10.1.1.1/32 intf 0 10.1/32 intf 0 10.255.1.0.0.1.1.255/32 iddn 0 ge-0/0/0.0.0 10.0/32 perm 0 10.3.1.255/32 iddn 0 ge-0/0/3.1.1/32 user 0 10.0 10.1/32 user 0 10.1.0. .0.1.63/32 iddn 0 255.1. Juniper Networks.1.1/32 iddn 0 10.1.1 10.1.1 Routing table: default.1.1 10.0.1.0.1.1.0 10.63 Next hop Type Index NhRef Netif rjct 559 2 dscd 545 1 rslv 617 1 recv rjct locl locl bcst mdsc mcst bcst 615 559 616 616 614 546 529 543 1 2 2 2 1 1 1 1 10.1.1 10. Use the show route forwarding-table command to verify the contents of the router forwarding table and the routing instance forwarding table.1.0.0.3.1 10.1/32 iddn 0 10.0/32 iddn 0 ge-0/0/3.1.255/32 perm 0 Next hop 0:12:f2:21:cf:0 Type Index NhRef Netif ucst 331 4 me0.255.3.1.0.0/32 iddn 0 ge-0/0/0.0.3.1.255/32 perm 0 Routing table: ri_fbf.1.3. user@host> show route forwarding-table Routing table: default.1. Inc.3.0/24 ifdn 0 ge-0/0/0.0. 210 Copyright © 2011.1.1.0.1.0 rjct 36 3 dscd 34 1 rslv 613 1 recv rjct locl locl bcst rslv recv rjct locl locl bcst bcst 611 36 612 612 610 583 581 36 582 582 580 32 1 3 2 2 1 1 vlan.255 224.1/32 user 0 10.255.0.0/26 ifdn 0 10.1 10.1.0.0.0 3 2 2 1 vlan.1.0 1 vlan.1.1.1.iso ISO: Destination Type RtRef Next hop default perm 0 Type Index NhRef Netif rjct 60 1 Type Index NhRef Netif rjct 600 1 Meaning The output indicates that the filter was created on the interface and that the routing instance is forwarding matching traffic to the correct IP address.1.0 224.0 1 10.inet Internet: Destination Type RtRef default user 1 default perm 0 0.1.1.0.3.1.1/32 iddn 0 10.inet Internet: Destination Type RtRef default perm 0 0.1.1.1 10.3.0 10.0.1.Junos OS 11.1/32 perm 0 255.3.0.0/4 perm 0 224.4 Firewall Filter and Policer Configuration Guide 2.0 10.0/24 ifdn 0 ge-0/0/3.0 10.1/32 intf 0 10.3.255.1.

it causes an error. Juniper Networks. and the number of bytes per file. You can set up one or more accounting profiles that specify some common characteristics of this data. Number of files that the routing platform retains before discarding. include the filter-profile filter-profile-name statement in the accounting-options stanza. } files number. size bytes. 211 . accounting-options { filter-profile filter-profile-name { file log-filename { archive-sites { site-urls. firewall filter.Chapter 5: Standard Firewall Filter Configuration Related Documentation • • • • • Filter-Based Forwarding Overview on page 199 Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic on page 201 Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic on page 201 Statement Hierarchy for Configuring Routing Instances for FBF on page 204 Statement Hierarchy for Applying FBF Filters to Interfaces on page 205 Accounting for Standard Firewall Filters • • • • Accounting for Standard Firewall Filters Overview on page 211 Statement Hierarchy for Configuring Firewall Filter Accounting Profiles on page 211 Statement Hierarchy for Applying Firewall Filter Accounting Profiles on page 212 Example: Configuring Statistics Collection for a Standard Firewall Filter on page 213 Accounting for Standard Firewall Filters Overview Juniper Networks devices can collect various kinds of data about traffic passing through the device. If you apply the same profile name to both a firewall filter and an interface. Inc. Related Documentation • • • Statement Hierarchy for Configuring Firewall Filter Accounting Profiles on page 211 Statement Hierarchy for Applying Firewall Filter Accounting Profiles on page 212 Example: Configuring Statistics Collection for a Standard Firewall Filter on page 213 Statement Hierarchy for Configuring Firewall Filter Accounting Profiles To configure an accounting profile that you can apply to a firewall filter. including the following: • • Fields used in the accounting records. and Routing Engine. start-time time. Polling period that the system uses to record the data • There are several types of accounting profiles: interface. source class and destination class usage. Copyright © 2011.

term { filter filter-profile-name. } interval minutes. } 212 Copyright © 2011. Related Documentation • • • Accounting for Standard Firewall Filters Overview on page 211 Statement Hierarchy for Applying Firewall Filter Accounting Profiles on page 212 Example: Configuring Statistics Collection for a Standard Firewall Filter on page 213 Statement Hierarchy for Applying Firewall Filter Accounting Profiles You can apply an accounting profile to a standard stateless firewall filter for any supported protocol family except family any. } } } You can include the accounting options configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] To specify the name of the accounting data log file in the /var/log directory to be used in conjunction with the accounting profile. counter-name-2.Junos OS 11. } then { actions. physical-interface-policer. include the accounting-profile accounting-profile-name statement at the firewall filter stanza: firewall { family family-name { filter filter-name { accounting-profile accounting-profile-name. include the counters statement. counters { counter-name-1. Juniper Networks.4 Firewall Filter and Policer Configuration Guide transfer-interval minutes. include the interval minutes statement. include the file log-filename statement. To specify the names of the firewall filter counters for which filter profile statistics are collected. To apply a filter-accounting profile to a stateless firewall filter. interface-specific. . Inc. To specify how often statistics are collected for the accounting profile. } term term-name { from { match-conditions.

Copyright © 2011. and the statistics are written to the file /var/log/ff_accounting_file. Juniper Networks. • • • • Requirements on page 213 Overview on page 213 Configuration on page 214 Verification on page 217 Requirements Firewall filter accounting profiles are supported for all traffic types except family any.Chapter 5: Standard Firewall Filter Configuration } } } } You can include the firewall configuration at one of the following hierarchy levels: • • [edit] [edit logical-systems logical-system-name] Related Documentation • • • Accounting for Standard Firewall Filters Overview on page 211 Statement Hierarchy for Configuring Firewall Filter Accounting Profiles on page 211 Example: Configuring Statistics Collection for a Standard Firewall Filter on page 213 Example: Configuring Statistics Collection for a Standard Firewall Filter This example shows how to configure and apply a stateless firewall filter that collects data according to parameters specified in an associated accounting profile.0. No special configuration beyond device initialization is required before configuring this example. Statistics are collected for counters named counter1. Topology The firewall filter accounting profile filter_acctg_profile specifies that statistics are collected every 60 minutes. The accounting profile specifies how frequently to collect packet and byte count statistics and the name of the file to which the statistics are written. The profile also specifies that statistics are to be collected for three firewall filter counters. The IPv4 stateless firewall filter named my_firewall_filter increments a counter for each of three filter terms. 213 . you create a firewall filter accounting profile and apply it to a stateless firewall filter. The filter is applied to logical interface ge-0/0/1. and counter3. Inc. Overview In this example. counter2.

4 Firewall Filter and Policer Configuration Guide Configuration The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI. Inc. remove any line breaks.1. set accounting-options filter-profile filter_acctg_profile file ff_accounting_file set accounting-options filter-profile filter_acctg_profile interval 60 set accounting-options filter-profile filter_acctg_profile counters counter1 set accounting-options filter-profile filter_acctg_profile counters counter2 set accounting-options filter-profile filter_acctg_profile counters counter3 set firewall family inet filter my_firewall_filter accounting-profile filter_acctg_profile set firewall family inet filter my_firewall_filter term term1 from protocol ospf set firewall family inet filter my_firewall_filter term term1 then count counter1 set firewall family inet filter my_firewall_filter term term1 then discard set firewall family inet filter my_firewall_filter term term2 from source-address 10.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input my_firewall_filter Configure an Accounting Profile Step-by-Step Procedure To configure an accounting profile: 1. see “Using the CLI Editor in Configuration Mode” on page 15. Configure the accounting profile to filter and collect packet and byte count statistics every 60 minutes and write them to the /var/log/ff_accounting_file file.0/16 set firewall family inet filter my_firewall_filter term term2 then count counter2 set firewall family inet filter my_firewall_filter term term2 then discard set firewall family inet filter my_firewall_filter term accept-all then count counter3 set firewall family inet filter my_firewall_filter term accept-all then accept set interfaces ge-0/0/1 unit 0 family inet address 10. perform the following tasks: • • • • • Configure an Accounting Profile on page 214 Configure a Firewall Filter That References the Accounting Profile on page 215 Apply the Firewall Filter to an Interface on page 215 Confirm Your Candidate Configuration on page 216 Clear the Counters and Commit Your Candidate Configuration on page 217 CLI Quick Configuration To quickly configure this example. Juniper Networks. copy the following configuration commands into a text file. .108. [edit] user@host# edit accounting-options filter-profile filter_acctg_profile 2.0. [edit accounting-options filter-profile filter_acctg_profile] user@host# set file ff_accounting_file user@host# set interval 60 214 Copyright © 2011.2. and then paste the commands into the CLI at the [edit] hierarchy level. Create the accounting profile filter_acctg_profile.Junos OS 11. To configure this example.

Chapter 5: Standard Firewall Filter Configuration 3. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10. Configure the logical interface to which you will apply the stateless firewall filter.108. [edit interfaces ge-0/0/1 unit 0 family inet] Copyright © 2011.0. Create the stateless firewall filter my_firewall_filter.1. Juniper Networks. Apply the stateless firewall filter to the logical interface. [edit accounting-options filter-profile filter_acctg_profile] user@host# set counters counter1 user@host# set counters counter2 user@host# set counters counter3 Configure a Firewall Filter That References the Accounting Profile Step-by-Step Procedure To configure a firewall filter that references the accounting profile: 1. Configure the first filter term and counter. 215 .3/30 3. [edit firewall family inet filter my_firewall_filter] user@host# set accounting-profile filter_acctg_profile 3. [edit firewall family inet filter my_firewall_filter] user@host# set term accept-all then count counter3 user@host# set term accept-all then accept Apply the Firewall Filter to an Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1.2. Inc. [edit firewall family inet filter my_firewall_filter] user@host# set term term2 from source-address 10. Configure the second filter term and counter. Configure the third filter term and counter.0/16 user@host# set term term2 then count counter2 user@host# set term term2 then discard 5. [edit] user@host# edit firewall family inet filter my_firewall_filter 2. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2. [edit firewall family inet filter my_firewall_filter] user@host# set term term1 from protocol ospf user@host# set term term1 then count counter1 user@host# set term term1 then discard 4. Configure the interface address for the logical interface. Apply the filter-accounting profile filter_acctg_profile to the firewall filter. Configure the accounting profile to collect filter profile statistics (packet and byte counts) for three counters.

[edit] user@host# show firewall family inet { filter my_firewall_filter { accounting-profile filter_acctg_profile.4 Firewall Filter and Policer Configuration Guide user@host# set filter input my_firewall_filter Confirm Your Candidate Configuration Step-by-Step Procedure To confirm your candidate configuration: 1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. .0/16.0. term term1 { from { protocol ospf. 216 Copyright © 2011. } then { count counter1. Juniper Networks. If the command output does not display the intended configuration. Confirm the configuration of the accounting profile by entering the show accounting-options configuration mode command.108. accept. counters { counter1. discard. Inc. counter2. discard. } } then { count counter2. } } 2. If the command output does not display the intended configuration. } } term term2 { from { source-address { 10. repeat the instructions in this example to correct the configuration. counter3.Junos OS 11. interval 60. [edit] user@host# show accounting-options filter-profile filter_acctg_profile { file ff_accounting_file. repeat the instructions in this example to correct the configuration. } } term accept-all { then { count counter3.

217 . run the show interfaces command with the detail or extensive output level. } } } Clear the Counters and Commit Your Candidate Configuration Step-by-Step Procedure To clear the counters and commit your candidate configuration: 1. repeat the instructions in this example to correct the configuration. user@host> show firewall filter my_firewall_filter Filter: my_firewall_filter Counters: Name counter1 counter2 Bytes 0 0 Packets 0 0 Copyright © 2011.3/30.2. [edit] user@host> clear firewall filter my_firewall_filter 2. To clear only the counters incremented in this example. use the clear firewall all command to clear the statistics for all firewall filters. run the show firewall filter my_firewall_filter command.1. Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. } address 10. [edit] user@host# commit Verification To verify that the filter is applied to the logical interface. [edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input my_firewall_filter. include the name of the firewall filter. Inc. From operational command mode. If the command output does not display the intended configuration.Chapter 5: Standard Firewall Filter Configuration } } } } 3. Juniper Networks. To verify that the three counters are collected separately. Commit your candidate configuration.

In addition to writing syslog messages to a log file. regardless of facility. severity. Events consist of routine operations. Each Junos OS system log message belongs to a message category. This system logging utility is similar to the UNIX syslogd utility. To configure global settings and facility-specific settings that override these default values.4 Firewall Filter and Policer Configuration Guide counter3 0 0 Related Documentation • • • Accounting for Standard Firewall Filters Overview on page 211 Statement Hierarchy for Configuring Firewall Filter Accounting Profiles on page 211 Statement Hierarchy for Applying Firewall Filter Accounting Profiles on page 212 Logging of Stateless Firewall Filter Activity • • • • System Logging Overview on page 218 System Logging of Events Generated for the Firewall Facility on page 219 Logging of Packet Headers Evaluated by a Firewall Filter Term on page 221 Example: Configuring Logging for a Stateless Firewall Filter Term on page 222 System Logging Overview The Junos OS generates system log messages (also called syslog messages) to record system events that occur on the device. By default. you can configure the syslog message utility to redirect messages of a specified severity to a specified file instead of to the main system log file. Together. that reflects the hardware. Juniper Networks. to additional destinations. syslog messages that have a severity of info or more serious are written to the main system log file messages in the /var/log directory of the local Routing Engine. A group of messages belonging to the same facility are either generated by the same software process or concern a similar hardware condition or user activity (such as authentication attempts). You can also configure the syslog message utility to write syslog messages of a specified severity. Inc. 218 Copyright © 2011. and critical conditions that might require urgent resolution. called a facility. or to a remote host or the other Routing Engine. the facility and severity of an event are known as the message priority. or destination—you can override the default values for file-archiving properties and the default timestamp format. which indicates how seriously the triggering event affects router functions. The content of a syslog message identifies the Junos OS process that generates the message and briefly describes the operation or error that occurred. for all syslog facilities or for a specified facility. you can write syslog messages to the terminal sessions of any logged-in users. . At the global level—for all system logging messages.or software-based source of the triggering event. failure and error conditions. For all syslog facilities or for a specified facility. Each system log message is also preassigned a severity. to the router console. you can include statements at the [edit system syslog] hierarchy level.Junos OS 11.

Table 22: Syslog Message Destinations for the Firewall Facility Destination File Description Configuring this option keeps the firewall syslog messages out of the main system log file. other statements that specify the format for messages written to the file are ignored (the explicit-priority statement at the [edit system syslog file filename] hierarchy level and the time-format statement at the [edit system syslog] hierarchy level). you include a statement at the [edit system syslog] hierarchy level. allow-duplicates. To include priority and facility with messages written to the file. For more information. and you specify the firewall facility name together with a severity level. include † the structured-data statement. Messages from the firewall that are rated at the specified level or more severe are logged to the destination. Juniper Networks. To override the default standard message format. # All destinations archive archive-options. # File option } allow-duplicates. Just as you can for any other Junos OS system logging facility. # File option explicit-priority. Copyright © 2011. which manages packet forwarding functions. which manages compilation and downloading of Junos OS firewall filters. Inc. # File option archive archive-optios. # Local destinations } } † When the structured-data statement is included. Configuration Statements [edit] system { syslog { file filename { firewall severity. see the Junos OS System Log Messages Reference. include the explicit-priority statement. generated by the Packet Forwarding Engine controller. System log messages with the PFE_FW_ prefix are messages about firewall filters. # File option structured-data. System log messages with the DFWD_ prefix are generated by the firewall process (dfwd). you can direct firewall facility syslog messages to one or more specific destinations: to a specified file. or to a remote host or the other Routing Engine on the router. 219 . Table 22 on page 219 lists the system log destinations you can configure for the firewall facility. When you configure a syslog message destination for firewall facility syslog messages. which is based on a UNIX system log format. # All files time-format (option). to the router console. to the terminal session of one or more logged in users (or to all users).Chapter 5: Standard Firewall Filter Configuration Related Documentation • • • System Logging of Events Generated for the Firewall Facility on page 219 Logging of Packet Headers Evaluated by a Firewall Filter Term on page 221 Example: Configuring Logging for a Stateless Firewall Filter Term on page 222 System Logging of Events Generated for the Firewall Facility System log messages generated for firewall filter actions belong to the firewall facility.

hour. allow-duplicates. or specify * for all logged in users. # Local destinations } } [edit] system { syslog { host (hostname | other-routing-engine) { firewall severity. } time-format (option). To include priority and facility with messages written to the file. } time-format (option). # Local destinations } } [edit] system { syslog { console { firewall severity. † When the structured-data statement is included. regardless of the facility. Remote host or the other Routing Engine Configuring this option causes a copy of the firewall syslog messages to be written to the specified remote host or to the other Routing Engine. Specify one or more user names. Juniper Networks. . as in the example: Sep 07 08:00:10 To include the year. date. # All destinations archive archive-options. time-format millisecond. 220 Copyright © 2011. or both in the timestamp for all system logging messages. include the explicit-priority statement. the timestamp recorded in a standard-format system log message specifies the month. include one of the following statement at the [edit system syslog] hierarchy level: • • • time-format year. By default. Inc. # File option facility-override firewall. # Host option } allow-duplicates. Configuration Statements [edit] system { syslog { user (username | *) { firewall severity. include the facility-override firewall statement.Junos OS 11. the millisecond. and second when the message was logged. # All files time-format (option). # Host option explicit-priority. time-format year millisecond.4 Firewall Filter and Policer Configuration Guide Table 22: Syslog Message Destinations for the Firewall Facility (continued) Destination Terminal session Description Configuring this option causes a copy of the firewall syslog messages to be written to the specified terminal sessions. other statements that specify the format for messages written to the file are ignored (the explicit-priority statement at the [edit system syslog file filename] hierarchy level and the time-format statement at the [edit system syslog] hierarchy level). # Local destinations } } Router console Configuring this option causes a copy of the firewall syslog messages to be written to the router console. minute. # Host option archive archive-optios. To override the default alternative facility for forwarding firewall syslog messages to a remote machine (local3).

Chapter 5: Standard Firewall Filter Configuration The following example illustrates the format for a timestamp that includes both the millisecond (401) and the year (2010): Sep 07 08:00:10. Logging of packet headers evaluated by firewall filters is supported for standard stateless firewall filters for IPv4 or IPv6 traffic only. 221 .2010 Related Documentation • • • • System Logging Overview on page 218 Logging of Packet Headers Evaluated by a Firewall Filter Term on page 221 Example: Configuring Logging for a Stateless Firewall Filter Term on page 222 “Junos OS System Logging Facilities and Message Severity Levels” in the Junos OS System Basics Configuration Guide • “Junos OS System Log Configuration Hierarchy” in the Junos OS System Basics Configuration Guide • “Junos OS Default System Log Settings” in the Junos OS System Basics Configuration Guide • “Logging Messages in Structured-Data Format” in the Junos OS System Basics Configuration Guide • “Including the Year or Millisecond in Timestamps” in the Junos OS System Basics Configuration Guide • “Changing the Alternative Facility Name for Remote System Log Messages” in the Junos OS System Basics Configuration Guide • “Junos OS System Log Alternate Facilities for Remote Logging” in the Junos OS System Basics Configuration Guide Logging of Packet Headers Evaluated by a Firewall Filter Term Built in to the stateless firewall filtering software is the capability to log packet-header information for the packets evaluated by a stateless firewall filter term. Copyright © 2011. Service filters and simple filters do not support logging of packet headers. Table 23 on page 222 lists the packet-header logs you can configure for a firewall filter action. Inc. Juniper Networks.401. You can write the packet header information to the system log file on the local Routing Engine or to a firewall filter buffer in the Packet Forwarding Engine.

terminating-action. Inc. . enter the show log operational mode command without command options. NOTE: Restarting the router causes the contents of this buffer to be cleared.4 Firewall Filter and Policer Configuration Guide Table 23: Packet-Header Logs for Stateless Firewall Filter Terms Log Syslog message destinations configured for the firewall facility Description Configure this option by using the syslog nonterminating action.. If you include the all option. syslog. } then { . To clear log file contents. • • • • Requirements on page 222 Overview on page 223 Configuration on page 223 Verification on page 225 Requirements No special configuration beyond device initialization is required before configuring this example. } } } } Related Documentation • • • System Logging Overview on page 218 System Logging of Events Generated for the Firewall Facility on page 219 Example: Configuring Logging for a Stateless Firewall Filter Term on page 222 Example: Configuring Logging for a Stateless Firewall Filter Term This example shows how to configure a standard stateless firewall filter to log packet headers. all archived versions of the log file are deleted.. enter the clear log filename <all> operational mode command.Junos OS 11. To display log file contents for a specific file in the /var/log directory on the local Routing Engine. firewall { family { filter filter-name { from { match-conditions. Juniper Networks. } } } } Buffer in the Packet Forwarding Engine Configure this option by using the log nonterminating action. 222 Copyright © 2011. To display the local log entries for firewall filters. terminating-action. } then { . enter the show firewall log operational mode command. the specified log file is truncated... To list log files. enter the show log filename operational mode command or the file show /var/log/filename operational mode command. log. NOTE: Packet header information is interspersed with event messages. Configuration Statements firewall { family { filter filter-name { from { match-conditions.

remove any line breaks. set system syslog file messages_firewall_any firewall any set system syslog file messages_firewall_any archive no-world-readable set firewall family inet filter icmp_syslog term icmp_match from address 192.207. Inc. perform the following tasks: • • • • Configure the Syslog Messages File for the Firewall Facility on page 223 Configure the Stateless Firewall Filter on page 223 Apply the Stateless Firewall Filter to a Logical Interface on page 224 Confirm and Commit Your Candidate Configuration on page 224 CLI Quick Configuration To quickly configure this example. Configure a messages file for all syslog messages generated for the firewall facility. user@host# set system syslog file messages_firewall_any firewall any 2. Configuration The following example requires you to navigate various levels in the configuration hierarchy. Create the stateless firewall filter icmp_syslog. copy the following configuration commands into a text file. [edit] Copyright © 2011. 223 . and then paste the commands into the CLI at the [edit] hierarchy level.3/30 set interfaces ge-0/0/1 unit 0 family inet filter input icmp_syslog Configure the Syslog Messages File for the Firewall Facility Step-by-Step Procedure To configure a syslog messages file for the firewall facility: 1.222/32 set firewall family inet filter icmp_syslog term icmp_match from protocol icmp set firewall family inet filter icmp_syslog term icmp_match then count packets set firewall family inet filter icmp_syslog term icmp_match then log set firewall family inet filter icmp_syslog term icmp_match then accept set firewall family inet filter icmp_syslog term default_term then accept set interfaces ge-0/0/1 unit 0 family inet address 10. To configure this example.168. user@host# set system syslog file messages_firewall_any archive no-world-readable Configure the Stateless Firewall Filter Step-by-Step Procedure To configure the stateless firewall filter icmp_syslog that logs and counts ICMP packets that have 192.Chapter 5: Standard Firewall Filter Configuration Overview In this example.222 as either their source or destination.1. For information about navigating the CLI.2. Juniper Networks.168. you use a stateless firewall filter that logs and counts ICMP packets that have 192. Restrict permission to the archived firewall facility syslog files to the root user and users who have the Junos OS maintenance permission. see “Using the CLI Editor in Configuration Mode” on page 15.168.207.207.222 as either their source or destination: 1.

Configure matching on the ICMP protocol and an address.3/30 3. If the command output does not display the intended configuration. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input icmp_syslog Confirm and Commit Your Candidate Configuration Step-by-Step Procedure To confirm and then commit your candidate configuration: 1. and accept matching packets. .Junos OS 11. Count. Configure the interface address for the logical interface. Confirm the configuration of the syslog message file for the firewall facility by entering the show system configuration mode command. repeat the instructions in this example to correct the configuration. Apply the stateless firewall filter to the logical interface. Juniper Networks. log..207. [edit] user@host# show system syslog { file messages_firewall_any { firewall any.168. Configure the logical interface to which you will apply the stateless firewall filter. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2. archive no-world-readable.4 Firewall Filter and Policer Configuration Guide user@host# edit firewall family inet filter icmp_syslog 2. Accept all other packets. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10.2. [edit firewall family inet filter icmp_syslog] user@host# set term icmp_match from address 192.1. [edit firewall family inet filter icmp_syslog] user@host# set term icmp_match then count packets user@host# set term icmp_match then log user@host# set term icmp_match then accept 4.222/32 user@host# set term icmp_match from protocol icmp 3. } } 224 Copyright © 2011. [edit firewall family inet filter icmp_syslog] user@host# set term default_term then accept Apply the Stateless Firewall Filter to a Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to a logical interface: 1. Inc.

207. If the command output does not display the intended configuration. repeat the instructions in this example to correct the configuration. enter the show log filter command: user@host> show log messages_firewall_any Mar 20 08:03:11 hostname feb FW: so-0/1/0.207. accept. 225 .0 192. } address 10. } } } 3. log.168.207. } protocol icmp. } then { count packets.3/30.2. } } term default_term { then accept.1. Confirm the configuration of the stateless firewall filter by entering the show firewall configuration mode command. Inc. repeat the instructions in this example to correct the configuration.168.222/32.168. } } } 4. Juniper Networks. [edit] user@host# commit Verification To confirm that the configuration is working properly.223 0 0 (1 packets) A icmp 192. [edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { filter { input icmp_syslog.222 Copyright © 2011. Confirm the configuration of the interface by entering the show interfaces configuration mode command. [edit] user@host# show firewall family inet { filter icmp_syslog { term icmp_match { from { address { 192. commit your candidate configuration. If the command output does not display the intended configuration.Chapter 5: Standard Firewall Filter Configuration 2. If you are done configuring the device.

and are shown for TCP or UDP packets only. the source and destination ports are displayed. . For all other protocols. the ICMP type and code are displayed. NOTE: If the protocol is ICMP.207.168. If packets arrive faster.222 Related Documentation • • • System Logging Overview on page 218 Logging of Packet Headers Evaluated by a Firewall Filter Term on page 221 System log messages with the DFWD_ prefix.Junos OS 11. The last two fields (both zero) are the source and destination TCP/UDP ports. Juniper Networks.168. and displays an output similar to the following: user@host> show log filter Mar 20 08:08:45 hostname feb FW: so-0/1/0.223 0 0 (515 packets) A icmp 192. This log message indicates that only one packet for this match has been detected in about a 1-second interval. the system log function compresses the information so that less output is generated. Source address—Source IP address in the packet. respectively.207. described in the Junos OS System Log Messages Reference 226 Copyright © 2011. • Filter action: • • • A—Accept (or next term) D—Discard R—Reject • • • Protocol—Packet’s protocol name or number. Destination address—Destination IP address in the packet.4 Firewall Filter and Policer Configuration Guide This output file contains the following fields: • Date and Time—Date and time at which the packet was received (not shown in the default). described in the Junos OS System Log Messages Reference • System log messages with the PFE_FW_* prefix. Inc.0 192.

Service Rules A service set is an optional definition you can apply to the traffic at an adaptive services interface. 227 . Juniper Networks. Adaptive services interfaces enable you to coordinate a special range of services on a single PIC or DPC by configuring a set of services and applications.CHAPTER 6 Service Filter Configuration • • • • • • Service Filter Overview on page 227 How Service Filters Evaluate Packets on page 228 Guidelines for Configuring Service Filters on page 230 Guidelines for Applying Service Filters on page 232 Service Filter Match Conditions and Actions on page 235 Example: Configuring and Applying Service Filters on page 242 Service Filter Overview This topic covers the following information: • • • • Services on page 227 Service Rules on page 227 Service Rule Refinement on page 228 Service Filter Counters on page 228 Services The Adaptive Services Physical Interface Cards (PICs). Multiservices PICs. and Multiservices Dense Port Concentrators (DPCs) provide adaptive services interfaces. Copyright © 2011. A service set enables you to configure combinations of directional rules and default settings that control the behavior of each service in the service set. NOTE: Service filters are not supported on J Series devices and Branch SRX devices. Inc.

Service filters enable you to manipulate traffic by performing packet filtering to a defined set of services on an adaptive services interface before the traffic is delivered to its destination. . service filters support counting of matched packets. When you display counters for a service filter. use the show firewall filter filter-name <counter counter-name> operational mode command.Junos OS 11. • To enable counting of the packets matched by a service filter term. Service Filter Counters Like standard firewall filters. the syntax for using the show firewall operational mode command to display the counter is as follows: [edit] user@host> show firewall filter __service-nat_set:out_filter counter out_counter Related Documentation • • • • • • • Stateless Firewall Filter Types on page 6 How Service Filters Evaluate Packets on page 228 Guidelines for Configuring Service Filters on page 230 Guidelines for Applying Service Filters on page 232 Example: Configuring and Applying Service Filters on page 242 “Adaptive Services Overview” in the Junos OS Services Interfaces Configuration Guide “Configuring Service Sets to be Applied to Services Interfaces” in the Junos OS Services Interfaces Configuration Guide • “Configuring Service Rules” in the Junos OS Services Interfaces Configuration Guide How Service Filters Evaluate Packets This topic covers the following information: • • Service Filters That Contain a Single Term on page 229 Service Filters That Contain Multiple Terms on page 229 228 Copyright © 2011. the syntax for specifying the filter name includes the name of the service set to which the service filter is applied. To display counters for service filters. and specify the filter-name as follows: __service-service-set-name:service-filter-name • For example. suppose you configure a service filter named out_filter with a counter named out_counter and apply that service filter to a logical interface to direct certain packets for processing by the output services associated with the service set nat_set. you can optionally use service filters to refine the target of the set of services and also to process traffic.4 Firewall Filter and Policer Configuration Guide Service Rule Refinement When you apply a service set to the traffic at an adaptive services interface. specify the count counter-name nonterminating action in that term. Juniper Networks. Inc. In this scenario. however. You can apply a service filter to traffic before packets are accepted for input or output service processing or after packets return from input service processing.

which is equivalent to including the following example term explicit_skip as the final term in the service filter: term explicit_skip { then skip. 229 . the policy framework software evaluates a packet against the terms in the filter sequentially. Related Documentation • Service Filter Overview on page 227 Copyright © 2011. the policy framework software evaluates a packet as follows: • • If the packet matches all the conditions. until either the packet matches all the conditions in one of the terms or there are no more terms in the filter. Inc. If the packet does not match all the conditions in the term. } By default. If the packet does not match all the conditions. If the packet matches all the conditions and no actions are specified. Service Filter Default Action Each service filter has an implicit skip action at the end of the filter. the actions in that term are performed and evaluation of the packet ends at that term. Any subsequent terms in the filter are not used.Chapter 6: Service Filter Configuration • • • Service Filter Terms That Do Not Contain Any Match Conditions on page 229 Service Filter Terms That Do Not Contain Any Actions on page 229 Service Filter Default Action on page 229 Service Filters That Contain a Single Term For a service filter that consists of a single term. the actions are taken on any packet evaluated. it is discarded. Juniper Networks. • Service Filter Terms That Do Not Contain Any Match Conditions For service filters with a single term and for filters with multiple terms. the packet bypasses service processing. the actions are taken. evaluation of the packet proceeds to the next term in the filter. Service Filter Terms That Do Not Contain Any Actions If a term does not contain any actions. if a term does not contain any match conditions. beginning with the first term in the filter. the packet is accepted. if a packet matches none of the terms in a service filter. the packet is accepted. and if the packet matches the conditions in the term. • Service Filters That Contain Multiple Terms For a service filter that consists of multiple terms. • If the packet matches all the conditions in a term.

Service Filter Protocol Families You can configure service filters to filter IPv4 traffic (family inet) and IPv6 traffic (family inet6) only. . The filter name can 230 Copyright © 2011. Service Filter Names Under the family inet or family inet6 statement. } } } } } Individual statements supported under the service-filter service-filter-name statement are described separately in this topic and are illustrated in the example of configuring and applying a service filter. No other protocol families are supported for service filters.4 Firewall Filter and Policer Configuration Guide • • • Guidelines for Configuring Service Filters on page 230 Guidelines for Applying Service Filters on page 232 Example: Configuring and Applying Service Filters on page 242 Guidelines for Configuring Service Filters This topic covers the following information: • • • • • • Statement Hierarchy for Configuring Service Filters on page 230 Service Filter Protocol Families on page 230 Service Filter Names on page 230 Service Filter Terms on page 231 Service Filter Match Conditions on page 231 Service Filter Terminating Actions on page 231 Statement Hierarchy for Configuring Service Filters To configure a service filter. you can include service-filter service-filter-name statements to create and name service filters. Inc. include the service-filter service-filter-name statement at the [edit firewall family (inet | inet6)] hierarchy level: [edit] firewall { family (inet | inet6) { service-filter service-filter-name { term term-name { from { match-conditions. Juniper Networks.Junos OS 11. } then { actions.

To include spaces in the name. and hyphens (-) and be up to 64 characters long. • Service Filter Match Conditions Service filter terms support only a subset of the IPv4 and IPv6 match conditions that are supported for standard stateless firewall filters. If you specify an IPv6 address in a match condition (the address. destination-address. The term name can contain letters. You must specify a unique name for each term within a firewall filter. enclose the entire name in quotation marks (“ ”). or source-address match conditions). • • You must configure at least one term in a firewall filter. Service Filter Terms Under the service-filter service-filter-name statement. You can use the insert configuration mode command to reorder the terms of a firewall filter. To include spaces in the name. The order in which you specify terms within a firewall filter configuration is important. By default. and hyphens (-) and can be up to 64 characters long. Copyright © 2011. see “IPv6 Overview” and “IPv6 Standards” in the Junos OS Routing Protocols Configuration Guide. IP Version 6 Addressing Architecture. use the syntax for text representations described in RFC 2373. Juniper Networks. 231 . new terms are always added to the end of the existing filter. numbers. you can include term term-name statements to create and name filter terms. you must specify one of the following filter-terminating actions: • • service skip NOTE: These actions are unique to service filters. Firewall filter terms are evaluated in the order in which they are configured. Service Filter Terminating Actions When configuring a service filter term.Chapter 6: Service Filter Configuration contain letters. Service filter terms support only a subset of the IPv4 and IPv6 nonterminating actions that are supported for standard stateless firewall filters: • • • • count counter-name log port-mirror sample Service filters do not support the next action. For more information about IPv6 addresses. numbers. Inc. enclose the entire name in quotation marks (“ ”).

The architecture does not support system logging traffic out of a management interface.Junos OS 11. Adaptive Services Interfaces You can apply a service filter to IPv4 or IPv6 traffic associated with a service set at an adaptive services interface only. Inc. Adaptive services interfaces are supported for the following hardware only: • • • Adaptive Services (AS) PICs on M Series and T Series routers Multiservices (MS) PICs on M Series and T Series routers Multiservices (MS) DPCs on MX Series routers System Logging to a Remote Host from M Series Routers Logging of adaptive services interfaces messages to an external server by means of the fxp0 or em0 port is not supported on M Series routers.4 Firewall Filter and Policer Configuration Guide Related Documentation • • • • • • • Service Filter Overview on page 227 How Service Filters Evaluate Packets on page 228 Guidelines for Applying Service Filters on page 232 Service Filter Match Conditions for IPv4 or IPv6 Traffic on page 235 Service Filter Terminating Actions on page 241 Service Filter Nonterminating Actions on page 241 Example: Configuring and Applying Service Filters on page 242 Guidelines for Applying Service Filters This topic covers the following information: • • • • • Restrictions for Adaptive Services Interfaces on page 232 Statement Hierarchy for Applying Service Filters on page 232 Associating Service Rules with Adaptive Services Interfaces on page 233 Filtering Traffic Before Accepting Packets for Service Processing on page 233 Postservice Filtering of Returning Service Traffic on page 234 Restrictions for Adaptive Services Interfaces The following restrictions apply to adaptive services interfaces and service filters. apply a service filter to the adaptive services interface input or output in conjunction with an interface service set. 232 Copyright © 2011. . Statement Hierarchy for Applying Service Filters You can enable packet filtering of IPv4 or IPv6 traffic before a packet is accepted for input or output service processing. To do this. Instead. Juniper Networks. access to an external server is supported on a Packet Forwarding Engine interface.

The following configuration shows the hierarchy levels at which you can apply the service filters to adaptive services interfaces: [edit] interfaces { interface-name { unit unit-number { family (inet | inet6) { service { input { service-set service-set-name service-filter service-filter-name.Chapter 6: Service Filter Configuration You can also enable packet filtering of IPv4 or IPv6 traffic that is returning to the Packet Forwarding Engine after input service processing completes. To apply an interface service set to the input and output of an adaptive services interface. Juniper Networks. The adaptive services PIC performs different actions depending on whether the packet is sent to the PIC for input service or for output service. you include the service-set service-set-name at the following hierarchy levels: • • [edit interfaces interface-name unit unit-number input] [edit interfaces interface-name unit unit-number output] If you apply a service set to one direction of an adaptive services interface but do not apply a service set to the other direction. an error occurs when you commit the configuration. Filtering Traffic Before Accepting Packets for Service Processing To filter IPv4 or IPv6 traffic before accepting packets for input or output service processing. } } } } } } Associating Service Rules with Adaptive Services Interfaces To define and group the service rules be applied to an adaptive services interface. Inc. post-service-filter service-filter-name. include the service-set service-set-name service-filter service-filter-name at one of the following interfaces: • [edit interfaces interface-name unit unit-number family (inet | inet6) service input] Copyright © 2011. For example. To do this. apply a post-service filter to the adaptive services interface input. 233 . you define an interface service set by including the service-set service-set-name statement at the [edit services] hierarchy level. } output { service-set service-set-name service-filter service-filter-name. you can configure a single service set to perform Network Address Translation (NAT) in one direction and destination NAT (dNAT) in the other direction.

Inc. The system executes the first service set for which it finds a match in the service filter and ignores the subsequent definitions. Juniper Networks. The following requirements apply to filtering inbound or outbound traffic before accepting packets for service processing: • • You configure the same service set on the input and output sides of the interface. A maximum of six service sets can be applied to an interface.4 Firewall Filter and Policer Configuration Guide • [edit interfaces interface-name unit unit-number family (inet | inet6) service output] For the service-set-name.Junos OS 11. The service set retains the input interface information even after services are applied. • • Postservice Filtering of Returning Service Traffic As an option to filtering of IPv4 or IPv6 input service traffic. the router software evaluates them in the order in which they appear in the configuration. . • You can include more than one service set definition on each side of an interface. include the post-service-filter service-filter-name statement at the [edit interfaces interface-name unit unit-number family (inet | inet6) service input] hierarchy level. When you apply multiple service sets to an interface. so that functions such as filter-class forwarding and destination class usage (DCU) that depend on input interface information continue to work. specify a service set configured at the [edit services service-set] hierarchy level. you must also configure and apply a service filter to the interface. The service filter is applied only if a service set is configured and selected. the Junos OS assumes the match condition is true and selects the service set for processing automatically. To apply a service filter in this manner. If you include the service-set statement without an optional service-filter definition. Related Documentation • • • • • • Service Filter Overview on page 227 How Service Filters Evaluate Packets on page 228 Guidelines for Configuring Service Filters on page 230 Example: Configuring and Applying Service Filters on page 242 “Adaptive Services Overview” in the Junos OS Services Interfaces Configuration Guide “Configuring Service Sets to be Applied to Services Interfaces” in the Junos OS Services Interfaces Configuration Guide • “Configuring Service Rules” in the Junos OS Services Interfaces Configuration Guide 234 Copyright © 2011. you can apply a service filter to IPv4 or IPv6 traffic that is returning to the services interface after the service set is executed. The following guidelines apply: • If you include multiple service sets.

Chapter 6: Service Filter Configuration Service Filter Match Conditions and Actions • • • Service Filter Match Conditions for IPv4 or IPv6 Traffic on page 235 Service Filter Terminating Actions on page 241 Service Filter Nonterminating Actions on page 241 Service Filter Match Conditions for IPv4 or IPv6 Traffic Service filters support only a subset of the stateless firewall filter match conditions for IPv4 and IPv6 traffic. Do not match the IP source or destination address field. family inet family inet6 Copyright © 2011. You cannot specify both the address and destination-address match conditions in the same term. Protocol Families family inet family inet family inet6 family inet6 (M Series routers. Match the IP destination address field. family inet — ah-spi-except spi-value destination-address address family inet — family inet family inet6 destination-address address address Do not match the IP destination address field. 235 . (M Series routers. Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic Match Condition address address address address except ah-spi spi-value Description Match the IP source or destination address field. except M120 and M320) Match on the IPsec authentication header (AH) security parameter index (SPI) value. Juniper Networks. Inc. You cannot specify both the address and destination-address match conditions in the same term. except M120 and M320) Do not match on the IPsec AH SPI value. Table 24 on page 235 describess the service filter match conditions.

snmp (161). tacacs (49). kshell (544). ftp (21). ssh (22). imap (143). In place of the numeric value. cmd (514). cvspserver (2401). ntalk (518). sunrpc (111). binary. socks (1080). mobilip-mn (435). telnet (23). . we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. If you configure this match condition for IPv6 traffic. mobileip-agent (434). radacct (1813). printer (515). netbios-dgm (138). Do not match if the packet is a trailing fragment of a fragmented packet. snpp (444). Specify a single value or a range of values. ekshell (2106). To specify the value in binary form. finger (79). nntp (119). bootps (67). rkinit (2108). family inet family inet6 family inet family inet6 family inet family inet6 esp-spi-except value family inet family inet6 first-fragment family inet — 236 Copyright © 2011. domain (53). This match condition is an alias for the bit-field match condition fragment-offset 0 match condition. ldp (646). To specify the value in hexadecimal form. we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. you can use two terms that specify different match conditions: first-fragment and is-fragment. Match if the packet is the first fragment of a fragmented packet. You can specify a value in hexadecimal.Junos OS 11. timed (525). login (513). talk (517). nfsd (2049). Protocol Families family inet family inet6 destination-port-except number destination-prefix-list name esp-spi value Do not match the UDP or TCP destination port field. ftp-data (20). The first fragment of a fragmented packet has a fragment offset value of 0. Match the IPsec encapsulating security payload (ESP) SPI value. tacacs-ds (65). pop3 (110). bootpc (68). pptp (1723). biff (512). ident (113). syslog (514). smtp (25). https (443). http (80). see the esp-spi match condition. kerberos-sec (88). netbios-ssn (139). Match the list of destination prefixes. include b as a prefix. krbupdate (760). Juniper Networks. To match both first and trailing fragments. ntp (123). dhcp (67).4 Firewall Filter and Policer Configuration Guide Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic (continued) Match Condition destination-port number Description Match the UDP or TCP destination port field. exec (512). or xdmcp (177). Do not match the IPsec ESP SPI value or range of values. For details. or decimal form. msdp (639). who (513). you can specify one of the following text synonyms (the port numbers are also listed): afs (1483). klogin (543). ldap (389). see the destination-port match description. netbios-ns (137). Inc. tftp (69). krb-prop (754). For details. eklogin (2105). If you configure this match condition for IPv4 traffic. radius (1812). bgp (179). You cannot specify both the port and destination-port match conditions in the same term. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. snmptrap (162). kpasswd (761). rip (520). include 0x as a prefix.

To match both first and trailing fragments.Chapter 6: Service Filter Configuration Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic (continued) Match Condition fragment-flags number Description (Ingress only) Match the three-bit IP fragmentation flags field in the IP header. The value is the offset. family inet family inet6 Copyright © 2011. Inc. or a set of values. more-fragments (0x2). specify a value from 0 through 255. For group-number. Juniper Networks. or reserved (0x8). see “Filtering Packets Received on a Set of Interface Groups Overview” on page 185. a range of values. you can use two terms that specify different match conditions (first-fragment and is-fragment). The first-fragment match condition is an alias for the fragment-offset 0 match condition. family inet family inet6 interface-group-except group-number Do not match the interface group on which the packet was received. An offset value of 0 indicates the first fragment of a fragmented packet. Protocol Families family inet — fragment-offset number Match the 13-bit fragment offset field in the IP header. in 8-byte units. In place of the numeric field value. family inet — Match the interface group (set of one or more logical interfaces) on which the packet was received. For information about configuring interface groups. in the overall datagram message to the data fragment. see the interface-group match condition. for details. Specify a numeric value. family inet — fragment-offset-except number interface-group group-number Do not match the 13-bit fragment offset field. you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4). 237 .

the match condition ip-options [ 0-147 ] matches on an IP options field that contains the loose-source-route.Junos OS 11. use the text synonym any. specify the list of values within square brackets ('[’ and ']’). • The 10-Gigabit Ethernet Modular Port Concentrator (MPC). or timestamp (68). For example. stream-id (136). However. For interfaces configured on those MPCs. To ensure that matched packets are instead sent to the Packet Forwarding Engine (where packet processing is implemented in hardware). Match if the packet is a trailing fragment of a fragmented packet. Inc. or any other value from 0 through 147. . 60-Gigabit Ethernet MPC. Juniper Networks. to the specified value or list of values. all packets that are matched using the ip-options match condition are sent to the Packet Forwarding Engine for processing. see the ip-options match condition. a filter term that specifies an ip-option match on one or more specific IP option values (a value other than any) causes packets to be sent to the Routing Engine so that the kernel can parse the IP option field in the packet header. use the value specification [ value1-value2 ]. To match a range of values. To match on multiple values. To match any value for the IP option. ip-options-except values is-fragment Do not match the IP option field to the specified value or list of values. you can specify one of the following text synonyms (the option values are also listed): loose-source-route (131). Packets processed on the kernel might be dropped in case of a system bottleneck. security (130). or syslog nonterminating actions unless you also specify the discard terminating action in the same term. family inet — family inet — 238 Copyright © 2011. This behavior prevents double-counting of packets for a filter applied to a transit interface on the router. or security values. record-route (7). use the ip-options any match condition. NOTE: To match both first and trailing fragments. and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers are capable of parsing the IP option field of the IPv4 packet header. 60-Gigabit Queuing Ethernet MPC. if present. log. you can use two terms that specify different match conditions (first-fragment and is-fragment). router-alert (148). record-route. This match condition is an alias for the bit-field match condition fragment-offset 0 except bits. you cannot specify the count. Do not match the first fragment of a fragmented packet. For details about specifying the values. In place of a numeric value. this match condition does not match on an IP options field that contains only the router-alert value (148).4 Firewall Filter and Policer Configuration Guide Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic (continued) Match Condition ip-options values Description Match the 8-bit IP option field. For most interfaces. strict-source-route (137). • Protocol Families family inet — For a firewall filter term that specifies an ip-option match on one or more specific IP option values.

fragment (44). You cannot specify both the address and source-address match conditions in the same term. or vrrp (112). rsvp (46). For details. Inc. family inet family inet6 Copyright © 2011. we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. 239 . In place of the numeric value. esp (50). we recommend that you also configure the protocol udp or protoco tcp match statement in the same term to specify which protocol is being used on the port. If you configure this match condition for IPv4 traffic. tcp (6). Match the IP protocol type field. udp (17). you cannot configure the destination-port match condition or the source-port match condition in the same term. dstopts (60). hop-by-hop (0). You cannot specify both the address and source-address match conditions in the same term. ipip (4). you can specify one of the following text synonyms (the field values are also listed): ah (51). For details. pim (103). icmp6 (58). icmpv6 (58). igmp (2). Match the prefixes of the source or destination address fields to the prefixes in the specified list. gre (47). If you configure this match condition for IPv6 traffic. family inet family inet6 prefix-list prefix-list-name family inet family inet6 protocol number family inet — protocol-except number source-address address Do not match the IP protocol type field. see the protocol match condition. sctp (132). ospf (89). Match the IP source address. egp (8). Protocol Families family inet family inet6 port-except number Do not match the UDP or TCP source or destination port field. In place of the numeric value. family inet — family inet family inet6 source-address address except Do not match the IP source address. ipv6 (41). you can specify one of the text synonyms listed under destination-port. If you configure this match condition. The prefix list is defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. Juniper Networks.Chapter 6: Service Filter Configuration Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic (continued) Match Condition port number Description Match the UDP or TCP source or destination port field. see the port match condition. icmp (1).

Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header. . Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level. If you configure this match condition for IPv4 traffic. we recommend that you also configure the protocol udp or protocol tcp match statement in the same term to specify which protocol is being used on the port. see the tcp-established and tcp-initial match conditions. If you configure this match condition for IPv6 traffic. If you configure this match condition for IPv6 traffic. the SYN flag is set only in the initial packet sent.Junos OS 11. You can string together multiple flags using the bit-field logical operators. we recommend that you also configure the protocol tcp match statement in the same term to specify that the TCP protocol is being used on the port. Match source prefixes in the specified list. For combined bit-field match conditions. If you configure this match condition for IPv4 traffic. You cannot specify the port and source-port match conditions in the same term. Juniper Networks. In place of the numeric value. see the source-port match condition. 240 Copyright © 2011.4 Firewall Filter and Policer Configuration Guide Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic (continued) Match Condition source-port number Description Match the UDP or TCP source port field. Inc. we recommend that you also configure the next-header udp or next-header tcp match condition in the same term to specify which protocol is being used on the port. we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port. you can specify the following text synonyms or hexadecimal values: • • • • • • family inet family inet6 family inet family inet6 tcp-flags value family inet family inet6 fin (0x01) syn (0x02) rst (0x04) push (0x08) ack (0x10) urgent (0x20) In a TCP session. you can specify one of the text synonyms listed with the destination-port number match condition. To specify individual bit fields. while the ACK flag is set in all packets sent after the initial packet. Protocol Families family inet family inet6 source-port-except number source-prefix-list name Do not match the UDP or TCP source port field. For details.

241 . Juniper Networks. Related Documentation • • • • • Service Filter Overview on page 227 Guidelines for Configuring Service Filters on page 230 Example: Configuring and Applying Service Filters on page 242 Service Filter Terminating Actions on page 241 Service Filter Nonterminating Actions on page 241 Service Filter Terminating Actions Service filters support different sets of terminating actions than standard stateless firewall filters or simple filters. destination-address. For more information about IPv6 addresses. IP Version 6 Addressing Architecture. Copyright © 2011. Table 25 on page 241 describes the terminating actions you can configure in a service filter term. Protocol Families • • inet inet6 inet inet6 skip Let the packet bypass service processing. • • Related Documentation • • • • • Service Filter Overview on page 227 Guidelines for Configuring Service Filters on page 230 Example: Configuring and Applying Service Filters on page 242 Service Filter Match Conditions for IPv4 or IPv6 Traffic on page 235 Service Filter Nonterminating Actions on page 241 Service Filter Nonterminating Actions Service filters support different sets of terminating actions for each protocol family.Chapter 6: Service Filter Configuration NOTE: If you specify an IPv6 address in a match condition (the address. Table 25: Terminating Actions for Service Filters Terminating Action service Description Direct the packet to service processing. NOTE: Service filters do not support the next term action. see “IPv6 Overview” and “IPv6 Standards” in the Junos OS Routing Protocols Configuration Guide. use the syntax for text representations described in RFC 2373. or source-address match conditions). Inc.

Protocol Families • • inet inet6 inet inet6 log Log the packet header information in a buffer within the Packet Forwarding Engine. Sample the packet. • • port-mirror • • • • inet inet6 inet inet6 sample Related Documentation • • • • • Service Filter Overview on page 227 Guidelines for Configuring Service Filters on page 230 Example: Configuring and Applying Service Filters on page 242 Service Filter Match Conditions for IPv4 or IPv6 Traffic on page 235 Service Filter Terminating Actions on page 241 Example: Configuring and Applying Service Filters This example shows how to configure and apply service filters. Table 26: Nonterminating Actions for Service Filters Nonterminating Action count counter-name Description Count the packet in the named counter.0 on any of the following hardware components: • • Adaptive Services (AS) PIC on an M Series or T Series router Multiservices (MS) PIC on an M Series or T Series router 242 Copyright © 2011. Juniper Networks.4 Firewall Filter and Policer Configuration Guide NOTE: Service filters do not support the next term action. • • • • Requirements on page 242 Overview on page 243 Configuration on page 243 Verification on page 246 Requirements This example use the logical interface xe-0/1/0. Inc. Supported on M120 routers. . M320 routers configured with Enhanced III FPCs. Port-mirror the packet based on the specified family. You can access this information by issuing the show firewall log command at the command-line interface (CLI).Junos OS 11. and MX Series routers only. Table 26 on page 242 describes the nonterminating actions you can configure in a service filter term.

Inc. you use the service-filter out_filter_presvc to filter IPv4 output traffic before the traffic can be accepted for processing by the services associated with service set vrf_svcs.0. one postservice input filter. 243 . Configured basic Ethernet in the topology. Configured the service set vrf_svcs with service input and output rules and default settings for services at a service interface. you use the service filter in_filter_postsvc to filter traffic that is returning to the services interface after the input service set in_filter_presvc is executed. The in_filter_postsvc service filter counts packets sent from ICMP port 179 and then discards them. see “Using the CLI Editor in Configuration Mode” on page 15.0.0. and you apply the output service filter to the output traffic at the same logical interface. and verified that traffic is flowing in the topology and that IPv4 traffic is flowing through logical interface xe-0/1/0. directs these packets to the input services associated with the service set vrf_svcs. Topology You apply the input service filter and postservice input filter to input traffic at logical interface xe-0/1/0. make sure that you have: • Installed your supported router and PICs or DPCs and performed the initial router configuration. For information about navigating the CLI. • • Configuration The following example requires you to navigate various levels in the configuration hierarchy. and discards all other packets. Filtering IPv4 traffic before it is accepted for output service processing—At logical interface xe-0/1/0. Juniper Networks. Overview In this example. • • For guidelines for configuring service sets. Filtering IPv4 traffic after it has completed input service processing—At logical interface xe-0/1/0.0. The in_filter_presvc service filter counts packets sent from ICMP port 179. The out_filter_presvc service filter counts packets destined for TCP port 179 and then directs the packets to the output services associated with the service set vrf_svcs.0. you create three types of service filters for IPv4 traffic: one input service filter. you use the service filter in_filter_presvc to filter IPv4 input traffic before the traffic can be accepted for processing by services associated with service set vrf_svcs. Copyright © 2011. see “Configuring Service Sets to be Applied to Services Interfaces” in the Junos OS Services Interfaces Configuration Guide. and one output service filter. • Filtering IPv4 traffic before it is accepted for input service processing—At logical interface xe-0/1/0.Chapter 6: Service Filter Configuration • Multiservices (MS) DPC on an MX Series router Before you begin.

Configure the output service filter. set firewall family inet service-filter in_filter_presvc term t1 from protocol tcp set firewall family inet service-filter in_filter_presvc term t1 from source-port bgp set firewall family inet service-filter in_filter_presvc term t1 then count svc_in_pkts set firewall family inet service-filter in_filter_presvc term t1 then service set firewall family inet service-filter in_filter_postsvc term t2 from protocol tcp set firewall family inet service-filter in_filter_postsvc term t2 from source-port bgp set firewall family inet service-filter in_filter_postsvc term t2 then count svc_in_pkts_rtn set firewall family inet service-filter in_filter_postsvc term t2 then skip set firewall family inet service-filter out_filter_presvc term t3 from protocol icmp set firewall family inet service-filter out_filter_presvc term t3 from destination-port bgp set firewall family inet service-filter out_filter_presvc term t3 then count svc_out_pkts set firewall family inet service-filter out_filter_presvc term t3 then service set interfaces xe-0/1/0 unit 0 family inet service input service-set vrf_svcs service-filter in_filter_presvc set interfaces xe-0/1/0 unit 0 family inet service input post-service-filter in_filter_postsvc set interfaces xe-0/1/0 unit 0 family inet service output service-set vrf_svcs service-filter out_filter_presvc Configuring the Three Service Filters Step-by-Step Procedure To configure the three service filters: 1. copy the following commands into a text file. remove any line breaks. [edit] user@host# edit firewall family inet service-filter in_filter_presvc [edit firewall family inet service-filter in_filter_presvc] user@host# set term t1 from protocol tcp user@host# set term t1 from source-port bgp user@host# set term t1 then count svc_in_pkts user@host# set term t1 then service 2. Configure the input service filter. Juniper Networks.4 Firewall Filter and Policer Configuration Guide To configure this example. perform the following tasks: • • Configuring the Three Service Filters on page 244 Applying the Three Service Filters on page 246 CLI Quick Configuration To quickly configure this example. Inc. and then paste the commands into the CLI at the [edit] hierarchy level. [edit] user@host# edit firewall family inet service-filter in_filter_postsvc [edit firewall family inet service-filter in_filter_postsvc] user@host# set term t2 from protocol tcp user@host# set term t2 from source-port bgp user@host# set term t2 then count svc_in_pkts_rtn user@host# set term t2 then skip 3.Junos OS 11. . Configure the postservice input filter. [edit] user@host# edit firewall family inet service-filter out_filter_presvc 244 Copyright © 2011.

} then { count svc_in_pkts. Inc. service. } } } service-filter out_filter_presvc { term t3 { from { protocol icmp. repeat the instructions in this procedure to correct the configuration. 245 . [edit] user@host# show firewall family inet { service-filter in_filter_presvc { term t1 { from { protocol tcp. } } } service-filter in_filter_postsvc { term t2 { from { protocol tcp. If the command output does not display the intended configuration. destination-port bgp. } then { count svc_in_pkts_rtn. source-port bgp. } then { count svc_out_pkts. source-port bgp. } } } } Copyright © 2011. service.Chapter 6: Service Filter Configuration [edit firewall family inet service-filter out_filter_presvc] user@host# set term t3 from protocol icmp user@host# set term t3 from destination-port bgp user@host# set term t3 then count svc_out_pkts user@host# set term t3 then service Results Confirm the configuration of the input and output service filters and the postservice input filter by entering the show firewall configuration mode command. Juniper Networks. skip.

. • • • Verifying That Inbound Traffic Is Filtered Before Input Service on page 246 Verifying That Inbound Traffic Is Filtered After Input Service Processing on page 247 Verifying That Outbound Traffic Is Filtered Before Output Service Processing on page 247 Verifying That Inbound Traffic Is Filtered Before Input Service Purpose Verify that inbound packets sent from TCP port 179 are sent for processing by the input services associated with the service set vrf_svcs. [edit interfaces xe-0/1/0 unit 0 family inet] user@host# set service input service-set vrf_svcs service-filter in_filter_presvc user@host# set service input post-service-filter in_filter_postsvc user@host# set service output service-set vrf_svcs service-filter out_filter_presvc Results Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. } } } } } When you are done configuring the device. Juniper Networks. [edit] user@host# edit interfaces xe-0/1/0 unit 0 family inet 2.Junos OS 11. Apply the input service filter and the postservice input filter. post-service-filter in_filter_postsvc.0.4 Firewall Filter and Policer Configuration Guide Applying the Three Service Filters Step-by-Step Procedure To apply the three service filters: 1. commit your candidate configuration. [edit] user@host# show interfaces xe-0/1/0 { unit 0 { family inet { service { input { service-set vrf_svcs service-filter in_filter_presvc. 246 Copyright © 2011. Verification Confirm that the configuration is working properly. If the command output does not display the intended configuration. Access the IPv4 protocol on the input interface xe-0/1/0. } output { service-set vrf_svcs service-filter out_filter_presvc. Inc. repeat the instructions in this example to correct the configuration.

Display the count of packets returned from processing by the input services associated with the service set vrf_svcs.Chapter 6: Service Filter Configuration Action Display the count of packets sent for processing by the input services associated with the service set vrf_svcs. [edit] user@host> show firewall filter in_filter_postsvc-vrf_svcs counter svc_in_pkts_rtn Action Verifying That Outbound Traffic Is Filtered Before Output Service Processing Purpose Verify that outbound packets sent to ICMP port 179 are sent for processing by the output services associated with the service set vrf_svcs. Display the count of packets sent for processing by the output services associated with the service set vrf_svcs. 247 . Inc. Juniper Networks. [edit] user@host> show firewall filter out_filter_presvc-vrf_svcs counter svc_out_pkts Action Related Documentation • • • • Service Filter Overview on page 227 How Service Filters Evaluate Packets on page 228 Guidelines for Configuring Service Filters on page 230 Guidelines for Applying Service Filters on page 232 Copyright © 2011. [edit] user@host> show firewall filter in_filter_presvc-vrf_svcs counter svc_in_pkts Verifying That Inbound Traffic Is Filtered After Input Service Processing Purpose Verify that inbound packets sent from TCP port 179 are returned from processing by the input services associated with the service set vrf_svcs.

Juniper Networks.4 Firewall Filter and Policer Configuration Guide 248 Copyright © 2011.Junos OS 11. . Inc.

the policy framework software evaluates a packet as follows: • If the packet matches all the conditions. Juniper Networks. Copyright © 2011. Simple filters are recommended for metropolitan Ethernet applications.CHAPTER 7 Simple Filter Configuration • • • • • Simple Filter Overview on page 249 How Simple Filters Evaluate Packets on page 249 Guidelines for Configuring Simple Filters on page 251 Guidelines for Applying Simple Filters on page 254 Example: Configuring and Applying a Simple Filter on page 255 Simple Filter Overview Simple filters are supported on Gigabit Ethernet intelligent queuing 2 (IQ2) and Enhanced Queuing Dense Port Concentrator (DPC) interfaces only. 249 . the actions are taken. Related Documentation • • • • How Simple Filters Evaluate Packets on page 249 Guidelines for Configuring Simple Filters on page 251 Guidelines for Applying Simple Filters on page 254 Example: Configuring and Applying a Simple Filter on page 255 How Simple Filters Evaluate Packets This topic covers the following information: • • • • • Simple Filters That Contain a Single Term on page 249 Simple Filters That Contain Multiple Terms on page 250 Simple Filter Terms That Do Not Contain Any Match Conditions on page 250 Simple Filter Terms That Do Not Contain Any Actions on page 250 Simple Filter Default Action on page 250 Simple Filters That Contain a Single Term For a simple filter that consists of a single term. Inc.

• If the packet matches all the conditions in a term. the packet is discarded. . Related Documentation • • • • Simple Filter Overview on page 249 Guidelines for Configuring Simple Filters on page 251 Guidelines for Applying Simple Filters on page 254 Example: Configuring and Applying a Simple Filter on page 255 250 Copyright © 2011. the policy framework software evaluates a packet against the terms in the filter sequentially. the packet is accepted. Inc. Juniper Networks. • Simple Filter Terms That Do Not Contain Any Match Conditions For simple filters with a single term and for filters with multiple terms. Simple Filter Default Action Each simple filter has an implicit discard action at the end of the filter.Junos OS 11. and if the packet matches the conditions in the term. which is equivalent to including the following example term explicit_discard as the final term in the simple filter: term explicit_discard { then discard. it is discarded. the packet is accepted. } By default. if a term does not contain any match conditions. Any subsequent terms in the filter are not used. the actions in that term are performed and evaluation of the packet ends at that term. If the packet does not match all the conditions in the term. Simple Filter Terms That Do Not Contain Any Actions If a simple filter term does not contain any actions. If the packet does not match all the conditions. if a packet matches none of the terms in a simple filter. the actions are taken on any packet evaluated. • Simple Filters That Contain Multiple Terms For a simple filter that consists of multiple terms. beginning with the first term in the filter. until either the packet matches all the conditions in one of the terms or there are no more terms in the filter.4 Firewall Filter and Policer Configuration Guide • If the packet matches all the conditions and no actions are specified. evaluation of the packet proceeds to the next term in the filter.

[edit] firewall { family inet { simple-filter simple-filter-name { term term-name { from { match-conditions.Chapter 7: Simple Filter Configuration Guidelines for Configuring Simple Filters This topic covers the following information: • • • • • • • Statement Hierarchy for Configuring Simple Filters on page 251 Simple Filter Protocol Families on page 251 Simple Filter Names on page 251 Simple Filter Terms on page 252 Simple Filter Match Conditions on page 252 Simple Filter Terminating Actions on page 253 Simple Filter Nonterminating Actions on page 253 Statement Hierarchy for Configuring Simple Filters To configure a simple filter. and hyphens (-) and be up to 64 characters long. numbers. Simple Filter Names Under the family inet statement. No other protocol family is supported for simple filters. Simple Filter Protocol Families You can configure simple filters to filter IPv4 traffic (family inet) only. } } } } } Individual statements supported under the simple-filter simple-filter-name statement are described separately in this topic and are illustrated in the example of configuring and applying a simple filter. include the simple-filter simple-filter-name statement at the [edit firewall family inet] hierarchy level. The filter name can contain letters. Copyright © 2011. enclose the entire name in quotation marks (“ ”). Inc. you can include simple-filter simple-filter-name statements to create and name simple filters. } then { actions. Juniper Networks. To include spaces in the name. 251 .

class match condition. enclose the entire name in quotation marks (“ ”). only the last one is used. • • • • • Table 27 on page 252 lists the simple filter match conditions. • Simple filters do not support the next term action. By default. numbers. You must specify a unique name for each term within a firewall filter. you can configure source-port 400-500 or destination-port 600-700. Simple Filter Match Conditions Simple filter terms support only a subset of the IPv4 match conditions that are supported for standard stateless firewall filters. • • You must configure at least one term in a firewall filter. Simple filters do not support noncontiguous mask values. . Simple filters do not support multiple source addresses and destination addresses in a single term. simple filters do not support the forwarding. Firewall filter terms are evaluated in the order in which they are configured.4 Firewall Filter and Policer Configuration Guide Simple Filter Terms Under the simple-filter simple-filter-name statement. the following restrictions apply to simple filters: • On MX Series routers with the Enhanced Queuing DPC. If you configure multiple prefixes. only the last one is used. Table 27: Simple Filter Match Conditions Match Condition destination-address destination-address Description Match IP destination address. you can include term term-name statements to create and name filter terms. For example. If you configure multiple addresses. Juniper Networks. To include spaces in the name. Simple filters support only one source-address and one destination-address prefix for each filter term. and hyphens (-) and can be up to 64 characters long. such as the protocol-except match condition or the exception keyword. 252 Copyright © 2011. Unlike standard stateless firewall filters. new terms are always added to the end of the existing filter. The order in which you specify terms within a firewall filter configuration is important. You can use the insert configuration mode command to reorder the terms of a firewall filter. Simple filters do not support negated match conditions. Inc. Simple filters support a range of values for source-port and destination-port match conditions only. The term name can contain letters.Junos OS 11.

rsvp (46). who (513). ntalk (518). In place of the numeric value. protocol number IP protocol field. tcp (6).Chapter 7: Simple Filter Configuration Table 27: Simple Filter Match Conditions (continued) Match Condition destination-port number Description TCP or UDP destination port field. expedited-forwarding. eklogin (2105). snmp (161). krbupdate (760). or vrrp (112). printer (515). radacct (1813). netbios-ns (137). kpasswd (761). snpp (444). telnet (23). timed (525). egp (8). netbios-dgm (138). In place of the numeric field. best-effort. Juniper Networks. see the Junos OS Class of Service Configuration Guide. we recommend that you also configure the protocol match statement to determine which protocol is being used on the port. kerberos-sec (88). fragment (44). bgp (179). krb-prop (754). talk (517). radius (1812). you can specify one of the following text aliases (the port numbers are also listed): afs (1483). imap (143). gre (47). tftp (69). biff (512). ekshell (2106). snmptrap (162). bootpc (68). you can specify one of the following text aliases (the field values are also listed): ah (51). ftp (21). tacacs-ds (65). Terms configured in a simple filter always accept packets. Simple filters do not support the next action. or xdmcp (177). syslog (514). dstopts (60). pop3 (110). cmd (514). igmp (2). and discard. nntp (119). https (443). socks (1080). msdp (639). dhcp (67). Simple Filter Nonterminating Actions Simple filters support only the following nonterminating actions: • forwarding-class (forwarding-class | assured-forwarding |best-effort | expedited-forwarding | network-control) Copyright © 2011. bootps (67). ntp (123). pim (103). ssh (22). icmp (1). ident (113). sctp (132). or network-control. icmpv6 (58). Inc. cvspserver (2401). http (80). 253 . forwarding-class class Match the forwarding class of the packet. nfsd (2049). reject. we recommend that you also configure the protocol match statement to determine which protocol is being used on the port. you can specify one of the text aliases listed for destination-port. mobilip-mn (435). netbios-ssn (139). udp (17). In place of the numeric value. pptp (1723). klogin (543). ospf (89). sunrpc (111). source-address ip-source-address source-port number Match the UDP or TCP source port field. ipv6 (41). icmp6 (58). Specify assured-forwarding. Match the IP source address. Simple Filter Terminating Actions Simple filters do not support explicitly configurable terminating actions. esp (50). exec (512). ftp-data (20). domain (53). kshell (544). hop-by-hop (0). rkinit (2108). mobileip-agent (434). If you configure this match condition. For information about forwarding classes and router-internal output queues. finger (79). such as accept. smtp (25). If you configure this match condition. rip (520). ipip (4). ldap (389). login (513).

the forwarding class is not supported as a from match condition. sampling the packet data. or sending information to a remote host using the system log functionality). } } } } } Restrictions for Applying Simple Filters You can apply a simple filter to the ingress IPv4 traffic at a logical interface configured on the following hardware only: • Gigabit Ethernet intelligent queuing (IQ2) PICs installed on M120. Inc. [edit] interfaces { interface-name { unit logical-unit-number { family inet { simple-filter { input filter-name. • loss-priority (high | low | medium-high | medium-low) Simple filters do not support actions that perform other functions on a packet (such as incrementing a counter. Enhanced Queuing Dense Port Concentrators (EQ DPCs) installed on MX Series routers. or T Series routers.4 Firewall Filter and Policer Configuration Guide NOTE: On the MX Series routers with the Enhanced Queuing DPC. M320.Junos OS 11. Juniper Networks. logging information about the packet header. Related Documentation • • • • Simple Filter Overview on page 249 How Simple Filters Evaluate Packets on page 249 Guidelines for Applying Simple Filters on page 254 Example: Configuring and Applying a Simple Filter on page 255 Guidelines for Applying Simple Filters This topic covers the following information: • • Statement Hierarchy for Applying Simple Filters on page 254 Restrictions for Applying Simple Filters on page 254 Statement Hierarchy for Applying Simple Filters You can apply a simple filter to the IPv4 ingress traffic at a logical interface by including the simple-filter input simple-filter-name statement at the [edit interfaces interface-name unit unit-number family inet] hierarchy level. • 254 Copyright © 2011. .

You can apply simple filters to ingress traffic only. on which EQ DPCs are supported. M320. No other protocol family is supported. see the Junos OS Class of Service Configuration Guide. For more information about configuring the MX Series routers. see the Junos OS Layer 2 Configuration Guide. • • • • Requirements on page 255 Overview on page 256 Configuration on page 256 Verification on page 258 Requirements This example uses one of the following hardware components: • One Gigabit Ethernet intelligent queuing (IQ2) PIC installed on an M120. You can apply simple filters to family inet traffic only. make sure that you have: • Installed your supported router and PIC or DPC and performed the initial router configuration.0. • Copyright © 2011. You can apply only a single simple filter to a supported logical interface. Configured basic Ethernet in the topology. and verified that traffic is flowing in the topology and that ingress IPv4 traffic is flowing into logical interface ge-0/0/1.Chapter 7: Simple Filter Configuration For more information about Ethernet IQ2 PICs and EQ DPCs and related features. Inc. Juniper Networks. Simple filters are not supported for interfaces in an aggregated-Ethernet bundle. including Enhanced Queuing MPC interfaces. or T Series router One Enhanced Queuing Dense Port Concentrator (EQ DPC) installed on an MX Series router • Before you begin. 255 . Simple Filter Overview on page 249 How Simple Filters Evaluate Packets on page 249 Guidelines for Configuring Simple Filters on page 251 Example: Configuring and Applying a Simple Filter on page 255 • • • • Related Documentation • • • • Example: Configuring and Applying a Simple Filter This example shows how to configure a simple filter. The following additional restrictions pertain to applying simple filters: • Simple filters are not supported on Modular Port Concentrator (MPC) interfaces. Input lists are not supported. Egress traffic is not supported.

For information about navigating the CLI.4 Firewall Filter and Policer Configuration Guide Overview This simple filter sets the loss priority to low for TCP traffic with source address 1. To configure this example. perform the following tasks: • • Configuring the Simple Firewall Filter on page 256 Applying the Simple Filter to the Logical Interface Input on page 258 CLI Quick Configuration To quickly configure this example.1. and sets the loss priority to low for all traffic with destination address 6.1.6.0. copy the following commands into a text file.Junos OS 11.6.1/32 user@host# set term 1 from protocol tcp user@host# set term 1 then loss-priority low 256 Copyright © 2011. Topology The simple filter is applied as an input filter (arriving packets are checking for destination address 6. remove any line breaks.3/30 Configuring the Simple Firewall Filter Step-by-Step Procedure To configure the simple filter: 1.0.0/8 range. Inc. Juniper Networks.6. Configure classification of TCP traffic based on the source IP address. not queued output packets) on interface ge-0/0/1.1.1.2.0. [edit firewall family inet simple-filter sf_classify_1] user@host# set term 1 from source-address 1.1.6.1/32 set firewall family inet simple-filter sf_classify_1 term 1 from protocol tcp set firewall family inet simple-filter sf_classify_1 term 1 then loss-priority low set firewall family inet simple-filter sf_classify_1 term 2 from source-address 4.0/8 set firewall family inet simple-filter sf_classify_1 term 2 from protocol tcp set firewall family inet simple-filter sf_classify_1 term 2 from source-port http set firewall family inet simple-filter sf_classify_1 term 2 then loss-priority high set firewall family inet simple-filter sf_classify_1 term 3 from destination-address 6. Create the simple filter sf_classify_1. see “Using the CLI Editor in Configuration Mode” on page 15. [edit] user@host# edit firewall family inet simple-filter sf_classify_1 2. sets the loss priority to high for HTTP (Web) traffic with source addresses in the 4. Configuration The following example requires you to navigate various levels in the configuration hierarchy.0.6.1.1.6/32 set firewall family inet simple-filter sf_classify_1 term 3 then loss-priority low set firewall family inet simple-filter sf_classify_1 term 3 then forwarding-class best-effort set interfaces ge-0/0/1 unit 0 family inet simple-filter input sf_classify_1 set interfaces ge-0/0/1 unit 0 family inet address 10. .6. set firewall family inet simple-filter sf_classify_1 term 1 from source-address 1. and then paste the commands into the CLI at the [edit] hierarchy level.6.6.1.0.

0.6/32. Copyright © 2011.0. Configure classification of other traffic based on the destination IP address. } } then loss-priority low. } } then loss-priority high.6.1/32.1.1.0. } } then { loss-priority low. Configure classification of HTTP traffic based on the source IP address. [edit] user@host# show firewall family inet { simple-filter sf_classify_1 { term 1 { from { source-address { 1. 257 .6.6. [edit firewall family inet simple-filter sf_classify_1] user@host# set term 2 from source-address 4. } term 3 { from { destination-address { 6. Juniper Networks.6/32 user@host# set term 3 then loss-priority low user@host# set term 3 then forwarding-class best-effort Results Confirm the configuration of the simple filter by entering the show firewall configuration mode command.0. [edit firewall family inet simple-filter sf_classify_1] user@host# set term 3 from destination-address 6. If the command output does not display the intended configuration. } protocol { tcp. Inc. } source-port { http. repeat the instructions in this example to correct the configuration.Chapter 7: Simple Filter Configuration 3.6.0/8 user@host# set term 2 from protocol tcp user@host# set term 2 from source-port http user@host# set term 2 then loss-priority high 4. } term 2 { from { source-address { 4. } protocol { tcp.0/8.

[edit] user@host# show interfaces ge-0/0/1 { unit 0 { family inet { simple-filter { input sf_classify_1. } } } } Applying the Simple Filter to the Logical Interface Input Step-by-Step Procedure To apply the simple filter to the logical interface input: 1.2. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set simple-filter input sf_classify_1 Results Confirm the configuration of the interface by entering the show interfaces configuration mode command.Junos OS 11.2. . } address 10.3/30. Inc. If the command output does not display the intended configuration. [edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10.1. Juniper Networks. repeat the instructions in this example to correct the configuration. [edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet 2. • Displaying the Mapping of Forwarding Class Maps and Names to Queue Numbers on page 259 Displaying CoS Queue Counters for the Interface on page 259 Displaying CoS Queue Counter Details for the Physical Interface on page 259 • • 258 Copyright © 2011. } } } When you are done configuring the device.4 Firewall Filter and Policer Configuration Guide forwarding-class best-effort. Verification Confirm that the configuration is working properly. Configure the logical interface to which you will apply the simple filter. Apply the simple filter to the logical interface input.3/30 3.1. commit your candidate configuration. Configure the interface address for the logical interface.

Displaying CoS Queue Counter Details for the Physical Interface Purpose Verify that the CoS queue counter details for the physical interface reflect the simple filter applied to the logical interface. Enter the show interfaces command for the physical interface on which the simple filter is applied. see “show interfaces (Gigabit Ethernet)” or “show interfaces (10-Gigabit Ethernet)” in the Junos OS Interfaces Command Reference. Juniper Networks. [edit] user@host> show interfaces ge-0/0/1 detail Action In the Physical interface section. 259 . [edit] user@host> show interfaces queue ge-0/0/1 ingress Action For information about the command output. and specify detail or extensive output level. [edit] user@host> show class-of-service forwarding-class For information about the command output. For more detailed information about the command output. see “show interfaces queue” in the Junos OS Interfaces Command Reference. Enter the show interfaces queue command for the physical interface on which the simple filter is applied. Displaying CoS Queue Counters for the Interface Purpose Verify that the class-of-service (CoS) queue counters for the interface reflect the simple filter applied to the logical interface.Chapter 7: Simple Filter Configuration Displaying the Mapping of Forwarding Class Maps and Names to Queue Numbers Purpose Action Display the mapping of forwarding class names to queue numbers. under Ingress queues. and specify the ingress option. Related Documentation • • • • Simple Filter Overview on page 249 How Simple Filters Evaluate Packets on page 249 Guidelines for Configuring Simple Filters on page 251 Guidelines for Applying Simple Filters on page 254 Copyright © 2011. see “show class-of-service forwarding-class” in the Junos OS System Basics and Services Command Reference. Inc. the Queue counters section displays ingress queue counters for each forwarding class. Enter the show class-of-service forwarding-class operational mode command.

Inc.4 Firewall Filter and Policer Configuration Guide 260 Copyright © 2011.Junos OS 11. . Juniper Networks.

Copyright © 2011. logical systems offer an effective way to maximize the use of a single router. you can partition a single physical router into multiple logical devices that perform independent routing tasks. you must define the filter in the firewall stanza at the [edit logical-systems logical-system-name] hierarchy level. Stateless Firewall Filters in Logical Systems You can configure a separate set of stateless firewall filters for each logical system on a router. Juniper Networks. Because logical systems perform a subset of the tasks once handled by the physical router.CHAPTER 8 Stateless Firewall Filter Configuration in Logical Systems • • • • • • • Stateless Firewall Filters in Logical Systems Overview on page 261 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 References from a Firewall Filter in a Logical System to Subordinate Objects on page 265 References from a Firewall Filter in a Logical System to Nonfirewall Objects on page 266 References from a Nonfirewall Object in a Logical System to a Firewall Filter on page 268 Restrictions for Stateless Firewall Filters in Logical Systems on page 273 Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods on page 279 Stateless Firewall Filters in Logical Systems Overview This topic covers the following information: • • • Logical Systems on page 261 Stateless Firewall Filters in Logical Systems on page 261 Identifiers for Firewall Objects in Logical Systems on page 262 Logical Systems With the Junos OS. and you must apply the filter to a logical interface that is also configured at the [edit logical-systems logical-system-name] hierarchy level. To configure a filter in a logical system. Inc. 261 .

operational show commands and firewall-related SNMP MIB objects include a __logical-system-name/ prefix in the object name. include the filter. Inc. from { match-conditions. For example. 262 Copyright © 2011. Related Documentation • • • • • Stateless Firewall Filter Types on page 6 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 Unsupported Firewall Filter Statements for Logical Systems on page 273 Unsupported Actions for Firewall Filters in Logical Systems on page 275 Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods on page 279 “Introduction to Logical Systems” in the Junos OS Logical Systems Configuration Guide ”Logical Systems Operations and Restrictions” in the Junos OS Logical Systems Configuration Guide • • Guidelines for Configuring and Applying Firewall Filters in Logical Systems This topic covers the following information: • • • • • • Statement Hierarchy for Configuring Firewall Filters in Logical Systems on page 262 Filter Types in Logical Systems on page 263 Firewall Filter Protocol Families in Logical Systems on page 263 Firewall Filter Match Conditions in Logical Systems on page 264 Firewall Filter Actions in Logical Systems on page 264 Statement Hierarchy for Applying Firewall Filters in Logical Systems on page 264 Statement Hierarchy for Configuring Firewall Filters in Logical Systems To configure a firewall filter in a logical system. term term-name { filter filter-name. firewall objects configured under the ls1 logical system include __ls1/ as the prefix. service-filter. or simple-filter statement at the [edit logical-systems logical-system-name firewall family family-name] hierarchy level. [edit] logical systems { logical-system-name { firewall { family family-name { filter filter-name { interface-specific. physical-interface-filter. .4 Firewall Filter and Policer Configuration Guide Identifiers for Firewall Objects in Logical Systems To identify firewall objects configured under logical systems.Junos OS 11. Juniper Networks.

Copyright © 2011. term term-name { from { match-conditions. } then { actions. } then { actions. } } } } } } } Filter Types in Logical Systems There are no special restrictions on the types of stateless firewall filter types that you can configure in logical systems. } } } simple-filter filter-name { # For ’family inet’ only. term term-name { from { match-conditions. Juniper Networks. 263 .Chapter 8: Stateless Firewall Filter Configuration in Logical Systems } then { actions. In a logical system. } } } service-filter filter-name { # For ’family inet’ or ’family inet6’ only. you can use the same types of stateless firewall filters that are available on a physical router: • • • Standard stateless firewall filters Service filters Simple filters Firewall Filter Protocol Families in Logical Systems There are no special restrictions on the protocol families supported with stateless firewall filters in logical systems. Inc.

input-list [ filter-names ]. MPLS. Firewall Filter Actions in Logical Systems There are no special restrictions on the actions supported with stateless firewall filters in logical systems. MPLS-tagged IPv4. fail-filter filter-name. output-list [ filter-names ] } rpf-check { # For ’family inet’ or ’family inet6’ only. Layer 2 circuit cross-connection. Statement Hierarchy for Applying Firewall Filters in Logical Systems To apply a firewall filter in a logical system. include the filter filter-name. or simple-filter simple-filter-name statement to a logical interface in the logical system. Service filters—In logical systems. IPv6. • • Firewall Filter Match Conditions in Logical Systems There are no special restrictions on the match conditions supported with stateless firewall filters in logical systems. } service { # For ’family inet’ or ’family inet6’ only. post-service-filter service-filter-name. input filter-name.4 Firewall Filter and Policer Configuration Guide In a logical system. Simple filters—In logical systems. The following configuration shows the hierarchy levels at which you can apply the statements: [edit] logical-systems logical-system-name { interfaces { interface-name { unit logical-unit-number { family family-name { filter { group group-name. service-filter service-filter-name. Juniper Networks. output filter-name. } } 264 Copyright © 2011. VPLS. input { service-set service-set-name <service-filter service-filter-name>. you can filter IPv4 traffic only. . IPv4. and Layer 2 bridging. } output { service-set service-set-name <service-filter service-filter-name>. mode loose.Junos OS 11. you can filter IPv4 and IPv6 traffic. Inc. you can filter the following traffic types: protocol-independent. • Standard stateless firewall filters—In logical systems. you can filter the same protocol families as you can on a physical router.

} } } } } } Related Documentation • • • • • Stateless Firewall Filters in Logical Systems Overview on page 261 References from a Firewall Filter in a Logical System to Subordinate Objects on page 265 References from a Firewall Filter in a Logical System to Nonfirewall Objects on page 266 References from a Nonfirewall Object in a Logical System to a Firewall Filter on page 268 Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods on page 279 Unsupported Firewall Filter Statements for Logical Systems on page 273 Unsupported Actions for Firewall Filters in Logical Systems on page 275 • • References from a Firewall Filter in a Logical System to Subordinate Objects This topic covers the following information: • • Resolution of References from a Firewall Filter to Subordinate Objects on page 265 Valid Reference from a Firewall Filter to a Subordinate Object on page 265 Resolution of References from a Firewall Filter to Subordinate Objects If a firewall filter defined in a logical system references a subordinate object (for example. 265 . the firewall filter and the policer must be configured under the same [edit logical-systems logical-system-name firewall] hierarchy level. the firewall filter filter1 references the policer pol1. Inc. Both filter1 and pol1 are defined under the same firewall object.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems simple-filter { # For ’family inet’ only. a policer or prefix list). that subordinate object must be defined within the firewall stanza of the same logical system. This rule applies even if the same policer is configured under the main firewall configuration or if the same policer is configured as part of a firewall in another logical system. [edit] logical systems { ls-A { firewall { policer pol1 { if-exceeding { Copyright © 2011. if a firewall filter configuration references a policer. For example. If pol1 had been defined under another firewall object. the configuration would not be valid. This configuration is valid. input simple-filter-name. Valid Reference from a Firewall Filter to a Subordinate Object In this example. Juniper Networks.

266 Copyright © 2011. Juniper Networks. . } then discard.4 Firewall Filter and Policer Configuration Guide bandwidth-limit 401k. However. there are cases when the configuration of the referenced object is not supported at the [edit logical-systems logical-system-name] hierarchy level. } } } } } Related Documentation • • • • Stateless Firewall Filters in Logical Systems Overview on page 261 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 References from a Firewall Filter in a Logical System to Nonfirewall Objects on page 266 References from a Nonfirewall Object in a Logical System to a Firewall Filter on page 268 References from a Firewall Filter in a Logical System to Nonfirewall Objects This topic covers the following information: • • Resolution of References from a Firewall Filter to Nonfirewall Objects on page 266 Valid Reference to a Nonfirewall Object Outside of the Logical System on page 267 Resolution of References from a Firewall Filter to Nonfirewall Objects In many cases. } then policer pol1.2. } then { reject host-unknown. the referenced object must be defined under the same logical system as the referencing object. a firewall configuration references objects outside the firewall configuration. } } term two { from { source-address 12. As a general rule. } filter filter1 { term one { from { source-address 12.0/16.0.1. burst-size-limit 50k.0/16.0.Junos OS 11. Inc.

0/16. In the following scenario.0. Because service rules cannot be configured in logical systems.2. 1.0. [edit] logical-systems { ls-B { interfaces { fe-0/3/2 { unit 0 { family inet { service { input { service-set fred service-filter inetsf1. family inet { filter filter1 { term one { from { source-address { 12. Juniper Networks.1.0. which is on an adaptive services interface. Service set fred is defined at the main services hierarchy level.0/16.0.0. Inc. firewall filter configurations in the [edit logical-systems logical-system logical-system-name] hierarchy are allowed to reference service sets outside the logical system hierarchy. } } then { reject host-unknown. } } } } } } policy-options { prefix-list prefix1 { 1. } } firewall { # Under logical-system ’ls-B’.3. • • Service filter inetsf1 is defined in ls-B and references prefix list prefix1. } } term two { Copyright © 2011. 267 . and the policy framework software searches the [edit services] hierarchy for the definition of the fred service set. the service filter inetsf1 is applied to IPv4 traffic associated with the service set fred at the logical interface fe-0/3/2.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems Valid Reference to a Nonfirewall Object Outside of the Logical System This example configuration illustrates an exception to the general rule that the objects referenced by a firewall filter in a logical system must be defined under the same logical system as the referencing object.1. 1.0/16.0/16.

Juniper Networks. } then discard. service-set fred { max-flows 100. } } } policer pol1 { if-exceeding { bandwidth-limit 401k.0. . } } then count prefix1. burst-size-limit 50k.2.0/16.Junos OS 11. } } then policer pol1.4 Firewall Filter and Policer Configuration Guide from { source-address { 12. Inc. } } } } # End of logical systems configuration. services { # Main services hierarchy level.0. } } service-filter inetsf1 { term term1 { from { source-prefix-list { prefix1. interface-service { service-interface sp-1/2/0. } } } Related Documentation • • • • Stateless Firewall Filters in Logical Systems Overview on page 261 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 References from a Firewall Filter in a Logical System to Subordinate Objects on page 265 References from a Nonfirewall Object in a Logical System to a Firewall Filter on page 268 References from a Nonfirewall Object in a Logical System to a Firewall Filter This topic covers the following information: • • • • Resolution of References from a Nonfirewall Object to a Firewall Filter on page 269 Invalid Reference to a Firewall Filter Outside of the Logical System on page 269 Valid Reference to a Firewall Filter Within the Logical System on page 270 Valid Reference to a Firewall Filter Outside of the Logical System on page 272 268 Copyright © 2011.

269 . • • Filter filter1 is defined in ls-C. the policy framework software resolves references to and from firewall filters by searching the [edit logical systems ls-C firewall] hierarchy level. the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2. } } } } } firewall { # Under logical system ’ls-C’. } then { reject host-unknown. the reference from fe-0/3/2. In the following scenario. the policy framework software searches the [edit logical-systems logical-system-name firewall] hierarchy level. family inet { filter filter1 { term one { from { source-address 12.0 in the logical system to fred in the main firewall configuration cannot be resolved. If the nonfirewall filter object is configured in a logical system that does not include any firewall filter configuration statements. Because ls-C contains firewall filter statements (for filter1). Copyright © 2011. [edit] logical-systems { ls-C { interfaces { fe-0/3/2 { unit 0 { family inet { filter { input-list [ filter1 fred ].0 in the logical system ls-C.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems Resolution of References from a Nonfirewall Object to a Firewall Filter If a nonfirewall filter object in a logical system references an object in a firewall filter configured in a logical system. • Invalid Reference to a Firewall Filter Outside of the Logical System This example configuration illustrates an unresolvable reference from a nonfirewall object in a logical system to a firewall filter. the policy framework software searches the firewall configurations defined at the [edit firewall] hierarchy level. Consequently. Firewall filter configurations that belong to other logical systems or to the main [edit firewall] hierarchy level are not searched. Juniper Networks. the reference is resolved using the following logic: • If the nonfirewall filter object is configured in a logical system that includes firewall filter configuration statements.0.1. Inc. Filter fred is defined in the main firewall configuration.0/16.

4 Firewall Filter and Policer Configuration Guide } } term two { from { source-address 12. } } } } } # End of main firewall configurations.Junos OS 11. Consequently.0. } then policer pol1. } } } } # End of logical systems firewall { # Under the main firewall hierarchy level family inet { filter fred { term one { from { source-address 11.0/16. } } } policer pol1 { if-exceeding { bandwidth-limit 401k. } then discard.2. the references from fe-0/3/2. .1. the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2. Inc. In the following scenario.0 in the logical system to filter1 and fred use the stateless firewall filters configured in ls-C. reject host-unknown. } then { log. Juniper Networks.0 in the logical system ls-C. [edit] logical-systems { ls-C { interfaces { 270 Copyright © 2011. burst-size-limit 50k. Because ls-C contains firewall filter statements.0/16. Filter fred is defined in ls-C and also in the main firewall configuration. the policy framework software resolves references to and from firewall filters by searching the [edit logical systems ls-C firewall] hierarchy level.0. Valid Reference to a Firewall Filter Within the Logical System This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filter. • • Filter filter1 is defined in ls-C.

firewall { # Main firewall filter hierarchy level family inet { filter fred { term one { from { source-address 11.0/16. Copyright © 2011. } } } } policer pol1 { if-exceeding { bandwidth-limit 401k. family inet { filter filter1 { term one { from { source-address 12. Juniper Networks.1. 271 . } then discard. } then policer pol1. } } filter fred { # This ’fred’ is in ’ls-C’. reject host-unknown.0. } } term two { from { source-address 12. } } } } # End of logical systems configurations. } } } } } firewall { # Under logical system ’ls-C’.0/16.0.0. term one { from { source-address 10. } then { reject host-unknown. } then { log. burst-size-limit 50k.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems fe-0/3/2 { unit 0 { family inet { filter { input-list [ filter1 fred ].0.2.0/16. Inc.1.1.0/16.

} } } } } } } # End of logical systems configurations. the references from fe-0/3/2. • • Filter filter1 is defined in the main firewall configuration.2. 272 Copyright © 2011. Valid Reference to a Firewall Filter Outside of the Logical System This example configuration illustrates resolvable references from a nonfirewall object in a logical system to two firewall filter. family inet { filter filter1 { term one { from { source-address 12. . the stateless firewall filters filter1 and fred are applied to the logical interface fe-0/3/2.0/16.0 in the logical system ls-C. Because ls-C does not contain any firewall filter statements.0 in the logical system to filter1 and fred use the stateless firewall filters configured in the main firewall configuration. Inc. } then { reject host-unknown. } } term two { from { source-address 12. [edit] logical-systems { ls-C { interfaces { fe-0/3/2 { unit 0 { family inet { filter { input-list [ filter1 fred ].0.Junos OS 11. Juniper Networks.0/16. In the following scenario. Consequently. firewall { # Main firewall hierarchy level.0. reject host-unknown. the policy framework software resolves references to and from firewall filters by searching the [edit firewall] hierarchy level.4 Firewall Filter and Policer Configuration Guide } then { log. } } } } } # End of main firewall configurations. Filter fred is defined in the main firewall configuration.1.

Copyright © 2011. } } } } policer pol1 { if-exceeding { bandwidth-limit 701k.1.0/16. Juniper Networks. 273 . Inc. } then discard. Related Documentation • • • • Stateless Firewall Filters in Logical Systems Overview on page 261 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 References from a Firewall Filter in a Logical System to Subordinate Objects on page 265 References from a Firewall Filter in a Logical System to Nonfirewall Objects on page 266 Restrictions for Stateless Firewall Filters in Logical Systems • • Unsupported Firewall Filter Statements for Logical Systems on page 273 Unsupported Actions for Firewall Filters in Logical Systems on page 275 Unsupported Firewall Filter Statements for Logical Systems Table 28 on page 274 shows statements that are supported at the [edit firewall] hierarchy level but not at the [edit logical-systems logical-system-name firewall] hierarchy level. reject host-unknown. } then { log. burst-size-limit 70k.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems } then policer pol1. } } filter fred { term one { from { source-address 11.0. } } # End of main firewall configurations.

Currently. } } } } Description In this example. } } } } [edit] logical-systems { ls1 { firewall { load-balance-group lb-group { next-hop-group nh-group. the accounting-profile statement is not allowed because the accounting profile fw-profile is configured under the [edit accounting-options] hierarchy. . Juniper Networks.. the hierarchical policer statement requires a class-of-service configuration.Junos OS 11. Inc. accept..4 Firewall Filter and Policer Configuration Guide Table 28: Unsupported Firewall Statements for Logical Systems Statement accounting-profile Example [edit] logical-systems { ls1 { firewall { family inet { filter myfilter { accounting-profile fw-profile. which is not supported under logical systems. . load-balance-group This configuration is not allowed because the next-hop-group nh-group statement must be configured at the [edit forwarding-options next-hop-group] hierarchy level—outside the [edit logical-systems logical-system-name firewall] hierarchy. 274 Copyright © 2011... term accept-all { then { count counter1. the forwarding-options dhcp-relay statement is the only forwarding option supported for logical systems. } } } } } } } [edit] logical-systems { lr1 { firewall { hierarchical-policer { . hierarchical-policer In this example.

} } } } } } } Description This configuration is not allowed because the virtual channel sammy refers to an object defined at the [edit class-of-service] hierarchy level.0. Inc. } then { virtual-channel sammy. and class of service is not supported for logical systems.0/16. Table 29: Unsupported Actions for Firewall Filters in Logical Systems Firewall Filter Action Example Description Terminating Actions Not Supported in a Logical System Copyright © 2011. 275 . Juniper Networks.1. provided the firewall filter is configured outside of a logical-system. Related Documentation • • • • • Stateless Firewall Filters in Logical Systems Overview on page 261 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 Unsupported Actions for Firewall Filters in Logical Systems on page 275 “Introduction to Logical Systems” in the Junos OS Logical Systems Configuration Guide “Logical Systems Operations and Restrictions” in the Junos OS Logical Systems Configuration Guide Unsupported Actions for Firewall Filters in Logical Systems Table 29 on page 275 describes the firewall filter actions that are supported at the [edit firewall] hierarchy level. NOTE: The virtual-channel statement is supported for J Series devices only.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems Table 28: Unsupported Firewall Statements for Logical Systems (continued) Statement virtual-channel Example [edit] logical-systems { ls1 { firewall { family inet { filter foo { term one { from { source-address 10. but not supported at the [edit logical-systems logical-system-name firewall] hierarchy level.

0. } } } } } } } Description Because the logical-system action refers to fred—a logical system defined outside the local logical system—.0. this action is not supported. } then { ipsec-sa barney.1. } then { logical-system fred. 276 Copyright © 2011.1.4 Firewall Filter and Policer Configuration Guide Table 29: Unsupported Actions for Firewall Filters in Logical Systems (continued) Firewall Filter Action logical-system Example [edit] logical-systems { ls1 { firewall { family inet { filter foo { term one { from { source-address 10. Nonterminating Actions Not Supported in a Logical System ipsec-sa [edit] logical-systems { ls1 { firewall { family inet { filter foo { term one { from { source-address 10. . Juniper Networks.0/16. Inc.0/16.Junos OS 11. } } } } } } } Because the ipsec-sa action modifier references barney—a security association defined outside the local logical system—this action is not supported.

Chapter 8: Stateless Firewall Filter Configuration in Logical Systems Table 29: Unsupported Actions for Firewall Filters in Logical Systems (continued) Firewall Filter Action next-hop-group Example [edit] logical-systems { ls1 { firewall { family inet { filter foo { term one { from { source-address 10. port-mirror Because the port-mirror action relies on a configuration defined at the [edit forwarding-options port-mirroring] hierarchy level. } } } } } } } [edit] logical-systems { ls1 { firewall { family inet { filter foo { term one { from { source-address 10.1.0/16. } } } } } } } Description Because the next-hop-group action refers to fred—an object defined at the [edit forwarding-options next-hop-group] hierarchy level—this action is not supported. Inc.0/16.1. Copyright © 2011. 277 .0. this action is not supported.0. } then { port-mirror. } then { next-hop-group fred. Juniper Networks.

the sample action depends on the sampling configuration defined under the [edit forwarding-options] hierarchy. Inc.1. } then { sample. } } } } } } } [edit] logical-systems { ls1 { firewall { family inet { filter icmp-syslog { term icmp-match { from { address { 192. accept.4 Firewall Filter and Policer Configuration Guide Table 29: Unsupported Actions for Firewall Filters in Logical Systems (continued) Firewall Filter Action sample Example [edit] logical-systems { ls1 { firewall { family inet { filter foo { term one { from { source-address 10. . syslog. the syslog action modifier is not supported. Related Documentation • • • • Stateless Firewall Filters in Logical Systems Overview on page 261 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 Unsupported Firewall Filter Statements for Logical Systems on page 273 “Introduction to Logical Systems” in the Junos OS Logical Systems Configuration Guide 278 Copyright © 2011.222/32. Because this firewall configuration relies on a configuration outside the logical system.0/16.Junos OS 11. } protocol icmp. Juniper Networks.0. } then { count packets. } } } } } } Description In this example.207. syslog In this example. the sample action is not supported. Therefore. } } term default { then accept. there must be at least one system log (system syslog file filename) with the firewall facility enabled for the icmp-syslog filter's logs to be stored.168.

The icmp-policer limits the traffic rate of the ICMP packets to 1. Figure 3: Logical System with a Stateless Firewall Router 1 LS1 so-0/0/2 10.0.0.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems • ”Logical Systems Operations and Restrictions” in the Junos OS Logical Systems Configuration Guide Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods This example shows how to configure a stateless firewall filter that protects against ICMP denial-of-service attacks on a logical system. Inc. In this example.000 bps and the burst size to 15. • • • • Requirements on page 279 Overview on page 279 Configuration on page 280 Verification on page 281 Requirements In this example. The policer is incorporated into the action of a filter term called icmp-term.2/30 so-0/0/2 10. a ping is sent from a directly connected physical router to the interface configured on the logical system. The logical system accepts the ICMP packets if they are received at a rate of up to 1 Mbps (bandwidth-limit). all packets are dropped. no special configuration beyond device initialization is required. The burst-size-limit statement accepts traffic bursts up to 15 Kbps.000 bytes. The logical system drops all ICMP packets when this rate is exceeded. ICMP packets are again accepted.1/30 R2 Copyright © 2011.45.45. g040571 279 . Figure 3 on page 279 shows the topology used in this example. Packets that exceed the traffic rate are discarded. Overview This example shows a stateless firewall filter called protect-RE that polices ICMP packets. If bursts exceed this limit. When the flow rate subsides.000. Juniper Networks.

45.4 Firewall Filter and Policer Configuration Guide Configuration CLI Quick Configuration To quickly configure this example.Junos OS 11.2/30 2. copy the following commands. Configure the interface on the logical system. and then copy and paste the commands into the CLI at the [edit] hierarchy level. Apply the policer to a filter term. [edit] user@host# set logical-systems LS1 firewall family inet filter protect-RE term icmp-term from protocol icmp user@host# set logical-systems LS1 firewall family inet filter protect-RE term icmp-term then accept 3. . Explicitly enable ICMP packets to be received on the interface.45. [edit] 280 Copyright © 2011. Juniper Networks. For information about navigating the CLI. set logical-systems LS1 interfaces so-0/0/2 unit 0 family inet policer input icmp-policer set logical-systems LS1 interfaces so-0/0/2 unit 0 family inet address 10. Inc. [edit] user@host# set logical-systems LS1 interfaces so-0/0/2 unit 0 family inet address 10.0. To configure an ICMP firewall filter on a logical system: 1. [edit] user@host# set logical-systems LS1 firewall family inet filter protect-RE term icmp-term then policer icmp-policer 5. paste them into a text file. remove any line breaks.0. Apply the policer to the logical system interface. Create the policer.2/30 set logical-systems LS1 firewall family inet filter protect-RE term icmp-term from protocol icmp set logical-systems LS1 firewall family inet filter protect-RE term icmp-term then policer icmp-policer set logical-systems LS1 firewall family inet filter protect-RE term icmp-term then accept set logical-systems LS1 firewall policer icmp-policer if-exceeding bandwidth-limit 1m set logical-systems LS1 firewall policer icmp-policer if-exceeding burst-size-limit 15k set logical-systems LS1 firewall policer icmp-policer then discard Step-by-Step Procedure The following example requires you to navigate various levels in the configuration hierarchy. see “Using the CLI Editor in Configuration Mode” on page 15 in the Junos OS CLI User Guide. change any details necessary to match your network configuration. [edit] user@host# set logical-systems LS1 firewall policer icmp-policer if-exceeding bandwidth-limit 1m user@host# set logical-systems LS1 firewall policer icmp-policer if-exceeding burst-size-limit 15k user@host# set logical-systems LS1 firewall policer icmp-policer then discard 4.

} } } } policer icmp-policer { if-exceeding { bandwidth-limit 1m. Log in to a system that has connectivity to the logical system and run the ping command. } } Verification Confirm that the configuration is working properly. burst-size-limit 15k. 281 . Inc. accept. Verifying That Ping Works Unless the Limits Are Exceeded Purpose Action Make sure that the logical system interface is protected against ICMP-based DoS attacks. } address 10. user@host# show logical-systems LS1 interfaces { so-0/0/2 { unit 0 { family inet { policer { input icmp-policer. } } } } firewall { family inet { filter protect-RE { term icmp-term { from { protocol icmp. Copyright © 2011. commit the configuration.45. } then { policer icmp-policer. } then discard.Chapter 8: Stateless Firewall Filter Configuration in Logical Systems user@host# set logical-systems LS1 interfaces so-0/0/2 unit 0 family inet policer input icmp-policer 6.2/30. Juniper Networks. [edit] user@host# commit Results Confirm your configuration by issuing the show logical-systems LS1 command. If you are done configuring the device.0.

45. Inc.0.0.2: icmp_seq=1 64 bytes from 10.45.0.277 ms ttl=64 time=1.0.0.45. the packet is accepted.Junos OS 11.45.2 PING 10.0.269 ms user@R2> ping 10.45.10.2): 20000 data bytes ^C --. 100% packet loss Meaning When you send a normal ping.2): 56 data 64 bytes from 10. the packet is discarded. Juniper Networks.45.2 ping statistics --4 packets transmitted.4 Firewall Filter and Policer Configuration Guide user@R2> ping 10.45.0.2: icmp_seq=2 bytes ttl=64 time=1.45. 0 packets received.2 (10.0.316 ms ttl=64 time=1.2: icmp_seq=0 64 bytes from 10.45.0.0. When you send a ping packet that exceeds the filter limit.2 size 20000 PING 10. . Related Documentation • Example: Creating an Interface on a Logical System 282 Copyright © 2011.45.2 (10.

accounting-profile Syntax Hierarchy Level Release Information Description Options Required Privilege Level Related Documentation accounting-profile name.4. • Accounting for Standard Firewall Filters Overview on page 211 Copyright © 2011. The statements are organized alphabetically. 283 . Juniper Networks. [edit firewall family family-name filter filter-name] Statement introduced before Junos OS Release 7.CHAPTER 9 Summary of Stateless Firewall Filter Configuration Statements The following descriptions explain each of the statelesss firewall filter configuration statements. name—Name assigned to the accounting profile. interface—To view this statement in the configuration. Inc. interface-control—To add this statement to the configuration. Enable collection of accounting data for the specified filter.

Junos OS 11. . or MS-DPC interfaces. firewall-control—To add this statement to the configuration. [edit logical-systems logical-system-name firewall filter filter-name].4 Firewall Filter and Policer Configuration Guide enhanced-mode Syntax Hierarchy Level enhanced-mode. Required Privilege Level Related Documentation firewall—To view this statement in the configuration. [edit firewall family family-name filter filter-name]. Inc. NOTE: You cannot attach enhanced mode filters to local loopback. When used with one of the chassis enhanced network services modes. If enhanced network services are not configured for the chassis. Limit static service filters or API-client filters to term-based filter format only for inet or inet6 families when enhanced network services mode is configured at the [edit chassis network-services] hierarchy level. management.4. [edit firewall filter filter-name]. Juniper Networks. These interfaces are processed by the routing engine kernel and DPC modules and can accept only compiled firewall filter format. • • Network Services Mode Overview in the Junos OS System Basics Configuration Guide Firewall Filters and Enhanced Network Services Mode Overview in the Junos OS Subscriber Access Configuration Guide • Configuring a Filter for Use with Enhanced Network Services Mode in the Junos OS Subscriber Access Configuration Guide 284 Copyright © 2011. the enhanced-mode statement is ignored and any enhanced mode firewall filters are generated in both term-based and compiled format (the default). [edit logical-systems logical-system-name firewall family family-name filter filter-name] Release Information Description Statement introduced in Junos OS Release 11. firewall filters are generated in term-based format for use with Trio MPC modules.

enhanced-mode. physical-interface-filter. ccc—Layer 2 switching cross-connects.6. 285 . Juniper Networks. source-prefix-length prefix-length. action-modifiers. subnet-prefix-length prefix-length.0. configure a firewall filter for Layer 2 traffic in a bridging environment. destination-prefix-length prefix-length. mpls—MPLS. simple-filter statement introduced in Junos OS Release 7.4 (MX Series routers only). policer policer-name. interface-specific. Logical systems support introduced in Junos OS Release 9. } then { action. } prefix-action name { count. any family type introduced in Junos OS Release 8. Copyright © 2011. On the MX Series routers only. inet6—IPv6 addressing protocol.3.Chapter 9: Summary of Stateless Firewall Filter Configuration Statements family Syntax family family-name { filter filter-name { accounting-profile name.4. bridge—(MX Series routers only) Layer 2 packets that are part of bridging domain. [edit logical-systems logical-system-name firewall] Hierarchy Level Release Information Statement introduced before Junos OS Release 7. } } } } [edit firewall]. inet—IPv4 addressing protocol. family-name—Version or type of addressing protocol: • • • • • • Description Options any—Protocol-independent match conditions. Configure a firewall filter for IP version 4 (IPv4) or IP version 6 (IPv6) traffic. Inc. bridge family type introduced in Junos OS Release 8. } simple-filter filter-name { term term-name { from { match-conditions.

Juniper Networks.4 Firewall Filter and Policer Configuration Guide • vpls—Virtual private LAN service (VPLS). The remaining statements are explained separately. . • • • Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Configuring Service Filters on page 230 Guidelines for Configuring Simple Filters on page 251 286 Copyright © 2011. Required Privilege Level Related Documentation interface—To view this statement in the configuration. Inc.Junos OS 11. interface-control—To add this statement to the configuration.

input filter-name—Name of one filter to evaluate when packets are received on the interface.Chapter 9: Summary of Stateless Firewall Filter Configuration Statements filter See the following sections: • • filter (Applying to a Logical Interface) on page 287 filter (Configuring) on page 288 filter (Applying to a Logical Interface) Syntax [edit interfaces interface-name unit logical-unit-number family family]. output filter-name—Name of one filter to evaluate when packets are transmitted on the interface. Required Privilege Level Related Documentation interface—To view this statement in the configuration. Inc. The remaining statements are explained separately. Apply a stateless firewall filter to a logical interface at a specific protocol level. 287 . [edit logical-systems logical-system-name interfaces interface-name unit logical-unit-number family family] Release Information Description Options Statement introduced before Junos OS Release 7. • • Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Applying Standard Firewall Filters on page 26 Copyright © 2011. Juniper Networks. interface-control—To add this statement to the configuration.4.

Juniper Networks.4.4.3..6. } } } [edit dynamic-profiles profile-name firewall family family-name]. • • Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Applying Standard Firewall Filters on page 26 288 Copyright © 2011. from { match-conditions. enclose it in quotation marks (“ ”). The remaining statements are explained separately. Inc. The name can contain letters. family family-name] hierarchy level introduced in Junos OS Release 11. Required Privilege Level Related Documentation firewall—To view this statement in the configuration. [edit logical-systems logical-system-name firewall family family-name] Hierarchy Level Release Information Statement introduced before Junos OS Release 7. physical-interface-filter statement introduced in Junos OS Release 9. } then { actions. Logical systems support introduced in Junos OS Release 9. Support at the [edit dynamic-profiles . firewall-control—To add this statement to the configuration.. To include spaces in the name. and Description Options hyphens (-) and can be up to 64 characters long. physical-interface-filter. interface-specific. filter-name—Name that identifies the filter.4 Firewall Filter and Policer Configuration Guide filter (Configuring) Syntax filter filter-name { accounting-profile name. enhanced-mode. term term-name { filter filter-name. Configure firewall filters. numbers. [edit firewall family family-name].Junos OS 11. .

interface-name—Names of each interface to include in the interface set. [edit logical-systems logical-system-name firewall] Hierarchy Level Release Information Statement introduced before Junos OS Release 7. } [edit firewall]. The statements are explained separately..3. Configure firewall filters.4. Inc. firewall-control—To add this statement to the configuration. • Filtering Packets Received on an Interface Set Overview on page 192 Copyright © 2011. Release Information Statement introduced before Junos OS Release 7.4. Logical systems support introduced in Junos OS Release 9. • • • Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Configuring Service Filters on page 230 Guidelines for Configuring Simple Filters on page 251 interface-set Syntax interface-set interface-set-name { interface-name. [edit logical-systems logical-system-name] [edit dynamic-profilesprofile-name].3. Description Required Privilege Level Related Documentation firewall—To view this statement in the configuration.. } [edit]. Required Privilege Level Related Documentation firewall—To view this statement in the configuration. Logical systems support introduced in Junos OS Release 9. Configure an interface set. firewall-control—To add this statement to the configuration. Juniper Networks. 289 . You must specify Description Options more than one name.Chapter 9: Summary of Stateless Firewall Filter Configuration Statements firewall Syntax Hierarchy Level firewall { .

The name can contain letters.Junos OS 11. firewall-control—To add this statement to the configuration.4 Firewall Filter and Policer Configuration Guide interface-specific Syntax Hierarchy Level interface-specific. Juniper Networks.4. [edit logical-systems logical-system-name firewall family (inet | inet6)] Hierarchy Level Release Information Statement introduced before Junos OS Release 7. To include spaces in the name. Inc. enclose it in quotation marks (“ ”). • • Guidelines for Configuring Service Filters on page 230 Guidelines for Applying Service Filters on page 232 290 Copyright © 2011. • Description Required Privilege Level Related Documentation Interface-Specific Firewall Filter Instances Overview on page 177 service-filter Syntax service-filter filter-name { term term-name { from { match-conditions. Description Options and hyphens (-) and can be up to 255 characters long. Configure service filters. . } then { actions. [edit firewall family family-name filter filter-name]. numbers. Configure interface-specific names for firewall counters. Required Privilege Level Related Documentation firewall—To view this statement in the configuration. Logical systems support introduced in Junos OS Release 9.3. filter-name—Name that identifies the service filter. interface-control—To add this statement to the configuration. interface—To view this statement in the configuration. [edit logical-systems logical-system-name firewall family family-name filter filter-name] Release Information Statement introduced before Junos OS Release 7. } } } [edit firewall family (inet | inet6].4. The remaining statements are explained separately. Logical systems support introduced in Junos OS Release 9.3.

Required Privilege Level Related Documentation firewall—To view this statement in the configuration. Inc. [edit logical-systems logical-system-name firewall family inet] Hierarchy Level Release Information Statement introduced in Junos OS Release 7. • • Guidelines for Configuring Simple Filters on page 251 Guidelines for Applying Simple Filters on page 254 Copyright © 2011. Description Options and hyphens (-) and can be up to 255 characters long.3. firewall-control—To add this statement to the configuration. } then { actions. numbers. Logical systems support introduced in Junos OS Release 9. The remaining statements are explained separately. } } } [edit firewall family inet]. filter-name—Name that identifies the simple filter. Juniper Networks. The name can contain letters. enclose it in quotation marks (“ ”). Configure simple filters. To include spaces in the name.6. 291 .Chapter 9: Summary of Stateless Firewall Filter Configuration Statements simple-filter Syntax simple-filter filter-name { term term-name { from { match-conditions.

match-conditions-mpls-ipv4-address—(MPLS-tagged IPv4 traffic only) One or more IP address match conditions to match on the IPv4 packet header. [edit logical-systems logical-system-name firewall family family-name simple-filter filter-name] Hierarchy Level Release Information Statement introduced before Junos OS Release 7. } } [edit firewall family family-name filter filter-name]. Logical systems support introduced in Junos OS Release 9.Junos OS 11. you can specify one or more nonterminating actions supported for the specified filter type. As an option. Inc. . [edit logical-systems logical-system-name firewall family family-name service-filter filter-name]. If not included. [edit firewall family family-name service-filter filter-name]. Supports network-based service in a core network with IPv4 packets as an inner payload of an MPLS packet with labels stacked up to five deep. [edit firewall family family-name simple-filter filter-name].6. filter option introduced in Junos OS Release 7.4. Juniper Networks. all packets are considered to match and the actions and action modifiers in the then statement are taken. You can specify Description Options one terminating action supported for the specified filter type. reference another standard stateless firewall filter from within this term. } } } then { actions.3. 292 Copyright © 2011. If you do not specify a terminating action. match-conditions—One or more conditions to use to make a match on a packet. filter-name—(Optional) For family family-name filter filter-name only. actions—(Optional) Actions to perform on the packet if conditions match. the packets that match the conditions in the from statement are accepted by default.4 Firewall Filter and Policer Configuration Guide term Syntax term term-name { from { match-conditions. protocol (tcp | udp) { match conditions-mpls-ipv4-port. from—(Optional) Match packet fields to values. [edit logical-systems logical-system-name firewall family family-name filter filter-name]. ip-version ipv4 { match-conditions-mpls-ipv4-address. ip-version ipv4 support introduced in Junos OS Release 10.1. Define a firewall filter term.

Required Privilege Level Related Documentation firewall—To view this statement in the configuration. The name can contain letters. To include spaces in the name. firewall-control—To add this statement to the configuration. enclose it in quotation marks (“ ”). Inc. and hyphens (-) and can be up to 64 characters long.Chapter 9: Summary of Stateless Firewall Filter Configuration Statements match-conditions-mpls-ipv4-port—(MPLS-tagged IPv4 traffic only) One or more UDP or TCP port match conditions to use to match a packet in an MPLS flow. then—(Optional) Actions to take on matching packets. 293 . Supports network-based service in a core network with IPv4 packets as an inner payload of an MPLS packet with labels stacked up to five deep. term-name—Name that identifies the term. If not included and a packet matches all the conditions in the from statement. Juniper Networks. numbers. • • • • Guidelines for Configuring Standard Firewall Filters on page 21 Guidelines for Configuring Service Filters on page 230 Guidelines for Configuring Simple Filters on page 251 Guidelines for Configuring and Applying Firewall Filters in Logical Systems on page 262 Copyright © 2011. the packet is accepted.

. Inc.4 Firewall Filter and Policer Configuration Guide 294 Copyright © 2011.Junos OS 11. Juniper Networks.

295 . Juniper Networks.PART 2 Traffic Policers • • • • • • Introduction to Traffic Policers on page 297 Single-Rate Two-Color Policer Configuration on page 327 Three-Color Policer Configuration on page 399 Logical and Physical Interface Policer Configuration on page 415 Layer 2 Policer Configuration on page 437 Summary of Policer Configuration Statements on page 455 Copyright © 2011. Inc.

.Junos OS 11. Juniper Networks.4 Firewall Filter and Policer Configuration Guide 296 Copyright © 2011. Inc.

also known rate limiting. Packets in a traffic flow that does not conform to traffic limits are either discarded or marked with a different forwarding class or packet loss priority (PLP) level. you can apply a policer to specific IP packets in a Layer 3 traffic flow at a logical interface by using a stateless firewall filter. is an essential component of network access security that is designed to thwart denial-of-service (DoS) attacks. Juniper Networks. also known as classes of service.CHAPTER 10 Introduction to Traffic Policers • • • • • • Traffic Policing Overview on page 297 Traffic Policer Types on page 301 Order of Policer and Firewall Filter Operations on page 304 Introduction to Policer Configuration on page 305 Introduction to Policer Rate Limits and Actions on page 316 Supported Standards for Policing on page 326 Traffic Policing Overview This topic covers the following information: • • • • • Congestion Management for IP Traffic Flows on page 297 Traffic Limits on page 298 Traffic Color Marking on page 299 Forwarding Classes and PLP Levels on page 300 Policer Application to Traffic on page 300 Congestion Management for IP Traffic Flows Traffic policing. Traffic policing enables you to control the maximum rate of IP traffic sent or received on an interface and also to partition network traffic into multiple priority levels. Copyright © 2011. With the exception of policers configured to rate-limit aggregate traffic (all protocol families and logical interfaces configured on a physical interface). Inc. 297 . With the exception of policers configured to rate-limit based on physical interface media rate. you can apply a policer to all IP packets in a Layer 2 or Layer 3 traffic flow at a logical interface. A policer defines a set of traffic rate limits and sets consequences for traffic that does not conform to the configured limits.

4 Firewall Filter and Policer Configuration Guide You can apply a policer to inbound or outbound interface traffic. In the token-bucket model. . Inc. • Figure 4: Network Traffic and Burst Rates As shown in the figure above. The depth of the bucket in bytes controls the amount of back-to-back bursting allowed. a higher packet loss priority (PLP) level. the bucket represents the policing function.Junos OS 11. or both. When sufficient tokens are present in the bucket. Traffic Limits Junos OS policers use the token-bucket algorithm to enforce a limit on average transmit or receive rate of IP traffic at an interface while allowing bursts of traffic up to a maximum value based on the overall traffic load. and tokens in the bucket are “cashed in” for the ability to transmit or receive traffic at the interface. a traffic flow continues unrestricted. You specify this highest average traffic rate as the bandwidth limit of the policer. Tokens are added to the bucket at a fixed rate. If the traffic arrival rate is so high that at some point insufficient tokens are present in the bucket. You specify this factor as the burst-size limit of the policer. Otherwise. This second limit affects the average transmit or receive rate by limiting the number of bytes permitted in a transmission burst for a given interval of time. Each token represents a “credit” for some number of bits. Bursts exceeding the current burst-size limit are dropped until there are sufficient tokens available to permit the burst to proceed. Policers applied to outbound traffic control the bandwidth used. then the traffic flow is no longer conforming to the traffic limit. Policers applied to inbound traffic help to conserve resources by dropping traffic that does not need to be routed through a network. an interface is either transmitting (bursting at full rate) or it is not. Juniper Networks. but only up to the specified depth of the bucket. Dropping inbound traffic also helps to thwart denial-of-service (DoS) attacks. packets might be dropped or else re-marked with a lower forwarding class. • The rate at which tokens are added to the bucket represents the highest average transmit or receive rate in bits per second allowed for a given service level. a UPC bar code is a good facsimile of what traffic looks like on the line. The token-bucket algorithm offers more flexibility than the leaky-bucket algorithm in that you can allow a specified amount of bursting before starting to discard packets or apply a penalty to packet output-queuing priority or packet drop priority. The black lines represent periods of data transmission and the white space represents periods of silence when the token bucket can replenish. 298 Copyright © 2011.

assigned to a configured forwarding class or set to a configured PLP level (or both). Inc. You can also configure a three-color-marking policer to discard the packets in a red flow instead of forwarding them with a high PLP setting. Instead. three-color-marking policers categorize a second type of nonconforming traffic: yellow. You cannot configure any policer actions for yellow traffic. packets with a low PLP level are less likely to be discarded than those with a medium-low. • Three-color-marking policers categorize traffic as conforming to the traffic limits (green). Red—Two-color-marking policers do not perform any implicit actions on packets in a red flow. you can configure a two-color-marking policer to handle the packets in a red flow by setting the PLP level to either low or high. A two-color-marking policer categorizes traffic as either conforming to the traffic limits (green) or violating the traffic limits (red): • Green—Two-color-marking policers implicitly set the packets in a green flow to the low PLP level. you can specify two additional PLP levels for packets in a red flow: medium-low or medium-high. 299 . • • Red—Unlike two-color-marking policers. On MX Series. three-color-marking policers implicitly set the packets in a green flow to the low PLP level. or exceeding the traffic limits but within an allowed range (yellow): • Green—Like two-color-marking policers. Juniper Networks. and M320 routers and M7i and M10i routers with the Enhanced CFEB (CFEB-E) only. If packets encounter downstream congestion. Copyright © 2011. assigning the packets to any forwarding class already configured. Traffic Color Marking Based on the particular set of traffic limits configured. or high PLP level. or simply discarded. and you cannot configure any policer actions for conforming traffic. a policer identifies a traffic flow as belonging to one of either two or three categories that are similar to the colors of a traffic light used to control automobile traffic. Three-color-marking policers implicitly set the packets in a yellow flow to the medium-high PLP level so that the packets incur a less severe penalty than those in a red flow. medium-high. which is the highest PLP value.Chapter 10: Introduction to Traffic Policers Depending on the type of policer used. Two-rate three-color policing categorizes as yellow traffic that exceeds the traffic limits while conforming to both a second defined burst-size limit and a second defined bandwidth limit. violating the traffic limits (red). packets in a policed traffic flow that surpasses the defined limits might be implicitly set to a higher PLP level. or both. three-color-marking policers implicitly set the packets in a red flow to the high PLP level. M120. and you cannot configure any policer actions for conforming traffic. You can configure a two-color-marking policer to simply discard packets if the traffic flow is red. Single-rate three-color policing categorizes as yellow traffic that exceeds the traffic limits while conforming to a second defined burst-size limit. Alternatively. those packets are handled according to the actions specified in the policer configuration. Yellow—Unlike two-color-marking policers.

regardless of protocol family or any match conditions. and MPLS traffic.4 Firewall Filter and Policer Configuration Guide Two-color-marking policers allows bursts of traffic for short periods. Inc. You can later use the same policer name to provide the same policer configuration each time you want to use it. packets of a given forwarding class are transmitted through a specific output queue. NOTE: Forwarding-class or loss-priority assignments performed by a policer or a stateless firewall filter override any such assignments performed on the ingress by the CoS default IP precedence classification at all logical interfaces or by any configured behavior aggregate (BA) classifier that is explicitly mapped to a logical interface. the policer is applied to all packets of the filter-specific protocol family that match the conditions specified in the filter configuration. and each output queue is associated with a transmission service level defined in a scheduler. For router interfaces that carry IPv4. Based on CoS configurations. Juniper Networks. whereas three-color-marking policers allow more sustained bursts of traffic. The Junos CoS features include a set of mechanisms that you can use to provide differentiated services when best-effort traffic delivery is insufficient. you can configure CoS features to take in a single flow of traffic entering at the edge of your network and provide different levels of service across the network—internal forwarding and scheduling (queuing) for output—based on the forwarding class assignments and PLP levels of the individual packets. Packet loss priority values affect the scheduling of a packet without affecting the packet’s relative ordering within the traffic flow. IPv6. when packets in an output queue encounter congestion.Junos OS 11. • You can apply a policer directly to an interface so that traffic rate-limiting applies to all traffic on that interface. When you apply the standard filter to the input or output at a logical interface. With this method of applying a policer. 300 Copyright © 2011. You can apply a policer to a traffic flow in either of two ways: • You can configure a standard stateless firewall filter that specifies the policer policer-name nonterminating action or the three-color-policer (single-rate | two-rate) policer-name nonterminating action. you can define specific classes of traffic on an interface and apply traffic rate-limiting to each class. packets with higher loss-priority values are more likely to be dropped by the random early detection (RED) algorithm. This eliminates the need to define the same policer values more than once. Policer Application to Traffic After you have defined and named a policer. Forwarding Classes and PLP Levels A packet’s forwarding class assignment and PLP level are used by the Junos OS class of service (CoS) features. Based on other CoS configurations. it is stored as a template. .

meaning that you reference the policer in a stateless firewall filter term and then apply the filter to a logical interface at the protocol family level. Basic Single-Rate Two-Color Policer You can apply a basic single-rate two-color policer to Layer 3 traffic in either of two ways: as an interface policer or as a firewall filter policer. You can apply the policer as an interface policer. and the search for policers occurs in this order: • • • Queue level Logical interface level Layer 2 (MAC) level “Stateless Firewall Filter Overview on page 5” in the Junos OS Firewall Filter and Policer Configuration Guide Related Documentation • • • • Traffic Policer Types on page 301 Order of Policer and Firewall Filter Operations on page 304 Packet Flow Through the CoS Process Overview Traffic Policer Types This topic covers the following information: • • • • Single-Rate Two-Color Policers on page 301 Three-Color Policers on page 302 Hierarchical Policers on page 303 Two-Color and Three-Color Policer Options on page 303 Single-Rate Two-Color Policers You can use a single-rate two-color policer. meaning that you apply the policer directly to a logical interface at the protocol family level. Packets in a green flow are implicitly set to a low loss priority and then transmitted. Copyright © 2011. or “policer” when used without qualification. If you want to apply the policer to selected packets only. to rate-limit a traffic flow to an average bits-per-second arrival rate (specified by the single specified bandwidth limit) while allowing bursts of traffic for short periods (controlled by the single specified burst-size limit). set to a specified loss priority. Inc. Only a single policer is applied to a packet at the egress queue. Packets in a red flow can be marked—set to a specified forwarding class. Juniper Networks.Chapter 10: Introduction to Traffic Policers You can configure policers at the queue. logical interface. Packets in a red flow are handled according to actions specified in the policer configuration. or both—or they can be discarded. you can apply the policer as a firewall filter policer. 301 . This type of policer categorizes a traffic flow as either green (conforming) or red (nonconforming). A single-rate two-color policer is most useful for metering traffic at the port (physical interface) level. or Layer 2 (MAC) level.

A single-rate three-color policer is most useful when a service is structured according to packet length. A two-rate three-color policer defines a committed bandwidth limit and burst-size limit plus a peak bandwidth limit and burst-size limit. Logical Bandwidth Policer A logical bandwidth policer is a bandwidth policer for which the effective bandwidth limit is calculated based on the logical interface configured shaping rate. The main difference between a single-rate and a two-rate policer is that the single-rate policer allows bursts of traffic for short periods. while the two-rate policer allows more sustained bursts of traffic. any count or policer actions act on the traffic stream entering or exiting each individual interface. A Two Rate Three Color Marker. Three-Color Policers The Junos OS supports two types of three-color policers: single-rate and two-rate. . Traffic that conforms to the committed traffic limits is categorized as green (conforming). Traffic that exceeds the peak traffic limits is categorized as red. which allows bursts of traffic for longer periods. Single-rate policing is implemented using a single token-bucket model. When you apply an interface-specific filter to multiple logical interfaces on supported routing platforms. Traffic that conforms to the bandwidth limit while allowing bursts of traffic as controlled by the excess burst-size limit is categorized as yellow. All other traffic is categorized as red. Two-rate policing is implemented using a dual token-bucket model. yellow. 302 Copyright © 2011. and red). Inc. and the firewall filter must be configured as an interface-specific filter. A Single Rate Three Color Marker. A single-rate three-color policer defines a committed bandwidth limit and burst-size limit plus an excess burst-size limit. Traffic that exceeds the committed traffic limits but remains below the peak traffic limits is categorized as yellow. Traffic that conforms to the committed traffic limits is categorized as green (conforming). the effective bandwidth limit is calculated based on either the physical interface media rate or the logical interface configured shaping rate. You can apply the policer as a firewall filter policer only. and red). You use this type of policer to rate-limit a traffic flow to a single rate and three traffic categories (green. Single-Rate Three-Color Policers The single-rate three-color type of policer is defined in RFC 2697. not peak arrival rate. yellow.Junos OS 11. Two-Rate Three-Color Policers The two-rate three-color type of policer is defined in RFC 2698. so that periods of relatively low traffic must occur between traffic bursts to allow the token bucket to refill. You use this type of policer to rate-limit a traffic flow to two rates and three traffic categories (green. regardless of the sum of traffic on the multiple interfaces. When you apply the policer (as an interface policer or as a firewall filter policer) to a logical interface at the protocol family level. Juniper Networks.4 Firewall Filter and Policer Configuration Guide Bandwidth Policer A bandwidth policer is simply a single-rate two-color policer that is defined using a bandwidth limit specified as a percentage value rather than as an absolute number of bits per second.

This feature enables you to use a single policer instance to perform aggregate policing for different protocol families and different logical interfaces on the same physical interface. and M320 edge routers with incoming Flexible PIC Concentrators (FPCs) as SFPC and outgoing FPCs as FFPC. Juniper Networks. T640. You apply a physical interface policer to a logical interface at the protocol level through a physical interface filter only. Hierarchical Policers You can use a hierarchical policer to rate-limit ingress Layer 2 traffic at a physical or logical interface and apply different policing actions based on whether the packets are classified for expedited forwarding (EF) or for a lower priority output queue. You can also apply the policer at the logical interface protocol family level.Chapter 10: Introduction to Traffic Policers A two-rate three-color policer is most useful when a service is structured according to arrival rates and not necessarily packet length. Inc. regardless of the protocol family. 303 . but rate limiting is performed aggregately for all logical interfaces and protocol families configured on the underlying physical interface. • You can apply the policer at the interface logical unit level to rate-limit all traffic types. Two-Color and Three-Color Policer Options Both two-color and three-color policers can be configured with the following options: • • • • Logical Interface (Aggregate) Policers on page 303 Physical Interface Policers on page 303 Policers Applied to Layer 2 Traffic on page 304 Multifield Classification on page 304 Logical Interface (Aggregate) Policers A logical interface policer—also called an aggregate policer—is a two-color or three-color policer that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer. even if the logical interfaces belong to different routing instances. This feature is supported on SONET interfaces hosted on M40e. and T1600 core routers with Enhanced Intelligent Queuing (IQE) PICs. and on T320. M120. see “Applying Filters to Forwarding Tables” in the “Traffic Sampling. Forwarding. • You can apply a logical interface policer to unicast traffic only. and Monitoring” section of the Junos OS Routing Policy Configuration Guide. Physical Interface Policers A physical interface policer is a two-color or three-color policer that applies to all logical interfaces and protocol families configured on a physical interface. to rate-limit traffic for a specific protocol family. You apply a logical interface policer directly to a logical interface configuration (and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface). For information about configuring a stateless firewall filter for flooded traffic. Copyright © 2011.

The CoS scheduling configuration assigns packets to output queues based on forwarding class. you can also apply single-rate two-color policers and three-color policers (both single-rate and two-rate) to Layer 2 input or output traffic. 304 Copyright © 2011. output queue fullness percentage. You cannot apply a two-color or three-color policer to Layer 2 traffic as a stateless firewall filter action. Inc. including CoS values. and not at the protocol level. The CoS random early detection (RED) process uses the drop probability configuration. the order of precedence of operations is such that policers applied directly to the logical interface are evaluated before input filters but after output filters. You must configure the two-color or three-color policer as a logical interface policer and reference the policer in the interface configuration at the logical unit level. a packet loss priority level. and packet loss priority to drop packets as needed to control congestion at the output stage.Junos OS 11. which is sometimes referred to as class-of-service (CoS) value traffic classification. Multifield classification is used instead of BA classification when you need to classify packets based on information in the packet other than the CoS values only. • If an input firewall filter is configured on the same logical interface as a policer.4 Firewall Filter and Policer Configuration Guide Policers Applied to Layer 2 Traffic In addition to hierarchical policing. or both. Juniper Networks. . or both. Multifield classification is configured using a stateless firewall filter term that matches on any packet header fields and associates matched packets with a forwarding class. In this case. Multifield classification can be based on multiple fields in the IP packet header. Multifield Classification Like behavior aggregate (BA) classification. Related Documentation • • • • • • • Traffic Policing Overview on page 297 Order of Policer and Firewall Filter Operations on page 304 Two-Color Policer Configuration Overview on page 307 Three-Color Policer Configuration Overview on page 311 Hierarchical Policer Configuration Overview on page 314 Two-Color Policing at Layer 2 Overview on page 444 Three-Color Policing at Layer 2 Overview on page 446 Order of Policer and Firewall Filter Operations You can apply a both a traffic policer and a stateless firewall filter (with or without policing actions) to a single logical interface at the same time. BA classification is based on a CoS value in the IP packet header. a loss priority. The forwarding class or loss priority can be set by a firewall filter action or by a policer referenced as a firewall filter action. multifield classification is a method of classifying incoming traffic by associating each packet with a forwarding class. BA classification and multifield classification use different fields of a packet to perform traffic classification. the policer is executed first.

} Copyright © 2011.. from { . subnet-prefix-length prefix-length. Inc. Figure 5 on page 305 illustrates the order of policer and firewall filter processing at the same interface.. ipv4-firewall-filter-match-conditions . term term-name { filter filter-name. policer policer-name.. prefix-action name { count. interface-specific.Chapter 10: Introduction to Traffic Policers • If an output firewall filter is configured on the same logical interface as a policer. the firewall filter is executed first. destination-prefix-length prefix-length. Figure 5: Incoming and Outgoing Policers and Firewall Filters Related Documentation • • • Two-Color Policer Configuration Overview on page 307 Three-Color Policer Configuration Overview on page 311 Hierarchical Policer Configuration Overview on page 314 Introduction to Policer Configuration • • • • • Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Three-Color Policer Configuration Overview on page 311 Hierarchical Policer Configuration Overview on page 314 Guidelines for Applying Traffic Policers on page 316 Statement Hierarchy for Configuring Policers firewall { family (any | bridge | ccc | inet | inet6 | mpls | vpls) { filter filter-name { . Juniper Networks. source-prefix-length prefix-length.... protocol-family-specific-firewall-filter-configuration .. } } } filter filter-name { accounting-profile [ profile-names ]. 305 .. physical-interface-filter.

physical-interface-policer. } } premium { if-exceeding { bandwidth-limit bps. } } three-color-policer policer-name { action { loss-priority high then discard. next term. } then { discard. } } } hierarchical-policer policer-name { aggregate { if-exceeding { bandwidth-limit-limit bps. 306 Copyright © 2011.. forwarding-class class-name. } logical-interface-policer. loss-priority (high | low | medium-high | medium-low). . Juniper Networks. } load-balance-group group-name { next-hop-group [ group-names ]. ipv4-firewall-filter-terminating-actions . then { discard. if-exceeding { (bandwidth-limit bps | bandwidth-percent percentage). } logical-bandwidth-policer. } } } interface-set interface-set-name { interface-name. burst-size-limit bytes. physical-interface-policer. loss-priority (high | low | medium-high | medium-low). } policer policer-name { filter-specific. forwarding-class class-name.Junos OS 11.. logical-interface-policer.. Inc.. ..4 Firewall Filter and Policer Configuration Guide then { . } then { discard... burst-size-limit bytes. ipv4-firewall-filter-nonterminating-actions . burst-size-limit bytes..

peak-burst-size bytes. Juniper Networks. committed-information-rate bps. burst-size-limit bytes. Inc. Interface policer verification: • Use the show interfaces (detail | extensive) operational mode command. loss-priority supported-value. } then { discard. Firewall filter configuration (*) • If applying to multiple interfaces. } } } Related Documentation • • • • Two-Color Policer Configuration Overview on page 307 Three-Color Policer Configuration Overview on page 311 Hierarchical Policer Configuration Overview on page 314 Guidelines for Applying Traffic Policers on page 316 Two-Color Policer Configuration Overview Table 30 on page 307 describes the hierarchy levels at which you can configure and apply single-rate two-color policers to Layer 3 traffic. excess-burst-size bytes. } } Method A—Apply as an interface policer at the protocol family level: [edit interfaces] interface-name { unit unit-number { family family-name { policer { input policer-name. committed-information-rate bps. forwarding-class class-name. output policer-name. Basic policer configuration: [edit firewall] policer policer-name { if-exceeding { bandwidth-limit bps. peak-information-rate bps. Copyright © 2011.Chapter 10: Introduction to Traffic Policers single-rate { (color-aware | color-blind). see “Two-Color Policing at Layer 2 Overview” on page 444. 307 . committed-burst-size bytes. For information about applying single-rate two-color policers to Layer 2 traffic. } } } } Policer configuration: • Layer 3 Application Key Points Use bandwidth-limit bps to specify an absolute value. Table 30: Two-Color Policer Configuration and Application Overview Policer Configuration Single-Rate Two-Color Policer Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface. } two-rate { (color-aware | color-blind). include the interface-specific statement to create unique policers and counters for each interface. committed-burst-size bytes. Can be applied as an interface policer or as a firewall filter policer.

• Use the show firewall filter filter-name operational mode command. . } } } [edit interfaces] interface-name { unit unit-number { family family-name { filter { input filter-name. output filter-name.4 Firewall Filter and Policer Configuration Guide Table 30: Two-Color Policer Configuration and Application Overview (continued) Policer Configuration Layer 3 Application Method B—Apply as a firewall filter policer at the protocol family level: [edit firewall] family family-name { filter filter-name { interface-specific. protocol-configuration .. Juniper Networks....Junos OS 11. Firewall filter policer verification: • Use the show interfaces (detail | extensive) operational mode command. } . 308 Copyright © 2011.. Inc. match-conditions . # (*) from { . } then { policer policer-name.. } } } Key Points • Use the show policer operational mode command...

.. bandwidth policing rate-limits traffic based on a percentage of the physical interface media rate. } } • To rate-limit traffic based on a percentage of the logical interface configured shaping rate.. • Use the show firewall filter filter-name operational mode command.. Firewall filter configuration: • Percentage bandwidth policers can only be referenced by filters configured with the interface-specific statement. } then { discard. } } } } Method B—Apply as a firewall filter policer at the protocol family level: [edit firewall] family family-name { filter filter-name { interface-specific. Inc. match-conditions . Can be applied as an interface policer or as a firewall filter policer where the filter is either interface-specific or a physical interface filter. } } } [edit interfaces] interface-name { unit unit-number { family family-name { filter { input filter-name. Bandwidth policer configuration: [edit firewall] policer policer-name { logical-bandwidth-policer. } then { policer policer-name. } } } Policer configuration: • if-exceeding { bandwidth-percent (1. from { . but the bandwidth limit is specified as a percentage value. Layer 3 Application Key Points Method A—Apply as an interface policer at the protocol family level: [edit interfaces] interface-name { unit unit-number { family family-name { policer { input policer-name. output policer-name.100). Copyright © 2011. By default. Interface policer verification: • Use the show interfaces (detail | extensive) operational mode command.. loss-priority supported-value. Firewall filter policer verification: • Use the show interfaces (detail | extensive) operational mode command... • Use the show policer operational mode command. forwarding-class class-name. Juniper Networks.. } . protocol-configuration . also include the logical-bandwidth-policer statement. 309 . Use the bandwidth-percent percentage statement instead of the bandwidth-limit bps statement.. output filter-name. Bandwidth can be based on physical interface line rate (the default) or the logical interface shaping rate. burst-size-limit bytes.Chapter 10: Introduction to Traffic Policers Table 30: Two-Color Policer Configuration and Application Overview (continued) Policer Configuration Bandwidth Policer Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface.

Can be applied directly to a logical interface configuration only. • Use the show policer operational mode command. Juniper Networks. forwarding-class class-name. } } To rate-limit all traffic types. } then { discard. • Interface policer verification: • Use the show interfaces (detail | extensive) operational mode command. 310 Copyright © 2011. output policer-name. output policer-name. } family family-name { policer { # One protocol input policer-name.Junos OS 11. Inc. . regardless of the protocol family. apply the logical interface policer at the protocol family level. Layer 3 Application Key Points Apply as an interface policer only: [edit interfaces] interface-name { unit unit-number { policer { # All protocols input policer-name. apply the logical interface policer at the logical unit level. Two options for interface policer application: • if-exceeding { bandwidth-limit bps. To rate-limit traffic of a specific protocol family. } } } } Policer configuration: • Include the logical-interface-policer statement. Logical interface policer configuration: [edit firewall] policer policer-name { logical-interface-policer. burst-size-limit bytes.4 Firewall Filter and Policer Configuration Guide Table 30: Two-Color Policer Configuration and Application Overview (continued) Policer Configuration Logical Interface (Aggregate) Policer Defines traffic rate limiting that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer. loss-priority supported-value.

. • Use the show firewall filter filter-name operational mode command. Related Documentation • • • • • • • Basic Single-Rate Two-Color Policers on page 327 Bandwidth Policers on page 343 Filter-Specific Counters and Policers on page 352 Prefix-Specific Counting and Policing Actions on page 359 Multifield Classification on page 375 Policer Overhead to Account for Rate Shaping in the Traffic Manager on page 390 Two-Color and Three-Color Physical Interface Policers on page 427 Three-Color Policer Configuration Overview Table 31 on page 312 describes the hierarchy levels at which you can configure and apply single-rate tricolor-marking (single-rate TCM) policers and two-rate tricolor-marking Copyright © 2011.. output filter-name. Firewall filter policer verification: • Use the show interfaces (detail | extensive) operational mode command. even if the interfaces belong to different routing instances.. } . } } from { . Policer configuration: • Include the physical-interface-policer statement. burst-size-limit bytes.Chapter 10: Introduction to Traffic Policers Table 30: Two-Color Policer Configuration and Application Overview (continued) Policer Configuration Physical Interface Policer Defines traffic rate limiting that applies to all logical interfaces and protocol families configured on a physical interface.. Physical interface policer configuration: [edit firewall] policer policer-name { physical-interface-policer... loss-priority supported-value. Can be applied as a firewall filter policer referenced from a physical interface filter only... } then { policer policer-name. 311 . Firewall filter configuration: • if-exceeding { bandwidth-limit bps. Application: • Apply the filter to the input or output of a logical interface at the protocol family level. } then { discard. } } } Include the physical-interface-filter statement. forwarding-class class-name. Inc. Layer 3 Application Key Points Apply as a firewall filter policer referenced from a physical interface filter that you apply at the protocol family level: [edit firewall] family family-name { filter filter-name { physical-interface-filter. match-conditions . protocol-configuration . } } } [edit interfaces] interface-name { unit number { family family-name { filter { input filter-name. Juniper Networks.

Table 31: Three-Color Policer Configuration and Application Overview Policer Configuration Single-Rate Three-Color Policer Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface.. } then { three-color-policer { single-rate policer-name. Provides moderate allowances for short periods of traffic that exceed the committed burst size. Can be applied as a firewall filter policer only. excess-burst-size bytes. . Inc. see “Three-Color Policing at Layer 2 Overview” on page 446. } } } } } Apply the filter to a logical interface at the protocol family level: [edit interfaces] interface-name { unit unit-number { family family-name { filter { input filter-name... For information about applying three-color policers to Layer 2 traffic. Juniper Networks. Basic single-rate TCM policer configuration: [edit firewall] three-color-policer policer-name { single-rate { (color-aware | color-blind).4 Firewall Filter and Policer Configuration Guide (two-rate TCM) policers to Layer 3 traffic. } } Reference the policer from a firewall filter. committed-burst-size bytes. } } } } Policer configuration: • Layer 3 Application Key Points Include the single-rate (color-aware | color-blind) statement.Junos OS 11.. committed-information-rate bps. output filter-name. and apply the filter to a protocol family on a logical interface: [edit firewall] family family-name { filter filter-name { term term-name { from { . Firewall filter configuration: • Include the three-color-policer single-rate policer-name action. 312 Copyright © 2011. Applying the firewall filter to the logical interface: • Include the filter (input | output) filter-name statement. match-conditions . } action { loss-priority high then discard.

committed-information-rate bps.Chapter 10: Introduction to Traffic Policers Table 31: Three-Color Policer Configuration and Application Overview (continued) Policer Configuration Layer 3 Application Key Points Single-Rate Three-Color Physical Interface Policer Defines traffic rate limiting that applies to all logical interfaces and protocol families configured on a physical interface. } } } } } [edit interfaces] interface-name { unit number { family family-name { filter { input filter-name.. Juniper Networks. Copyright © 2011. Can be applied as a firewall filter policer only. } action { loss-priority high then discard. even if the interfaces belong to different routing instances. match-conditions . committed-burst-size bytes... single-rate { (color-aware | color-blind). use the show firewall filter filter-name operational mode command. and apply the filter to a protocol family on a logical interface: [edit firewall] family family-name { filter filter-name { physical-interface-filter Policer configuration: • Include the physical-interface-policer statement. output filter-name. Application: • Include the filter (input | output) filter-name statement. Physical interface single-rate TCM policer: [edit firewall] three-color-policer policer-name { physical-interface-policer. } } Reference the policer from a physical interface filter only. 313 . } then { three-color-policer { single-rate policer-name. Inc. Verification • To verify. } } } } Include the physical-interface-filter statement. Firewall filter configuration: • term term-name { from { .. excess-burst-size bytes.

Junos OS 11. match-conditions . Applying the firewall filter to the logical interface: • Include the filter (input | output) filter-name statement. Juniper Networks. } then { three-color-policer { two-rate policer-name. peak-information-rate bps. output filter-name. . and apply the filter to a protocol family on a logical interface: [edit firewall] family family-name { filter filter-name { term term-name { from { . } } } } } [edit interfaces] interface-name { unit unit-number { family family-name { filter { input filter-name.. committed-burst-size bytes. Can be applied as a firewall filter policer only. Firewall filter configuration: • Include the three-color-policer two-rate policer-name action. } } } } Policer configuration: • Layer 3 Application Key Points Include the two-rate (color-aware | color-blind) statement. 314 Copyright © 2011. Basic two-rate TCM policer configuration: [edit firewall] three-color-policer policer-name { two-rate { (color-aware | color-blind). Provides moderate allowances for sustained periods of traffic that exceed the committed bandwidth limit or burst size. } } Reference the policer from a firewall filter.4 Firewall Filter and Policer Configuration Guide Table 31: Three-Color Policer Configuration and Application Overview (continued) Policer Configuration Basic Two-Rate Three-Color Policer Defines traffic rate limiting that you can apply to Layer 3 protocol-specific traffic at a logical interface.. Related Documentation • • • • • Three-Color Policer Configuration Guidelines on page 399 Basic Single-Rate Three-Color Policers on page 401 Basic Two-Rate Three-Color Policers on page 407 Two-Color and Three-Color Logical Interface Policers on page 415 Two-Color and Three-Color Physical Interface Policers on page 427 Hierarchical Policer Configuration Overview Table 32 on page 315 describes the hierarchy levels at which you can configure and apply hierarchical policers. committed-information-rate bps... } action { loss-priority high then discard. Inc. peak-burst-size bytes.

Include the layer2-policer configuration statement at the [edit interfaces interface-name] Aggregate and premium policing components of a hierarchical policer: [edit firewall] hierarchical-policer policer-name { aggregate { if-exceeding { bandwidth-limit bps. } then { discard. NOTE: You must configure at least one protocol family for the logical interface. } then { discard. Include the layer2-policer configuration statement at the [edit interfaces interface-name unit unit-number] hierarchy level. Interfaces on DPCs in MX Series routers. Layer 3 traffic. Juniper Networks. SONET interfaces hosted on T320. 315 . Option A—Apply directly to Layer 2 input traffic on a physical interface: [edit interfaces] interface-name { layer2-policer { input-hierarchical-policer policer-name. } } Hierarchically rate-limit Layer 2 ingress traffic for all protocol families and logical interfaces configured on a physical interface. Ethernet interfaces on Gigabit Ethernet Intelligent Queuing 2 (IQ2) and Ethernet Enhanced IQ2 (IQ2E) PICs.Chapter 10: Introduction to Traffic Policers Table 32: Hierarchical Policer Configuration and Application Summary Policer Configuration Hierarchical Policer Hierarchically rate-limits Layer 2 ingress traffic for all protocol families. loss-priority supported-value. burst-size-limit bytes. } } } hierarchy level. Supported on the following interfaces: • • • • Layer 2 Application Key Points SONET interfaces hosted on M40e. Inc. forwarding-class class-name. Option B—Apply directly to Layer 2 input traffic on a logical interface. T640. M120. and M320 edge routers with incoming FPCs as SFPC and outgoing FPCs as FFPC. } } premium { if-exceeding { bandwidth-limit bps. } } } Hierarchically rate-limit Layer 2 ingress traffic for all protocol families configured on a specific logical interface. or at a specific protocol level of the interface hierarchy. [edit interfaces] interface-name { unit unit-number { layer2-policer { input-hierarchical-policer policer-name. Related Documentation • Hierarchical Policers on page 437 Copyright © 2011. you cannot also apply a hierarchical policer to any of the member logical interfaces. Cannot be applied to egress traffic. and T1600 core routers with Enhanced Intelligent Queuing (IQE) PICs. burst-size-limit bytes. NOTE: If you apply a hierarchical policer at a physical interface.

based on the configuration. For each policer type. With BA classification.Junos OS 11. Juniper Networks. Forwarding. applying policers to both a port and the logical interfaces of that port—is not allowed. you are not allowed to apply a policer and a hierarchical policer in the same direction at the same logical interface. Inc. provided no behavior aggregate (BA) classification—traffic classification based on CoS values in the packet headers—is applied to the logical interface. The interface might be a physical interface or logical interface. Policers can be applied to unicast packets only. With BA classification.4 Firewall Filter and Policer Configuration Guide Guidelines for Applying Traffic Policers The following general guidelines pertain to applying traffic policers: • Only one type of policer can be applied to the input or output of the same physical or logical interface. 316 Copyright © 2011. the miscellaneous traffic (the traffic not matching any of the BA classification DSCP/EXP bits) is policed as non-EF traffic. The policer should be independent of BA classification. Without BA classification. Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Three-Color Policer Configuration Overview on page 311 Hierarchical Policer Configuration Overview on page 314 • • • • • Related Documentation • • • • Introduction to Policer Rate Limits and Actions • • • • • Policer Bandwidth and Burst-Size Limits on page 316 Policer Color-Marking and Actions on page 318 Single Token Bucket Algorithm on page 319 Dual Token Bucket Algorithms on page 321 Calculation of Policer Burst-Size Limit on page 323 Policer Bandwidth and Burst-Size Limits Table 33 on page 317 lists each of the Junos OS policer types supported. For information about configuring a filter for flooded traffic. a physical or logical interface can support up to 64 policers. No separate policers are installed for this traffic. A maximum of 64 policers is supported per physical or logical interface. see “Applying Filters to Forwarding Tables” in the “Traffic Sampling. Chaining of policers—that is. the table summarizes the bandwidth limits and burst-size limits used to rate-limit traffic. and Monitoring” section of the Junos OS Routing Policy Configuration Guide. all traffic on an interface is treated either as expedited forwarding (EF) or non-EF. . For example.

larger burst size. MX. and T Series routers: 8000. MX.. MX.. M. For a single-rate two-color policer only... M120. Juniper Networks.100000000000 1500. each with a bandwidth limit and an allowed burst size for conforming traffic. and T Series routers: 1500. MX. higher bandwidth limit. M. T640. T640. larger burst size and a second. and T Series routers: 1500. M. M.. 317 .100000000000 Two-Rate Three-Color Policer Defines a committed rate limit: a bandwidth limit and an allowed burst size for conforming traffic. you can specify the bandwidth limit as a percentage value from 1 through 100 instead of as an absolute number of bits per second. and T Series routers: 1500. committed-information-rate bps. and T1600 core routers with Enhanced Intelligent Queuing (IQE) PICs: 32000. M. M... M. MX. M40e. M120.100000000000 1500. Also defines a peak rate limit: a second. MX. MX.50000000000 1500. and T Series routers: Bandwidth Limits Burst-Size Limits burst-size-limit bytes. MX...100 percent Single-Rate Three-Color Policer Defines a single rate limit: a bandwidth limit and an allowed burst size for conforming traffic. and M320 (with FFPC and SFPC) edge routers and T320.. M40e. and T Series routers: committed-burst-size bytes. These additional rate-limit components are used to differentiate between two categories of nonconforming traffic (yellow or red).. and T Series routers: 1500.Chapter 10: Introduction to Traffic Policers Table 33: Policer Bandwidth Limits and Burst-Size Limits Policer Type Single-Rate Two-Color Policer Defines a single rate limit: a bandwidth limit and an allowed burst size for conforming traffic.. committed-information-rate bps.100000000000 Hierarchical Policer Defines two policers. M.50000000000 bandwidth-percent 1500. Inc. Different policing actions are applied based on whether the packets are classified for expedited forwarding (EF) or for a lower priority. Also defines a second. bandwidth-limit bps.2147450880 Related Documentation • • Policer Color-Marking and Actions on page 318 Calculation of Policer Burst-Size Limit on page 323 Copyright © 2011.100000000000 excess-burst-size bytes.100000000000 peak-information-rate bps. Rate-limits ingress Layer 2 traffic at a SONET physical or logical interface hosted on supported routing platforms only. and T Series routers: committed-burst-size bytes. MX. and T Series routers: 1500.10000000000 1. and M320 (with FFPC and SFPC) edge routers and T320. bandwidth-limit bps. The effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate. This second burst size is used to differentiate between two categories of nonconforming traffic (yellow or red).100000000000 peak-burst-size bytes. M. and T1600 core routers with Enhanced Intelligent Queuing (IQE) PICs: burst-size-limit bytes.

Single-Rate Three-Color Policer • • • Committed information rate (CIR) Committed burst size (CBS) Excess burst size (EBS) Green Conforms to the CIR and CBS Yellow Exceeds the CIR and CBS but conforms to the EBS Red Exceeds the EBS Set PLP to low – Set PLP to medium-high – Set PLP to high • Discard the packet. Set PLP to low or high. Assign to a forwarding class. . Two-Rate Three-Color Policer • • • • Committed information rate (CIR) Committed burst size (CBS) Peak information rate (PIR) Peak burst size (PBS) 318 Copyright © 2011. you can also set the PLP to medium-low or medium-high. Juniper Networks. the table summarizes the color-marking criteria used to categorize a traffic flow and.Junos OS 11. On some platforms. for each color. Inc.4 Firewall Filter and Policer Configuration Guide Policer Color-Marking and Actions Table 34 on page 318 lists each of the Junos OS policer types supported. For each policer type. the actions taken on packets in that type of traffic flow. Table 34: Implicit and Configurable Policer Actions Based on Color Marking Policer Rate Limits and Color Marking Single-Rate Two-Color Policer • • Implicit Action Configurable Actions Bandwidth limit Burst size Green Conforms to rate and burst size limits Red Exceeds rate and burst size limits Set PLP to low – – • • • Discard the packet.

Assign to a forwarding class. Related Documentation • • Policer Bandwidth and Burst-Size Limits on page 316 Calculation of Policer Burst-Size Limit on page 323 Single Token Bucket Algorithm This topic covers the following information: • • • Token Bucket Concepts on page 320 Single Token Bucket Algorithm on page 320 Conformance Measurement for Two-Color Marking on page 321 Copyright © 2011. Juniper Networks. On some platforms. you can also set the PLP to medium-low or medium-high. Hierarchical Policer Aggregate policer • • Bandwidth limit Burst size Green Conforms to rate limits Red Exceeds rate limits Set PLP to low – – • • • Discard the packet.Chapter 10: Introduction to Traffic Policers Table 34: Implicit and Configurable Policer Actions Based on Color Marking (continued) Policer Rate Limits and Color Marking Green Conforms to the CIR and CBS Yellow Exceeds the CIR and CBS. but conforms to the PIR Red Exceeds the PIR and PBS Implicit Action Set PLP to low Configurable Actions – Set PLP to medium-high – Set PLP to high • Discard the packet. Premium policer • • Bandwidth limit Burst size Green Conforms to rate limits Red Exceeds rate limits Set PLP to low – – • Discard the packet. 319 . Inc. Set PLP to low or high.

you can use the bandwidth-percent percentage statement to specify the bandwidth limit as a percentage of either the physical interface port speed or the configured logical interface shaping rate. packets might be dropped or else re-marked with a lower forwarding class. The token bucket depth represents the single burst size configured for the policer. If the bucket is filled to capacity. . but only up to the specified depth of the bucket. You can specify the bandwidth limit as an absolute number of bits per second by including the bandwidth-limit bps statement. Junos OS policers measure traffic-flow conformance to a policing rate limit by using a token bucket algorithm: • The bucket represents a rate-limiting function of the policer on the interface input or output traffic. for single-rate two-color policers only. • • When the bucket contains insufficient tokens for receiving or transmitting the traffic at the interface. Each token in the bucket represents a “credit” for some number of bits. whereas an algorithm based dual token buckets allows more sustained bursts of traffic. a hierarchical policer limits traffic throughput at an interface based on how aggregate and premium traffic subflows conform to aggregate and premium rate-limit values specified in the policer configuration. For both two-color policer types. Similarly. • • • An algorithm based on a single token bucket allows burst of traffic for short periods. Juniper Networks. arriving tokens “overflow” the bucket and are lost. and packets in a non-conforming traffic flow are categorized as red.Junos OS 11. Alternatively. the rate limits and actions specified in the policer configuration are used to enforce a limit on the average throughput rate at the interface while also allowing bursts of traffic up to a maximum number of bytes based on the overall traffic load. packets in a conforming traffic flow are categorized as green. Single Token Bucket Algorithm A single-rate two-color policer limits traffic throughput at an interface based on how the traffic conforms to rate-limit values specified in the policer configuration. The single token bucket algorithm measures traffic-flow conformance to a two-color policer rate limit as follows: • The token arrival rate represents the single bandwidth limit configured for the policer. The token bucket depth defines the capacity of the bucket in bytes. or both. and tokens in the bucket are “cashed in” for the ability to receive or transmit traffic that conforms to a rate limit configured for the policer. You specify the burst size by including the burst-size-limit bytes statement. Inc. 320 Copyright © 2011. a higher packet loss priority (PLP) level.4 Firewall Filter and Policer Configuration Guide Token Bucket Concepts When you apply traffic policing to the input or output traffic at an interface. The token arrival rate is the fixed bits-per-second rate at which tokens are added to the token bucket.

a specified PLP. Packets in a conforming traffic flow (categorized as green traffic) are implicitly marked with a packet loss priority (PLP) level of low and then passed through the interface. Juniper Networks. If sufficient tokens remain in the bucket. the flow is considered conforming traffic. 321 . During periods of relatively low traffic (traffic that arrives at or departs from the interface at average rates below the token arrival rate). and then passed through the interface. The token bucket is initially filled to capacity. Inc. or both. packets might be implicitly discarded. Related Documentation • • • • • • • • Two-Color Policer Configuration Overview on page 307 Hierarchical Policer Configuration Overview on page 314 Policer Color-Marking and Actions on page 318 bandwidth-limit (Hierarchical Policer) on page 458 bandwidth-limit (Policer) on page 459 bandwidth-percent on page 461 burst-size-limit (Hierarchical Policer) on page 463 burst-size-limit (Policer) on page 464 Dual Token Bucket Algorithms This topic covers the following information: • • • • Token Bucket Concepts on page 322 Guaranteed Bandwidth for Three-Color Marking on page 322 Nonconformance Measurement for Single-Rate Three-Color Marking on page 322 Nonconformance Measurement for Two-Rate Three-Color Marking on page 323 Copyright © 2011. but only up to the configured token bucket depth. NOTE: The number of tokens remaining in the bucket at any given time is a function of the token bucket depth and the overall traffic load. conformance to a two-color policer rate limit depends on the tokens in the bucket. a traffic flow whose average arrival or departure rate does not exceed the token arrival rate (bandwidth limit) is considered conforming traffic. the flow is considered non-conforming traffic. Packets in a non-conforming traffic flow (categorized as red traffic) are handled according to policing actions. For a traffic flow whose average arrival or departure rate exceeds the token arrival rate.Chapter 10: Introduction to Traffic Policers Conformance Measurement for Two-Color Marking In two-color-marking policing. and so the policer allows an initial traffic burst (back-to-back traffic at average rates that exceed the token arrival rate) up to the size of the token bucket depth. If the bucket does not contain sufficient tokens. unused tokens accumulate in the bucket. or the packets might be re-marked with a specified forwarding class. Depending on the configuration of the two-color policer.

. If any unused bandwidth capacity overflows the first bucket. the excess accumulates in a second token bucket. The token arrival rate is the fixed bits-per-second rate at which tokens are added to the token bucket. and tokens in the bucket are “cashed in” for the ability to receive or transmit traffic that conforms to a rate limit configured for the policer. A burst of traffic at an average rate that exceeds the CIR is also categorized as green provided that sufficient unused bandwidth capacity is available in the first token bucket. Juniper Networks. Packets in a yellow flow are implicitly marked with medium-high PLP and then passed through the interface. but only up to the specified depth of the bucket. The committed burst size (CBS) defines the maximum number of bytes for which unused amounts of the guaranteed bandwidth can be accumulated in the first token bucket. A flow of traffic at an average rate that conforms to the CIR is categorized green. and packets in a green flow are implicitly marked with low packet loss priority (PLP) and then passed through the interface. Junos OS policers measure traffic-flow conformance to a policing rate limit by using a token bucket algorithm: • The bucket represents a rate-limiting function of the policer on the interface input or output traffic. the rate limits and actions specified in the policer configuration are used to enforce a limit on the average throughput rate at the interface while also allowing bursts of traffic up to a maximum number of bytes based on the overall traffic load. Inc.4 Firewall Filter and Policer Configuration Guide Token Bucket Concepts When you apply traffic policing to the input or output traffic at an interface. whereas an algorithm based dual token buckets allows more sustained bursts of traffic. any unused bandwidth capacity accumulates in the first token bucket. 322 Copyright © 2011. Each token in the bucket represents a “credit” for some number of bits. • • • An algorithm based on a single token bucket allows burst of traffic for short periods. A traffic flow is categorized yellow if its average rate exceeds the CIR and the available bandwidth capacity accumulated in the first bucket if sufficient unused bandwidth capacity is available in the second token bucket. but only up to a configured number of bytes. The token bucket depth defines the capacity of the bucket in bytes. Guaranteed Bandwidth for Three-Color Marking A committed information rate (CIR) defines the guaranteed bandwidth for traffic arriving at or departing from the interface under normal line conditions. During periods of relatively low traffic (traffic that arrives at or departs from the interface at average rates below the CIR). Nonconformance Measurement for Single-Rate Three-Color Marking Single-rate three-color policer configurations specify a second burst size—the excess burst size (EBS)—that defines the maximum number of bytes for which the second token bucket can accumulate unused bandwidth that overflows from the first bucket.Junos OS 11.

A traffic flow is categorized red if it exceeds the PIR and the available peak bandwidth capacity accumulated in the second token bucket. Packets in a yellow flow are implicitly marked with medium-high PLP and then passed through the interface. A traffic flow is categorized yellow if it exceeds the CIR and the available committed bandwidth capacity accumulated in the first token bucket but conforms to the PIR. Nonconformance Measurement for Two-Rate Three-Color Marking Two-rate three-color policer configurations include a second rate limit—the peak-information-rate (PIR)—that you set to the expected average data rate for traffic arriving at or departing from the interface under peak conditions. Juniper Networks. Packets in a red flow are implicitly marked with high PLP and then either passed through the interface or optionally discarded. Packets in a red flow are implicitly marked with high PLP and then either passed through the interface or optionally discarded. Related Documentation • • • • • • • Three-Color Policer Configuration Overview on page 311 Policer Color-Marking and Actions on page 318 committed-burst-size on page 468 committed-information-rate on page 470 excess-burst-size on page 472 peak-burst-size on page 488 peak-information-rate on page 490 Calculation of Policer Burst-Size Limit This topic covers the following information: • • • Guidelines for Choosing a Burst-Size Limit on page 323 Burst-Size Limit Based on the Line Rate of the Interface on page 325 Burst-Size Limit Based on the MTU of Traffic on the Interface on page 325 Guidelines for Choosing a Burst-Size Limit A policer burst-size limit controls the number of bytes of traffic that can pass through a policed interface unrestricted when a burst of traffic pushes the average transmit or receive rate above the configured bandwidth limit. 323 . Inc. but only up to the maximum number of bytes specified by the PBS. any unused peak bandwidth capacity accumulates in the second token bucket. The actual number of bytes of bursty Copyright © 2011.Chapter 10: Introduction to Traffic Policers A traffic flow is categorized red its average rate exceeds the CIR and the available bandwidth capacity accumulated in the second bucket. Two-rate three-color policer configurations also include a second burst size—the peak burst size (PBS)—that defines the maximum number of bytes for which the second token bucket can accumulate unused peak bandwidth capacity. During periods of relatively little peak traffic (traffic that arrives at or departs from the interface at average rates that exceed the PIR).

Junos OS implements two-color policers using a single token bucket algorithm and implements three-color policers using a dual token bucket algorithm. the bits-per-second rate configured as a bandwidth limit is conceptualized the token arrival rate for a token bucket. The amount of time to allow a burst of traffic at the full line rate of a policed interface should not be lower than 5 milliseconds. In cases where the line rate of the target interface is unknown. unused tokens accumulate in the bucket.Junos OS 11. Inc. Juniper Networks. too few packets will be rate-limited. If you set the burst-size limit too high. The number of tokens remaining in the bucket at any given time is a function of the token bucket depth and the overall traffic load. The token bucket is initially filled to capacity. and the number of bytes configured as a policer burst-size limit is conceptualized as the bucket depth for the corresponding bucket. and so the policer allows an initial traffic burst (back-to-back traffic at average rates that exceed the token arrival rate) up to the size of the token bucket depth. The following general guidelines apply to choosing a policer burst-size limit: • A burst-size limit should not be set lower than 10 times the maximum transmission unit (MTU) of the traffic on the interface to be policed. too many packets will be subjected to rate-limiting. depending on the overall traffic load. see “Policer Bandwidth and Burst-Size Limits” on page 316. For more information. NOTE: If you set the burst-size limit too low. . The minimum and maximum values you can specify for a policer burst-size limit depends on the policer type (two-color. or hierarchical). but only up to the configured token bucket depth. 324 Copyright © 2011. you can choose a burst-size limit based on the MTU of the traffic on the target interface.4 Firewall Filter and Policer Configuration Guide traffic allowed to pass through a policed interface can vary from zero to the configured burst-size limit. three-color. • • BEST PRACTICE: The preferred method for choosing a burst-size limit is based on the line rate of the interface on which you apply the policer and the amount of time you want to allow a burst of traffic at the full line rate. During periods of relatively low traffic (traffic that arrives at or departs from the interface at average rates below the token arrival rate). In both of these models.

At the minimum.000.005 seconds x 1 byte / 8 bits = 625. and then divide by 8 bits to convert from bits to bytes. 325 .000.005 seconds) as the starting point for the allowable amount of time for a burst of traffic.000.000 bytes or greater. suppose that you are configuring a policer for an interface that carries traffic with an MTU of 4700 bytes.000 bytes Fast Ethernet Gigabit Ethernet 10-Gigabit Ethernet 100 Mbps 5 ms 1000 Mbps 5 ms 10.500 bytes 1. Related Documentation • • • Policer Bandwidth and Burst-Size Limits on page 316 Policer Color-Marking and Actions on page 318 Single Token Bucket Algorithm on page 319 Copyright © 2011.005 seconds x 1 byte / 8 bits = 28.Chapter 10: Introduction to Traffic Policers Burst-Size Limit Based on the Line Rate of the Interface To calculate the burst-size limit based on the line rate of the interface: • Multiply the interface line rate (in bits per second) by the amount of time (in seconds) to allow a burst of traffic at the full line rate.125 bytes 100. burst-size limit in bytes = interface media rate x allowable time for bursty traffic / 8 bits We recommend that you use a value of 5 ms (0. The recommended burst-size limit is 47.000 bps x 0.000 bps x 0. Inc.000. Table 35 on page 325 shows example calculations of burst-size limits for various physical interface types.000 bpsm x 0.000 bytes 10.000.000.000 bps x 0.005 seconds x 1 byte / 8 bits = 62. Table 35: Example Calculations of Policer Burst-Size Limit Target Interface Type DS3 Line Rate 45 Mbps Allowed Burst Period 5 ms Calculation of Policer Burst-Size Limit Based on a Target Interface Line Rate and an Allowed Burst Period 45.005 seconds x 1 byte / 8 bits = 6.000 Mbps 5 ms Burst-Size Limit Based on the MTU of Traffic on the Interface To calculate the burst-size limit based on the MTU of traffic on the interface: • Multiply the interface traffic MTU by a factor of 10 or greater. burst-size limit in bytes = interface traffic MTU x 10 For example. the burst size should be at least one interface MTU. Juniper Networks.250.

. which can be used to select different per-hop forwarding treatments for the packet.4 Firewall Filter and Policer Configuration Guide • Dual Token Bucket Algorithms on page 321 Supported Standards for Policing Three-color policers are part of an assured forwarding (AF) per-hop-behavior (PHB) classification system for a Differentiated Services (DiffServ) environment. Juniper Networks. Within the DSCP field. Inc. the most significant 6 bits of the type-of-service (ToS) octet in the IP header contain a value called the Differentiated Services code point (DSCP). Assured Forwarding PHB Group RFC 2598. 326 Copyright © 2011. A Two Rate Three Color Marker • • • • In a DiffServ environment. the most significant 3 bits are interpreted as the IP precedence field. An Expedited Forwarding PHB RFC 2698. An Architecture for Differentiated Service RFC 2597. which is described and defined in the following RFCs: • RFC 2474. Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers RFC 2475.Junos OS 11.

327 . Burst-size limit—The maximum size permitted for bursts of data. the effective bandwidth limit is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate. If a percentage value is specified. You can specify the bandwidth limit as an absolute number of bits per second or as a percentage value from 1 through 100. • • • • • • Basic Single-Rate Two-Color Policers on page 327 Bandwidth Policers on page 343 Filter-Specific Counters and Policers on page 352 Prefix-Specific Counting and Policing Actions on page 359 Multifield Classification on page 375 Policer Overhead to Account for Rate Shaping in the Traffic Manager on page 390 Basic Single-Rate Two-Color Policers • • • Single-Rate Two-Color Policer Overview on page 327 Example: Configuring a Single-Rate Two-Color Policer on page 328 Example: Configuring Interface and Firewall Filter Policers at the Same Interface on page 334 Single-Rate Two-Color Policer Overview Single-rate two color policing enforces a configured rate of traffic flow for a particular service level by applying implicit or configured actions to traffic that does not conform to the limits. • Copyright © 2011. When you apply a single-rate two-color policer to the input or output traffic at an interface. Juniper Networks. the policer meters the traffic flow to the rate limit defined by the following components: • Bandwidth limit—The average number of bits per second permitted for packets received or transmitted at the interface. Inc.CHAPTER 11 Single-Rate Two-Color Policer Configuration This chapter covers two-color policing applied to Layer 3 traffic.

Inc. . you should know the line rate of the interface (preferred) or else the maximum transmission unit (MTU) of the traffic on the target interface. or the action might be to re-mark the packet with a specified forwarding class.4 Firewall Filter and Policer Configuration Guide For a traffic flow that conforms to the configured limits (categorized as green traffic). you can estimate a starting value of 10 times the MTU. To rate-limit Layer 3 traffic. you can apply a two-color policer as a logical interface policer only. As described in “Calculation of Policer Burst-Size Limit” on page 323. a specified PLP. Also assume that you do not know the line rate of the target interface. To set the maximum burst size of the policer. 328 Copyright © 2011. and then transmit the packet. You cannot apply a two-color policer to Layer 2 traffic through a firewall filter. Juniper Networks. you can apply a two-color policer in the following ways: • • Directly to a logical interface. at a specific protocol level. For a traffic flow that exceeds the configured limits (categorized as red traffic). packets are handled according to the traffic-policing actions configured for the policer. you configure a single-rate two-color policer and then use an IPv4 firewall filter to apply the policer to all traffic except for BGP messages. Topology Assume that you know the traffic flow needs to be rate-limited to an average bandwidth of 9 Mbps. packets are implicitly marked with a packet loss priority (PLP) level of low and are allowed to pass through the interface unrestricted.Junos OS 11. To rate-limit Layer 2 traffic. but you do know that the MTU of traffic on the interface is 4700 bytes. As the action of a standard stateless firewall filter that is applied to a logical interface. The action might be to discard the packet. You apply the firewall filter to the input and output of the same logical interface. • • • • Requirements on page 328 Overview on page 328 Configuration on page 329 Verification on page 333 Requirements No special configuration beyond device initialization is required before configuring this example. or both. at a specific protocol level. Overview In this example. Example: Configuring a Single-Rate Two-Color Policer This example shows how to configure a single-rate two-color policer that you apply to a logical interface as a firewall filter action.

remove any line breaks.39. Inc.Chapter 11: Single-Rate Two-Color Policer Configuration Configuration The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI. 329 . and then paste the commands into the CLI at the [edit] hierarchy level. [edit] user@host# edit interfaces so-1/3/0 unit 0 family inet address 10. see “Using the CLI Editor in Configuration Mode” on page 15.1/16 2.1. set interfaces so-1/3/0 unit 0 family inet address 10.1. Commit the configuration. copy the following configuration commands into a text file. To configure this example. Monitor the traffic flow at the interface (press ’q’ to terminate monitoring).0 The traffic statistics report the input and output rates before applying interface rate limiting. perform the following tasks: • Configuring the Logical Interface and Monitoring the Traffic Rate Without Policing on page 329 Configuring the Basic Single-Rate Two-Color Policer on page 330 Referencing the Policer from a Term in a Stateless Firewall Filter on page 331 Applying the Firewall Filter to the Input and Output of the Logical Interface on page 332 • • • CLI Quick Configuration To quickly configure this example.1/16 set firewall policer p-9m-47k-discard if-exceeding bandwidth-limit 9m set firewall policer p-9m-47k-discard if-exceeding burst-size-limit 47k set firewall policer p-9m-47k-discard then discard set firewall family inet filter rate-limit-in term t1 from protocol tcp set firewall family inet filter rate-limit-in term t1 from port bgp set firewall family inet filter rate-limit-in term t1 then accept set firewall family inet filter rate-limit-in term t2 then policer p-9m-47k-discard set firewall family inet filter rate-limit-in term t2 then accept set interfaces so-1/3/0 unit 0 family inet filter input rate-limit-in set interfaces so-1/3/0 unit 0 family inet filter output rate-limit-in Configuring the Logical Interface and Monitoring the Traffic Rate Without Policing Step-by-Step Procedure To configure the logical interface and monitor the traffic rate: 1. Configure IPv4 on the logical interface. [edit] user@host# commit 3.39. Copyright © 2011. [edit] user@host# run monitor interface so-1/3/0. Juniper Networks.

which does not require any of the following statements: • filter-specific—You can include this statement so that.1/16 } } } Configuring the Basic Single-Rate Two-Color Policer Step-by-Step Procedure To configure the basic single-rate two-color policer: 1. If the command output does not display the intended configuration. Inc. [edit firewall policer p-9m-47k-discard] 330 Copyright © 2011. . • logical-bandwidth-policer—Include this statement only if the policer bandwidth limit is specified as a percentage value (using the bandwidth-percent percent statement) and you want the bandwidth limit to be based on the configured shaping rate for the target logical interface. [edit] user@host# edit firewall policer p-9m-47k-discard NOTE: This example illustrates a basic two-color policer. 2.Junos OS 11.1. • logical-interface-policer—Include this statement only if you apply the policer directly to a physical or logical interface to rate-limit traffic for any configured protocol family based on the physical interface media rate. [edit] user@host# show interfaces so-3/3/0 { unit 0 { family inet { address 10. • physical-interface-policer—Include this statement if you apply the policer to packets filtered by a standard stateless firewall filter term and you want the policer to meter the aggregate traffic (all protocol families and logical interfaces configured on the underlying physical interface).39. Juniper Networks. Enable configuration of a single-rate two-color policer.4 Firewall Filter and Policer Configuration Guide Results Confirm the configuration of the logical interface by entering the show interfaces configuration mode command. a single instance of the policer is used by all terms within the same firewall filter. Configure the policer to rate-limit to an average bandwidth of 9 Mbps and a burst size of 47 KB. when this policer is applied as a firewall filter policer. repeat the instructions in this procedure to correct the configuration.

Configure the first term to accept all BGP traffic. Juniper Networks. see “Calculation of Policer Burst-Size Limit” on page 323. 3. the forwarding class assignment. BGP messages are transported over TCP port 179. Inc. If the command output does not display the intended configuration. or both. 331 . For a single-rate two-color policer. When the traffic flow conforms to these limits. the flow is categorized as green. packets in a green flow are implicitly set to a low packet loss priority (PLP) level. } Referencing the Policer from a Term in a Stateless Firewall Filter Step-by-Step Procedure To reference the policer from a term in a stateless firewall filter: 1. you can set the PLP level. [edit firewall family inet filter rate-limit-in] user@host# set term t1 from protocol tcp user@host# set term t1 from port bgp user@host# set term t1 then accept The BGP traffic is not rate-limited to avoid having the BGP session time out because the packet is discarded by the policer. } then discard. [edit firewall policer p-9m-47k-discard] user@host# set then discard Instead of discarding the traffic that exceeds the traffic limits. Configure the policer to discard packets in a red traffic flow. [edit] user@host# edit firewall family inet filter rate-limit-in 2. Enable configuration of the stateless firewall filter. repeat the instructions in this procedure to correct the configuration.Chapter 11: Single-Rate Two-Color Policer Configuration user@host# set if-exceeding bandwidth-limit 9m user@host# set if-exceeding burst-size-limit 47k For information about configuring the burst size. [edit firewall family inet filter rate-limit-in] user@host# set term t2 then policer p-9m-47k-discard user@host# set term t2 then accept Copyright © 2011. [edit] user@host# show firewall policer p-9m-47k-discard { if-exceeding { bandwidth-limit 9m. Configure the second term to rate-limit all other traffic using the policer. burst-size-limit 47k. Results Confirm the configuration of the policer by entering the show firewall configuration mode command. 3.

} term t2 { then { policer p-9m-47k-discard. . port bgp. repeat the instructions in this procedure to correct the configuration. Apply the stateless firewall filter. accept. If the command output does not display the intended configuration. [edit] user@host# edit interfaces so-1/3/0 unit 0 family inet 2. } then accept. } Applying the Firewall Filter to the Input and Output of the Logical Interface Step-by-Step Procedure To apply the stateless firewall filter to the input and output of the logical interface: 1. Enable configuration of IPv4 on the logical interface.4 Firewall Filter and Policer Configuration Guide Results Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. burst-size-limit 47k. [edit] user@host# show interfaces so-3/3/0 { unit 0 { family inet { filter { 332 Copyright © 2011. } } } } policer p-9m-47k-discard { if-exceeding { bandwidth-limit 9m. [edit] user@host# show firewall family inet { filter rate-limit-in { term t1 { from { protocol tcp. If the command output does not display the intended configuration. Juniper Networks. [edit interfaces so-1/3/0 unit 0 family inet] user@host# set filter input rate-limit-in user@host# set filter output rate-limit-in Results Confirm the configuration of the logical interface by entering the show interfaces configuration mode command. Inc. } then discard. repeat the instructions in this procedure to correct the configuration.Junos OS 11.

1.Chapter 11: Single-Rate Two-Color Policer Configuration input rate-limit-in. } address 10. Juniper Networks. Action Monitor the traffic flow at the interface (press ’q’ to terminate monitoring). 333 .0 The traffic statistics report the input and output rate after applying interface rate limiting. } } } If you are done configuring the device. and the number of packets Copyright © 2011. output rate-limit-in. To ensure that the configured traffic limits are throttling the traffic rate as intended: 1. Inc. enter commit from configuration mode. the name of the filter term (t2) under which the policer action is specified. 2. • • Monitoring and Adjusting Policing of the Logical Interface on page 333 Displaying the Number of Packets Processed by the Policer at the Logical Interface on page 333 Monitoring and Adjusting Policing of the Logical Interface Purpose Ensure that the traffic limits configured in the policer are throttling the input and output rate as you intended. [edit] user@host# run monitor interface so-1/3/0. Adjust the burst-size limit if necessary. Displaying the Number of Packets Processed by the Policer at the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.1/16. Use the show firewall operational mode command for the filter you applied to the logical interface: [edit] user@host# run show firewall filter rate-limit-in Filter: rate-limit-in Policers: Name p-9m-47k-discard-t2 Action Packets 32863 The command output displays the name of policer (p-9m-47k-discard). Verification Confirm that the configuration is working properly.39. If the policer appears to be throttling the input and output rate more than you intended. increase the burst size (possibly doubling it) and then check again.

Two policers are applied to the interface through a firewall filter. By default. • • • • Requirements on page 334 Overview on page 334 Configuration on page 335 Verification on page 341 Requirements No special configuration beyond device initialization is required before configuring this example. Inc.Junos OS 11.4 Firewall Filter and Policer Configuration Guide that matched the filter term. Juniper Networks. Only single-rate two-color policers can be configured with a percentage bandwidth specification. to rate-limit traffic to 1 Mbps with a burst size of 5000 bytes. You configure the policer named p-ftp-10p-500k-discard to rate-limit traffic to a 10 percent bandwidth with a burst size of 500 KB by discarding packets that do not conform to these limits. and you apply these policers to IPv4 input traffic at the logical interface by using an IPv4 standard stateless firewall filter. You configure another firewall-filter term to apply this policer to File Transfer Protocol (FTP) packets. . • A policer that you configure with a bandwidth limit expressed as a percentage value (rather than as an absolute bandwidth value) is called a bandwidth policer. Example: Configuring Interface and Firewall Filter Policers at the Same Interface This example shows how to configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag virtual LAN (VLAN) logical interface. the policer is said to be applied as a firewall-filter policer. the policer is said to be applied as an interface policer. 334 Copyright © 2011. When you apply a policer directly to protocol-specific traffic at a logical interface. You configure one of the firewall filter terms to apply this policer to Internet Control Message Protocol (ICMP) packets. This is only the number of out-of-specification (out-of-spec) packet counts. When you apply a policer to protocol-specific traffic at a logical interface through a firewall filter action. You configure the other two policers to allow burst sizes of 500 KB. a bandwidth policer rate-limits traffic to the specified percentage of the line rate of the physical interface underlying the target logical interface. You configure one policer. named p-all-1m-5k-discard. You apply this policer directly to IPv4 input traffic at the logical interface. Overview In this example. • You configure the policer named p-icmp-500k-500k-discard to rate-limit traffic to 500 Kbps with a burst size of 500 K bytes by discarding packets that do not conform to these limits. and one policer is applied directly to the interface. not all packets policed by the policer. you configure three single-rate two-color policers and apply the policers to the IPv4 input traffic at the same single-tag VLAN logical interface.

20. 335 . and then paste the commands into the CLI at the [edit] hierarchy level. unique policers and counters would be created for each interface to which the filter is applied. see “Using the CLI Editor in Configuration Mode” on page 15. This means that the policer you configure with the 10-percent bandwidth-limit (the policer that you apply to FTP packets) rate-limits the FTP traffic on this interface to 10 Mbps. copy the following configuration commands into a text file.Chapter 11: Single-Rate Two-Color Policer Configuration Topology You configure the target logical interface as a single-tag VLAN logical interface on a Fast Ethernet interface operating at 100 Mbps.240. if this firewall filter were to be applied to multiple interfaces instead of just the Fast Ethernet interface in this example. the firewall filter that references this policer must be configured as an interface-specific filter. Therefore. The firewall filter that you configure to reference two of the policers must be configured as an interface-specific filter. remove any line breaks. set interfaces fe-0/1/1 vlan-tagging set interfaces fe-0/1/1 unit 0 vlan-id 100 set interfaces fe-0/1/1 unit 0 family inet address 10. you do not configure the bandwidth policer as a logical-bandwidth policer.1/24 set firewall policer p-all-1m-5k-discard if-exceeding bandwidth-limit 1m set firewall policer p-all-1m-5k-discard if-exceeding burst-size-limit 5k set firewall policer p-all-1m-5k-discard then discard set firewall policer p-ftp-10p-500k-discard if-exceeding bandwidth-percent 10 set firewall policer p-ftp-10p-500k-discard if-exceeding burst-size-limit 500k set firewall policer p-ftp-10p-500k-discard then discard set firewall policer p-icmp-500k-500k-discard if-exceeding bandwidth-limit 500k set firewall policer p-icmp-500k-500k-discard if-exceeding burst-size-limit 500k set firewall policer p-icmp-500k-500k-discard then discard Copyright © 2011. Juniper Networks. To configure this example. Configuration The following example requires you to navigate various levels in the configuration hierarchy.15. the percentage is based on the physical media rate rather than on the configured shaping rate of the logical interface. Thus. Because the policer that is used to rate-limit FTP packets specifies the bandwidth limit as a percentage value. For information about navigating the CLI. Inc.20. perform the following tasks: • • • • Configuring the Single-Tag VLAN Logical Interface on page 336 Configuring the Three Policers on page 337 Configuring the IPv4 Firewall Filter on page 339 Applying the Interface Policer and Firewall Filter Policers to the Logical Interface on page 340 CLI Quick Configuration To quickly configure this example.1/24 set interfaces fe-0/1/1 unit 1 vlan-id 101 set interfaces fe-0/1/1 unit 1 family inet address 10. NOTE: In this example.

Enable single-tag VLAN framing.1/24.15.1/24 Results Confirm the configuration of the VLAN by entering the show interfaces configuration mode command. [edit interfaces fe-0/1/1] user@host# set unit 0 family inet address 10.240.1/24.20.4 Firewall Filter and Policer Configuration Guide set firewall family inet filter filter-ipv4-with-limits interface-specific set firewall family inet filter filter-ipv4-with-limits term t-ftp from protocol tcp set firewall family inet filter filter-ipv4-with-limits term t-ftp from port ftp set firewall family inet filter filter-ipv4-with-limits term t-ftp from port ftp-data set firewall family inet filter filter-ipv4-with-limits term t-ftp then policer p-ftp-10p-500k-discard set firewall family inet filter filter-ipv4-with-limits term t-icmp from protocol icmp set firewall family inet filter filter-ipv4-with-limits term t-icmp then policer p-icmp-500k-500k-discard set firewall family inet filter filter-ipv4-with-limits term catch-all then accept set interfaces fe-0/1/1 unit 1 family inet filter input filter-ipv4-with-limits set interfaces fe-0/1/1 unit 1 family inet policer input p-all-1m-5k-discard Configuring the Single-Tag VLAN Logical Interface Step-by-Step Procedure To configure the single-tag VLAN logical interface: 1. [edit interfaces fe-0/1/1] user@host# set vlan-tagging 3.20.Junos OS 11. Inc.20. 336 Copyright © 2011. Configure IPv4 on the single-tag VLAN logical interfaces. Enable configuration of the Fast Ethernet interface. [edit interfaces fe-0/1/1] user@host# set unit 0 vlan-id 100 user@host# set unit 1 vlan-id 101 4. [edit] user@host# edit interfaces fe-0/1/1 2.240. If the command output does not display the intended configuration. . family inet { address 10. Juniper Networks.20. [edit] user@host# show interfaces fe-0/1/1 { vlan-tagging. unit 0 { vlan-id 100.1/24 user@host# set unit 1 family inet address 10. } } unit 1 { vlan-id 101. repeat the instructions in this procedure to correct the configuration.15. family inet { address 10. Bind VLAN IDs to the logical interfaces.

Chapter 11: Single-Rate Two-Color Policer Configuration } } } Configuring the Three Policers Step-by-Step Procedure To configure the three policers: 1. [edit] user@host# edit firewall policer p-all-1m-5k-discard 2. Juniper Networks. NOTE: You apply this policer directly to all IPv4 input traffic at the single-tag VLAN logical interface. Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth specified as “10 percent” and a burst size of 500. You apply this policer as the action of an IPv4 firewall filter term that matches FTP packets from TCP. so the packets will not be filtered before being subjected to rate limiting. [edit firewall policer p-ftp-10p-500k-discard] user@host# set if-exceeding bandwidth-percent 10 user@host# set if-exceeding burst-size-limit 500k user@host# set then discard Because the bandwidth limit is specified as a percentage.000 bytes. the firewall filter that references this policer must be configured as an interface-specific filter. Inc. Configure policing limits and actions. You apply this policer only to the FTP traffic at the single-tag VLAN logical interface. Configure the first policer. Copyright © 2011. 337 . [edit firewall policer p-all-1m-5k-discard] user@host# set if-exceeding bandwidth-limit 1m user@host# set if-exceeding burst-size-limit 5k user@host# set then discard 3. Enable configuration of a two-color policer that discards packets that do not conform to a bandwidth of 1 Mbps and a burst size of 5000 bytes. [edit firewall policer p-all-1m-5k-discard] user@host# up [edit] user@host# edit firewall policer p-ftp-10p-500k-discard 4.

[edit firewall policer p-icmp-500k-500k-discard] user@host# set if-exceeding bandwidth-limit 500k user@host# set if-exceeding burst-size-limit 500k user@host# set then discard Results Confirm the configuration of the policers by entering the show firewall configuration mode command. } then discard.4 Firewall Filter and Policer Configuration Guide NOTE: If you wanted this policer to rate-limit to 10 percent of the logical interface configured shaping rate (rather than to 10 percent of the physical interface media rate). [edit] user@host# show firewall policer p-all-1m-5k-discard { if-exceeding { bandwidth-limit 1m. } policer p-icmp-500k-500k-discard { if-exceeding { bandwidth-limit 500k. This type of policer is called a logical-bandwidth policer. Enable configuration of the IPv4 firewall filter policer for ICMP packets. } 338 Copyright © 2011. Inc. burst-size-limit 500k. If the command output does not display the intended configuration. 5. [edit firewall policer p-ftp-10p-500k-discard] user@host# up [edit] user@host# edit firewall policer p-icmp-500k-500k-discard 6. } policer p-ftp-10p-500k-discard { if-exceeding { bandwidth-percent 10. } then discard. } then discard. burst-size-limit 5k. Juniper Networks.Junos OS 11. Configure policing limits and actions. you would need to include the logical-bandwidth-policer statement at the [edit firewall policer p-all-1m-5k-discard] hierarchy level. repeat the instructions in this procedure to correct the configuration. burst-size-limit 500k. .

[edit firewall family inet filter filter-ipv4-with-limits] user@host# set interface-specific The firewall filter must be interface-specific because one of the policers referenced is configured with a bandwidth limit expressed as a percentage value. 3. [edit firewall family inet filter filter-ipv4-with-limits term t-ftp] user@host# up [edit firewall family inet filter filter-ipv4-with-limits] user@host# edit term t-icmp 6. Enable configuration of the IPv4 firewall filter. Configure the filter term to match FTP packets. Configure the filter term for ICMP packets [edit firewall family inet filter filter-ipv4-with-limits term t-icmp] user@host# set from protocol icmp user@host# set then policer p-icmp-500k-500k-discard 7.Chapter 11: Single-Rate Two-Color Policer Configuration Configuring the IPv4 Firewall Filter Step-by-Step Procedure To configure the IPv4 firewall filter: 1. 339 . [edit firewall family inet filter filter-ipv4-with-limits term t-icmp] user@host# up [edit firewall family inet filter filter-ipv4-with-limits] user@host# set term catch-all then accept Copyright © 2011. 4. Configure the firewall filter as interface-specific. Inc. [edit firewall family inet filter filter-ipv4-with-limits] user@host# edit term t-ftp [edit firewall family inet filter filter-ipv4-with-limits term t-ftp] user@host# set from protocol tcp user@host# set from port [ ftp ftp-data ] FTP messages are sent over TCP port 20 (ftp) and received over TCP port 21 (ftp-data). Enable configuration of a filter term to rate-limit FTP packets. Configure a filter term to accept all other packets without policing. Enable configuration of a filter term to rate-limit ICMP packets. Juniper Networks. [edit firewall family inet filter filter-ipv4-with-limits term t-ftp] user@host# set then policer p-ftp-10p-500k-discard 5. [edit] user@host# edit firewall family inet filter filter-ipv4-with-limits 2.

Enable configuration of IPv4 on the logical interface. port [ ftp ftp-data ]. Juniper Networks. } } } policer p-all-1m-5k-discard { if-exceeding { bandwidth-limit 1m. burst-size-limit 500k. } then discard. [edit] user@host# show firewall family inet { filter filter-ipv4-with-limits { interface-specific. } then discard. If the command output does not display the intended configuration. } term catch-all { then accept. term t-ftp { from { protocol tcp. } then discard.Junos OS 11. . } term t-icmp { from { protocol icmp. } then policer p-ftp-10p-500k-discard. repeat the instructions in this procedure to correct the configuration. Inc. } policer p-ftp-10p-500k-discard { if-exceeding { bandwidth-percent 10. burst-size-limit 5k. } then policer p-icmp-500k-500k-discard. burst-size-limit 500k. } policer p-icmp-500k-500k-discard { if-exceeding { bandwidth-limit 500k. } Applying the Interface Policer and Firewall Filter Policers to the Logical Interface Step-by-Step Procedure To apply the three policers to the VLAN: 1. [edit] 340 Copyright © 2011.4 Firewall Filter and Policer Configuration Guide Results Confirm the configuration of the firewall filter by entering the show firewall configuration mode command.

Chapter 11: Single-Rate Two-Color Policer Configuration user@host# edit interfaces fe-0/1/1 unit 1 family inet 2.1/24. family inet { address 10. 341 . [edit interfaces fe-0/1/1 unit 1 family inet] user@host# set filter input filter-ipv4-with-limits 3.0 are evaluated against the interface policer before they are evaluated against the firewall filter policers. [edit interfaces fe-0/1/1 unit 1 family inet] user@host# set policer input p-all-1m-5k-discard Input packets at fe-0/1/1. enter commit from configuration mode. Juniper Networks. If the command output does not display the intended configuration.20. } policer { input p-all-1m-5k-discard.240. • • • • Displaying Policers Applied Directly to the Logical Interface on page 342 Displaying Statistics for the Policer Applied Directly to the Logical Interface on page 342 Displaying the Policers and Firewall Filters Applied to an Interface on page 342 Displaying Statistics for the Firewall Filter Policers on page 343 Copyright © 2011.15. Results Confirm the configuration of the interface by entering the show interfaces configuration mode command. } address 10. see “Order of Policer and Firewall Filter Operations” on page 304. } } unit 1 { vlan-id 101.20. Verification Confirm that the configuration is working properly. Inc. Apply the interface policer to the interface.1/24. [edit] user@host# show interfaces fe-0/1/1 { vlan-tagging. repeat the instructions in this procedure to correct the configuration. unit 0 { vlan-id 100. family inet { filter { input filter-ipv4-with-limits. For more information. } } } If you are done configuring the device. Apply the firewall filter policers to the interface.

Use the show policer operational mode command and optionally specify the name of the policer. Use the show interfaces policers operational mode command for logical interface fe-0/1/1.1-inet-i Action In this example. user@host> show policer p-all-1m-5k-discard-fe-0/1/1.1-inet-i Policers: Name Packets p-all-1m-5k-discard-fe-0/1/1. Displaying Statistics for the Policer Applied Directly to the Logical Interface Purpose Action Verify the number of packets evaluated by the interface policer.1 up up inet p-all-1m-5k-discard-fe-0/1/1. Under the Protocol inet section of the command output section.4 Firewall Filter and Policer Configuration Guide Displaying Policers Applied Directly to the Logical Interface Purpose Verify that the interface policer is evaluated when packets are received on the logical interface.1.1. Juniper Networks.1-inet-i 5 Displaying the Policers and Firewall Filters Applied to an Interface Purpose Verify that the firewall filter filter-ipv4-with-limits is applied to the IPv4 input traffic at logical interface fe-0/1/1. the interface policer is applied to logical interface traffic in the input direction only. The command output section for the Proto column and Input Policer column shows that the policer p-all-1m-5k-discard is evaluated when packets are received on the logical interface.1 (Index 83) (SNMP ifIndex 545) (Generation 153) Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.1 Interface Admin Link Proto Input Policer Output Policer fe-0/1/1.Junos OS 11. and include the detail option. The command output displays the number of packets evaluated by each configured policer (or the specified policer). the Input Filters and Policer lines display the names of filter and policer applied to the logical interface in the input direction. .100 ] Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 46 Input packets: 0 Output packets: 1 Local statistics: Input bytes : 0 Output bytes : 46 Input packets: 0 Output packets: 1 Transit statistics: Action 342 Copyright © 2011. user@host> show interfaces statistics fe-0/1/1.1 detail Logical interface fe-0/1/1. in each direction. Inc. Use the show interfaces statistics operational mode command for logical interface fe-0/1/1. user@host> show interfaces policers fe-0/1/1.1.

1-i Packets 0 0 The command output displays the names of the policers (p-ftp-10p-500k-discard and p-icmp-500k-500k-discard). Local: 10. Juniper Networks. not all packets policed by the policer.20.1-i Policers: Name p-ftp-10p-500k-discard-t-ftp-fe-0/1/1.130/24.1-i Filter: filter-ipv4-with-limits-fe-0/1/1. respectively) under which the policer action is specified. Route table: 0 Flags: Sendbcast-pkt-to-re Input Filters: filter-ipv4-with-limits-fe-0/1/1. MTU: 1500. Generation: 169 In this example.1.Chapter 11: Single-Rate Two-Color Policer Configuration Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet. This is only the number of out-of-specification (out-of-spec) packet counts.1-i p-icmp-500k-500k-discard-t-icmp-fe-0/1/1.1-inet-i Addresses.20. combined with the names of the filter terms (t-ftp and t-icmp.20.1-i Policer: Input: p-all-1m-5k-discard-fe-0/1/1. The policer-specific output lines display the number of packets that matched the filter term. Generation: 176. Inc. Use the show firewall operational mode command for the filter you applied to the logical interface.130. Displaying Statistics for the Firewall Filter Policers Purpose Action Verify the number of packets evaluated by the firewall filter policers.255. Flags: Is-Preferred Is-Primary Destination: 10. the two firewall filter policers are applied to logical interface traffic in the input direction only. Broadcast: 10. Related Documentation • • • • • Order of Policer and Firewall Filter Operations on page 304 Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Guidelines for Applying Traffic Policers on page 316 Calculation of Policer Burst-Size Limit on page 323 Bandwidth Policers • • Bandwidth Policer Overview on page 344 Example: Configuring a Logical Bandwidth Policer on page 345 Copyright © 2011. 343 . [edit] user@host> show firewall filter filter-ipv4-with-limits-fe-0/1/1.130.

a bandwidth policer calculates the percentage bandwidth limit based on the physical interface port speed. • If you reference a bandwidth policer from a stateless firewall filter term. rate-limits traffic to a bandwidth limit that is calculated as a percentage of either the physical interface media rate or the logical interface configured shaping rate.Junos OS 11. To configure a bandwidth policer to calculate the percentage bandwidth limit based on the configured logical interface shaping rate instead. you include the bandwidth-percent percentage statement in place of the bandwidth-limit bps statement. called a bandwidth policer. you must include the interface-specific statement in the firewall filter configuration. • NOTE: If you configure a logical-bandwidth policer and then apply the policer to a logical interface that is not configured with a shaping rate. even if you include the logical-bandwidth-policer statement in the bandwidth policer configuration. you can specify the bandwidth limit as a percentage value from 1 through 100 instead of as an absolute number of bits per second. Guidelines for Configuring a Bandwidth Policer The following guidelines apply to configuring a bandwidth policer: • To specify a percentage bandwidth limit. then the policer rate-limits traffic on that logical interface to calculate the percentage bandwidth limit based on the physical interface port speed. A logical interface shaping rate causes the specified amount of bandwidth to be allocated to the logical interface. This type of bandwidth policer is called a logical bandwidth policer. By default. Guidelines for Applying a Bandwidth Policer The following guidelines pertain to applying a bandwidth policer to traffic: • You can use a bandwidth policer to rate-limit protocol-specific traffic (not family any) at the input or output of a logical interface. This type of two-color policer. • 344 Copyright © 2011. Inc. include the logical-bandwidth-policer statement at the [edit firewall policer policer-name] hierarchy level. You can apply a bandwidth policer directly to protocol-specific input or output traffic at a logical interface.4 Firewall Filter and Policer Configuration Guide Bandwidth Policer Overview For a single-rate two-color policer only. . You can configure a logical interface shaping rate by including the shaping-rate bps statement at the [edit class-of-service interfaces interface interface-name unit logical-unit-number] hierarchy level. Juniper Networks.

you configure a single-rate two-color policer that specifies the bandwidth limit as a percentage value rather than as an absolute number of bits per second. • • You cannot apply a bandwidth policer to an aggregate interface. make sure that you have two logical units available on a Gigabit Ethernet interface. This type of policer is called a bandwidth policer. To apply a logical bandwidth policer to a logical interface. Inc. a bandwidth policer enforces a bandwidth limit based on the line rate of the underlying physical interface. include the shaping-rate bps statement at the [edit class-of-service interfaces interface interface-name unit logical-unit-number] hierarchy level. you can reference the bandwidth policer from a stateless firewall filter term and then apply the filter to logical interface traffic for a specific protocol family. NOTE: If you configure a policer bandwidth limit as a percentage but a shaping rate is not configured for the target logical interface. • • • • Requirements on page 345 Overview on page 345 Configuration on page 346 Verification on page 350 Requirements Before you begin. you must include the interface-specific statement in the firewall filter configuration. Overview In this example. a tunnel interface. or a software interface.Chapter 11: Single-Rate Two-Color Policer Configuration • To send only selected packets to a bandwidth policer. This class-of-service (CoS) configuration statement causes the specified amount of bandwidth to be allocated to the logical interface. Example: Configuring a Logical Bandwidth Policer This example shows how to configure a logical bandwidth policer. Juniper Networks. By default. To configure this type of bandwidth policer. you can apply the policer directly to the logical interface at the protocol family level or (if you only need to rate-limit Copyright © 2011. 345 . called a logical bandwidth policer. You cannot use a bandwidth policer for forwarding-table filters. you include the logical-bandwidth-policer statement in the policer configuration. As an option. you can configure a bandwidth policer to enforce a bandwidth limit based on the configured shaping rate of the logical interface. • To reference a logical bandwidth policer from a firewall filter. the policer bandwidth limit is calculated as a percentage of the physical interface media rate. even if you enable the logical-bandwidth policing feature. To configure a logical interface shaping rate.

and then you apply the policer to input and output traffic at the logical units configured on ge-1/3/0. copy the following configuration commands into a text file.1. you allocate 2 Mbps of bandwidth. Configuration The following example requires you to navigate various levels in the configuration hierarchy. remove any line breaks.0. . if you apply a 50 percent bandwidth policer to input or output traffic at a Gigabit Ethernet logical interface without rate shaping. For logical interface ge-1/3/0.1/30 set interfaces ge-1/3/0 unit 1 vlan-id 200 set interfaces ge-1/3/0 unit 1 family inet address 172.1. On logical interface ge-1/3/0. You also configure a logical bandwidth policer with a bandwidth limit of 50 percent and a maximum burst size of 125.0. the policer rate-limits to a bandwidth limit calculated as 50 percent of the physical interface media rate. To configure this example. For logical interface ge-1/3/0. see “Using the CLI Editor in Configuration Mode” on page 15.1. the policer rate-limits to a bandwidth limit of 2 Mbps (50 percent of the 4 Mbps shaping rate configured for the logical interface). the policer applies a bandwidth limit of 500 Mbps (50 percent of 1000 Mbps).1/30 set class-of-service interfaces ge-1/3/0 unit 0 shaping-rate 4m set class-of-service interfaces ge-1/3/0 unit 1 shaping-rate 2m set firewall policer LB-policer logical-bandwidth-policer set firewall policer LB-policer if-exceeding bandwidth-percent 50 set firewall policer LB-policer if-exceeding burst-size-limit 125k 346 Copyright © 2011.2.Junos OS 11. set interfaces ge-1/3/0 per-unit-scheduler set interfaces ge-1/3/0 vlan-tagging set interfaces ge-1/3/0 unit 0 vlan-id 100 set interfaces ge-1/3/0 unit 0 family inet address 172.4 Firewall Filter and Policer Configuration Guide filtered packets) you can reference the policer from a stateless firewall filter configured to operate in interface-specific mode. you allocate 4 Mbps of bandwidth. you configure two logical interfaces on a single Gigabit Ethernet interface and configure a shaping rate on each logical interface.1. Juniper Networks. For information about navigating the CLI. For example.0. Topology In this example.1. the policer rate-limits traffic to a bandwidth limit of 1 Mbps (50 percent of the 2 Mbps shaping rate configured for the logical interface).000 bytes. perform the following tasks: • • Configuring the Logical Interfaces on page 347 Configuring Traffic Rate-Shaping by Specifying the Amount of Bandwidth to be Allocated to the Logical Interface on page 348 Configuring the Logical Bandwidth Policer on page 348 Applying the Logical Bandwidth Policers to the Logical Interfaces on page 349 • • CLI Quick Configuration To quickly configure this example. Inc. and then paste the commands into the CLI at the [edit] hierarchy level. On logical interface ge-1/3/0. If no shaping rate is configured for a target logical interface.

family inet { address 172.1.1. Configure the first logical interface. family inet { address 172.1.1/30 Results Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. If the command output does not display the intended configuration.Chapter 11: Single-Rate Two-Color Policer Configuration set firewall policer LB-policer then discard set interfaces ge-1/3/0 unit 0 family inet policer input LB-policer set interfaces ge-1/3/0 unit 0 family inet policer output LB-policer set interfaces ge-1/3/0 unit 1 family inet policer input LB-policer set interfaces ge-1/3/0 unit 1 family inet policer output LB-policer Configuring the Logical Interfaces Step-by-Step Procedure To configure the logical interfaces: 1. Inc.2. Juniper Networks.1. [edit] user@host# edit interfaces ge-1/3/0 [edit interfaces ge-1/3/0] user@host# set per-unit-scheduler user@host# set vlan-tagging 2. } } } Copyright © 2011. vlan-tagging.2. Configure the second logical interface.1. } } unit 1 { vlan-id 200.1/30 3.1. repeat the instructions in this procedure to correct the configuration.1/30. unit 0 { vlan-id 100.1/30. [edit interfaces ge-1/3/0] user@host# set unit 0 vlan-id 100 user@host# set unit 0 family inet address 172. [edit interfaces ge-1/3/0] user@host# set unit 1 vlan-id 200 user@host# set unit 1 family inet address 172. Enable configuration of the physical interface. [edit] user@host# show interfaces ge-1/3/0 { per-unit-scheduler. 347 .

[edit firewall policer LB-policer] user@host# set if-exceeding bandwidth-percent 50 user@host# set if-exceeding burst-size-limit 125k 348 Copyright © 2011. Configure rate shaping for the logical interfaces. [edit] user@host# edit firewall policer LB-policer 2. 3.Junos OS 11. . Enable configuration of a single-rate two-color policer. Configure the policer as a logical-bandwidth policer. [edit] user@host# show class-of-service interfaces { ge-1/3/0 { unit 0 { shaping-rate 4m. } } } Configuring the Logical Bandwidth Policer Step-by-Step Procedure To configure the logical bandwidth policer: 1.0 and 2 Mbps of bandwidth to logical unit ge-1/3/0. repeat the instructions in this procedure to correct the configuration. If the command output does not display the intended configuration. [edit] user@host# set unit 0 shaping-rate 4m user@host# set unit 1 shaping-rate 2m These statements allocate 4 Mbps of bandwidth to logical unit ge-1/3/0. Configure the policer traffic limits and actions. [edit] user@host# edit class-of-service interfaces ge-1/3/0 2. Enable CoS configuration on the physical interface. Inc. Juniper Networks. Results Confirm the configuration of the rate shaping by entering the show class-of-service configuration mode command. [edit firewall policer LB-policer] user@host# set logical-bandwidth-policer This applies the rate-limiting to logical interfaces.1.4 Firewall Filter and Policer Configuration Guide Configuring Traffic Rate-Shaping by Specifying the Amount of Bandwidth to be Allocated to the Logical Interface Step-by-Step Procedure To configure rate shaping by specifying the bandwidth to be allocated to the logical interface: 1. } unit 1 { shaping-rate 2m.

} Applying the Logical Bandwidth Policers to the Logical Interfaces Step-by-Step Procedure To configure the logical bandwidth policers to the logical interfaces: 1. If the command output does not display the intended configuration.1. if-exceeding { bandwidth-percent 50. } address 172. [edit] user@host# show firewall policer LB-policer { logical-bandwidth-policer. burst-size-limit 125k. family inet { policer { input LB-policer. unit 0 { vlan-id 100. repeat the instructions in this procedure to correct the configuration. vlan-tagging. [edit] user@host# show interfaces ge-1/3/0 { per-unit-scheduler. Apply the policing to the second logical interface. [edit interfaces ge-1/3/0] user@host# set unit 1 family inet policer input LB-policer user@host# set unit 1 family inet policer output LB-policer Results Confirm the configuration of the interfaces by entering the show interfaces configuration mode command. Apply the logical bandwidth policer to the first logical interface.1. repeat the instructions in this procedure to correct the configuration. output LB-policer.1/30. } then discard.Chapter 11: Single-Rate Two-Color Policer Configuration user@host# set then discard Results Confirm the configuration of the policer by entering the show firewall configuration mode command. [edit] user@host# edit interfaces ge-1/3/0 2. Juniper Networks. If the command output does not display the intended configuration. Inc. } Copyright © 2011. Enable configuration of the interface. [edit interfaces ge-1/3/0] user@host# set unit 0 family inet policer input LB-policer user@host# set unit 0 family inet policer output LB-policer 3. 349 .

family inet { policer { input LB-policer. • • Displaying Traffic Statistics and Policers for the Logical Interface on page 350 Displaying Statistics for the Policer on page 351 Displaying Traffic Statistics and Policers for the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.1/30.1.4 Firewall Filter and Policer Configuration Guide } unit 1 { vlan-id 200. Verification Confirm that the configuration is working properly.0-inet-o In this example.1. Use the show interfaces operational mode command for logical interfaces ge-1/3/0. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface. user@host> show interfaces ge-1/3/0.0 and ge-1/3/0. Inc. output LB-policer.0-inet-i Output: LB-policer-ge-1/3/0. } } } If you are done configuring the device.100 ] Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 46 Input packets: 0 Output packets: 1 Local statistics: Input bytes : 0 Output bytes : 46 Input packets: 0 Output packets: 1 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps 350 Copyright © 2011. Juniper Networks. .0 detail Logical interface ge-1/3/0.0 (Index 80) (SNMP ifIndex 154) (Generation 150) Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.2. the policer is applied to logical interface traffic in both the input and output directions. and include the detail or extensive option.Junos OS 11. enter commit from configuration mode. and the Protocol inet section contains a Policer field that lists the policer LB-policer as an input or output policer as follows: • • Action Input: LB-policer-ge-1/3/0. } address 172.

MTU: 1500. Inc. Local: 172.0-inet-o Addresses. MTU: 1500. in each direction.1.1-inet-o The -inet-i suffix denotes a policer applied to logical interface input traffic. Broadcast: 172. Route table: 0 Flags: Sendbcast-pkt-to-re Policer: Input: LB-policer-ge-1/3/0.0/30.3.1.1-inet-o Addresses.1-inet-i.0-inet-i.2. Route table: 0 Flags: Sendbcast-pkt-to-re Policer: Input: LB-policer-ge-1/3/0. the input and output policer names are displayed as follows: • • • • LB-policer-ge-1/3/0.1.1.2.200 ] Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 46 Input packets: 0 Output packets: 1 Local statistics: Input bytes : 0 Output bytes : 46 Input packets: 0 Output packets: 1 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet.0 and logical interface ge-1/3/0.1. Generation: 167 Displaying Statistics for the Policer Purpose Action Verify the number of packets evaluated by the policer. the policer is applied to both input and output traffic on logical interface ge-1/3/0.1. Generation: 165 user@host> show interfaces ge-1/3/0.3. Output: LB-policer-ge-1/3/0. 351 .1-inet-i LB-policer-ge-1/3/0.1.2.1.1. In this example. Flags: Is-Preferred Is-Primary Destination: 172.1.1. Generation: 174. Copyright © 2011. while the -inet-o suffix denotes a policer applied to logical interface output traffic. For the policer LB-policer. Broadcast: 172. Juniper Networks. Use the show policer operational mode command and optionally specify the name of the policer. Generation: 175. Local: 172. Output: LB-policer-ge-1/3/0.1 detail Logical interface ge-1/3/0.0/30.0-inet-i LB-policer-ge-1/3/0.0-inet-o LB-policer-ge-1/3/0.1 (Index 81) (SNMP ifIndex 543) (Generation 151) Flags: SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.Chapter 11: Single-Rate Two-Color Policer Configuration Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet.1. Flags: Is-Preferred Is-Primary Destination: 172. The command output displays the number of packets evaluated by each configured policer (or the specified policer).

To enable a single-rate two-color policer to operate in filter-specific mode.Junos OS 11. a policer operates in term-specific mode so that. For an IPv4 firewall filter with multiple terms that reference the same policer. Juniper Networks. the Junos OS creates a separate policer instance for every filter term that references the policer.1-inet-i LB-policer-ge-1/3/0.4 Firewall Filter and Policer Configuration Guide user@host> show policer Policers: Name __default_arp_policer__ LB-policer-ge-1/3/0. NOTE: Term-specific mode and filter-specific mode also apply to prefix-specific policer sets. for a given firewall filter.0-inet-i LB-policer-ge-1/3/0. As an option.0-inet-o LB-policer-ge-1/3/0. . configuring the policer to operate in filter-specific mode enables you to count and monitor the activity of the policer at the firewall filter level.1-inet-o Packets 0 0 0 0 0 Related Documentation • • • • • Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Guidelines for Applying Traffic Policers on page 316 bandwidth-percent on page 461 “interface-specific on page 290” in the Junos OS Firewall Filter and Policer Configuration Guide • • logical-bandwidth-policer on page 482 shaping-rate (Applying to an Interface) in the Junos OS Class of Service Configuration Guide Filter-Specific Counters and Policers • • Filter-Specific Policer Overview on page 352 Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods on page 353 Filter-Specific Policer Overview By default. you can include the filter-specific statement at the following hierarchy levels: • • [edit firewall policer policer-name] [edit logical-systems logical-system-name firewall policer policer-name] 352 Copyright © 2011. you can configure a policer to operate in filter-specific mode so that a single policer instance is used by all terms (within the same firewall filter) that reference the policer. Inc.

000.168. echo response packets.000. Packets that exceed the traffic rate are discarded.000 bps and the burst size to 15.000 bytes. All of these ICMP packets are counted in the icmp-counter counter. unreachable packets. • icmp-term—Polices echo request packets.000 bytes. Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods This example shows how to create a stateless firewall filter that protects against TCP and ICMP denial-of-service attacks. connection release packets (FIN flag bit equals 1). the bandwidth limit can be from 32.0/24. NOTE: You can move terms within the firewall filter by using the insert command. Inc.000 bps to 32. This example includes the following policers: • tcp-connection-policer—Limits the traffic rate of the TCP packets to 500. Policed packets include connection request packets (SYN and ACK flag bits equal 1 and 0). Overview In this example.Chapter 11: Single-Rate Two-Color Policer Configuration You can reference filter-specific policers from IPv4 (family inet) firewall filters only.2.000. 353 . See insert in the Junos OS CLI User Guide. and connection reset packets (RST flag bit equals 1). When specifying limits.500 bytes through 100.000 bytes. m (1. Copyright © 2011. These addresses are defined in the trusted-addresses prefix list.122.000. • • • • Requirements on page 353 Overview on page 353 Configuration on page 354 Verification on page 357 Requirements No special configuration beyond device initialization is required before configuring stateless firewall filters.000.0/24 or 10. Each policer is incorporated into the action of a filter term. Packets that exceed the traffic rate are discarded. and time-exceeded packets.000).000 bps and the burst size to 15.000).000. This example includes the following terms: • tcp-connection-term—Polices certain TCP packets with a source address of 192. Juniper Networks.000. you create a stateless firewall filter called protect-RE that polices TCP and ICMP packets.000). Use the following abbreviations when specifying limits: k (1.1. and g (1. • icmp-policer—Limits the traffic rate of the ICMP packets to 1.000 bps and the burst-size limit can be from 1.

Then configure the terms as described in “Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources” on page 118.Junos OS 11.4 Firewall Filter and Policer Configuration Guide If you want to include the terms created in this procedure in the protect-RE firewall filter configured in “Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources” on page 118. copy the following commands to a text file.1. NOTE: You can move terms within the firewall filter by using the insert command. [edit] set firewall family inet filter protect-RE term tcp-connection-term from source-prefix-list trusted-addresses set firewall family inet filter protect-RE term tcp-connection-term from protocol tcp set firewall family inet filter protect-RE term tcp-connection-term from tcp-flags "(syn & !ack) | fin | rst" set firewall family inet filter protect-RE term tcp-connection-term then policer tcp-connection-policer set firewall family inet filter protect-RE term tcp-connection-term then accept set firewall family inet filter protect-RE term icmp-term from protocol icmp set firewall family inet filter protect-RE term icmp-term from icmp-type echo-request set firewall family inet filter protect-RE term icmp-term from icmp-type echo-reply set firewall family inet filter protect-RE term icmp-term from icmp-type unreachable set firewall family inet filter protect-RE term icmp-term from icmp-type time-exceeded set firewall family inet filter protect-RE term icmp-term then policer icmp-policer set firewall family inet filter protect-RE term icmp-term then count icmp-counter set firewall family inet filter protect-RE term icmp-term then accept set firewall policer tcp-connection-policer filter-specific set firewall policer tcp-connection-policer if-exceeding bandwidth-limit 1m set firewall policer tcp-connection-policer if-exceeding burst-size-limit 15k set firewall policer tcp-connection-policer then discard set firewall policer icmp-policer filter-specific set firewall policer icmp-policer if-exceeding bandwidth-limit 1m set firewall policer icmp-policer if-exceeding burst-size-limit 15k set firewall policer icmp-policer then discard set policy-options prefix-list trusted-addresses 10. Configuration CLI Quick Configuration To quickly configure the stateless firewall filter. Inc. Define the first policer. This approach ensures that the rate-limiting terms are included as the first two terms in the firewall filter.2.0/24 Step-by-Step Procedure The following example requires you to navigate various levels in the configuration hierarchy. Juniper Networks. and then paste the commands into the CLI. [edit] 354 Copyright © 2011. For information about navigating the CLI.122. remove any line breaks. See insert in the Junos OS CLI User Guide. perform the configuration tasks in this example first.168. see “Using the CLI Editor in Configuration Mode” on page 15. . To configure stateless firewall filter policers: 1.0/24 set policy-options prefix-list trusted-addresses 192.

Chapter 11: Single-Rate Two-Color Policer Configuration user@host# edit firewall policer tcp-connection-policer 2. [edit firewall family inet filter protect-RE term tcp-connection-term] user@host# set then policer tcp-connection-policer accept Copyright © 2011. Define the rate limits for the policer. [edit] user@host# edit firewall policer icmp-policer 5. Define protocol match conditions for the term. Define the prefix list. Define the action for the policer. Define the actions for the term. [edit firewall family inet filter protect-RE term tcp-connection-term] user@host# set from protocol tcp tcp-flags "(syn & !ack) | fin | rst" 12. Define the second policer. Define the first term for the filter. [edit firewall policer tcp-connection-policer] user@host# set filter-specific user@host# set if-exceeding burst-size-limit 15k bandwidth-limit 1m 4. [edit firewall family inet filter protect-RE] user@host# edit term tcp-connection-term 10. [edit firewall policer icmp-policer] user@host# set then discard 6.122.168. [edit] user@host# set policy-options prefix-list trusted-addresses 192.1. Set the rate limits for the policer. Define the source address match condition for the term. 355 . [edit firewall family inet filter protect-RE term tcp-connection-term] user@host# set from source-prefix-list trusted-addresses 11.2. Define the action for the policer.0/24 8. [edit firewall policer icmp-policer] user@host# set filter-specific user@host# set if-exceeding burst-size-limit 15k bandwidth-limit 1m 7.0/24 user@host# set policy-options prefix-list trusted-addresses 10. [edit] user@host# edit firewall family inet filter protect-RE 9. Create the stateless firewall filter. Inc. Juniper Networks. [edit firewall policer tcp-connection-policer] user@host# set then discard 3.

[edit] user@host# edit firewall family inet filter protect-RE term icmp-term 14. repeat the instructions in this example to correct the configuration. . Juniper Networks. } then { policer tcp-connection-policer. [edit firewall family inet filter protect-RE term icmp-term] user@host# set from icmp-type [echo-request echo-reply unreachable time-exceeded] 16. count icmp-counter. Define the action for the term.Junos OS 11. accept. [edit firewall family inet filter protect-RE term icmp-term] user@host# set then policer icmp-policer count icmp-counter accept Results Confirm your configuration by entering the show firewall command and the show policy-options command from configuration mode. Define the second term. [edit firewall family inet filter protect-RE term icmp-term] user@host# set from protocol icmp 15. if-exceeding { 356 Copyright © 2011. Inc. } then { policer icmp-policer. accept.4 Firewall Filter and Policer Configuration Guide 13. icmp-type [ echo-request echo-reply unreachable time-exceeded ]. } protocol tcp. } } } } policer tcp-connection-policer { filter-specific. If the output does not display the intended configuration. tcp-flags "(syn & !ack) | fin | rst". Define the protocol for the term. user@host# show firewall family inet { filter protect-RE { term tcp-connection-term { from { source-prefix-list { trusted-addresses. Define the match conditions for the term. } } term icmp-term { from { protocol icmp.

Chapter 11: Single-Rate Two-Color Policer Configuration

bandwidth-limit 1m; burst-size-limit 15k; } then discard; } policer icmp-policer { filter-specific; if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; } then discard; } user@host# show policy-options prefix-list trusted-addresses { 10.2.1.0/24; 192.168.122.0/24; }

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.
• • •

Displaying Stateless Firewall Filter Configurations on page 357 Verifying a TCP and ICMP Flood Firewall Filter on page 357 Displaying Firewall Filter Statistics on page 358

Displaying Stateless Firewall Filter Configurations Purpose Action Meaning Verify the configuration of the firewall filter. From configuration mode, enter the show firewall command. Verify that the output shows the intended configuration of the firewall filter. In addition, verify that the terms are listed in the order in which you want the packets to be tested. You can move terms within a firewall filter by using the insert CLI command. Verifying a TCP and ICMP Flood Firewall Filter Purpose Action Verify that the actions of the firewall filter terms are taken. Send packets to the device that match the terms. In addition, verify that the filter actions are not taken for packets that do not match.

Verify that the device can establish only TCP sessions with a host at an IP address that matches 192.168.122.0/24 or 10.2.1.0/24. For example, log in to the device with the telnet host-name command from another host with one of these address prefixes. Use the ping host-name command to verify that the device responds only to ICMP packets (such as ping requests) that do not exceed the policer traffic rates.

Copyright © 2011, Juniper Networks, Inc.

357

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Use the ping host-name size bytes command to exceed the policer traffic rates by sending ping requests with large data payloads.

Sample Output
user@host> telnet 192.168.249.71 Trying 192.168.249.71... Connected to host.acme.net. Escape character is '^]'. host (ttyp0) login: user Password: --- JUNOS 6.4-20040521.1 built 2004-05-21 09:38:12 UTC user@host> user@host> ping 192.168.249.71 PING host-ge-000.acme.net (192.168.249.71): 56 data bytes 64 bytes from 192.168.249.71: icmp_seq=0 ttl=253 time=11.946 ms 64 bytes from 192.168.249.71: icmp_seq=1 ttl=253 time=19.474 ms 64 bytes from 192.168.249.71: icmp_seq=2 ttl=253 time=14.639 ms ... user@host> ping 192.168.249.71 size 20000 PING host-ge-000.acme.net (192.168.249.71): 20000 data bytes ^C --- host-ge-000.acme.net ping statistics --12 packets transmitted, 0 packets received, 100% packet loss

Meaning

Verify the following information:
• • •

You can successfully log in to the device using Telnet. The device sends responses to the ping host command. The device does not send responses to the ping host size 20000 command.

Displaying Firewall Filter Statistics Purpose Action Verify that packets are being policed and counted. From operational mode, enter the show firewall filter filter-name command.

Sample Output
user@host> show firewall filter protect-RE Filter: protect-RE Counters: Name icmp-counter Policers: Name

Bytes 1040000 Packets

Packets 5600

358

Copyright © 2011, Juniper Networks, Inc.

Chapter 11: Single-Rate Two-Color Policer Configuration

tcp-connection-policer icmp-policer

643254873 7391

Meaning

Verify the following information:
• •

Next to Filter, the name of the firewall filter is correct. Under Counters:
• •

Under Name, the names of any counters configured in the firewall filter are correct. Under Bytes, the number of bytes that match the filter term containing the count counter-name action are shown. Under Packets, the number of packets that match the filter term containing the count counter-name action are shown.

Under Policers:
• •

Under Name, the names of any policers configured in the firewall filter are correct. Under Packets, the number of packets that match the conditions specified for the policer are shown.

Related Documentation

• • • •

Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Guidelines for Applying Traffic Policers on page 316 Prefix-Specific Counting and Policing Actions on page 359

Prefix-Specific Counting and Policing Actions
• • • •

Prefix-Specific Counting and Policing Overview on page 359 Filter-Specific Counter and Policer Set Overview on page 362 Example: Configuring Prefix-Specific Counting and Policing on page 362 Prefix-Specific Counting and Policing Configuration Scenarios on page 369

Prefix-Specific Counting and Policing Overview
This topic covers the following information:
• • •

Separate Counting and Policing for Each IPv4 Address Range on page 359 Prefix-Specific Action Configuration on page 360 Counter and Policer Set Size and Indexing on page 361

Separate Counting and Policing for Each IPv4 Address Range
Prefix-specific counting and policing enables you to configure an IPv4 firewall filter term that matches on a source or destination address, applies a single-rate two-color policer as the term action, but associates the matched packet with a specific counter and policer instance based on the source or destination in the packet header. You can implicitly

Copyright © 2011, Juniper Networks, Inc.

359

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

create a separate counter or policer instance for a single address or for a group of addresses.

NOTE: J Series Services Routers do not support prefix-specific counting and policing.

Prefix-specific counting and policing uses a prefix-specific action configuration that specifies the name of the policer you want to apply, whether prefix-specific counting is to be enabled, and a source or destination address prefix range. The prefix range specifies between 1 and 16 sequential set bits of an IPv4 address mask. The length of the prefix range determines the size of the counter and policer set, which consists of as few as 2 or as many as 65,536 counter and policer instances. The position of the bits of the prefix range determines the indexing of filter-matched packets into the set of instances.

NOTE: A prefix-specific action is specific to a source or destination prefix range, but it is not specific to a particular source or destination address range, and it is not specific to a particular interface.

To apply a prefix-specific action to the traffic at an interface, you configure a firewall filter term that matches on source or destination addresses, and then you apply the firewall filter to the interface. The flow of filtered traffic is rate-limited using prefix-specific counter and policer instances that are selected per packet based on the source or destination address in the header of the filtered packet.

Prefix-Specific Action Configuration
To configure a prefix-specific action, you specify the following information:

Prefix-specific action name—Name that can be referenced as the action of an IPv4 standard firewall filter term that matches packets on source or destination addresses. Policer name—Name of a single-rate two-color policer for which you want to implicitly create prefix-specific instances.

NOTE: For aggregated Ethernet interfaces, you can configure a prefix-specific action that references a logical interface policer (also called an aggregate policer). You can reference this type of prefix-specific action from an IPv4 standard firewall filter and then apply the filter at the aggregate level of the interface.

• •

Counting option—Option to include if you want to enable prefix-specific counters. Filter-specific option—Option to include if you want a single counter and policer set to be shared across all terms in the firewall filter. A prefix-specific action that operates in this way is said to operate in filter-specific mode. If you do not enable this option,

360

Copyright © 2011, Juniper Networks, Inc.

Chapter 11: Single-Rate Two-Color Policer Configuration

the prefix-specific action operates in term-specific mode, meaning that a separate counter and policer set is created for each filter term that references the prefix-specific action.

Source address prefix length—Length of the address prefix, from 0 through 32, to be used with a packet matched on the source address. Destination address prefix length—Length of the address prefix, from 0 through 32, to be used with a packet matched on the destination address. Subnet prefix length—Length of the subnet prefix, from 0 through 32, to be used with a packet matched on either the source or destination address.

You must configure source and destination address prefix lengths to be from 1 to 16 bits longer than the subnet prefix length. If you configure source or destination address prefix lengths to be more than 16 bits beyond the configured subnet prefix length, an error occurs when you try to commit the configuration.

Counter and Policer Set Size and Indexing
The number of prefix-specific actions (counters or policers) implicitly created for a prefix-specific action is determined by the length of the address prefix and the length of the subnet prefix: SizeofCounterandPolicerSet=2^(source-or-destination-prefix-length - subnet-prefix-length) Table 36 on page 361 shows examples of counter and policer set size and indexing.

Table 36: Examples of Counter and Policer Set Size and Indexing
Example Prefix Lengths Specified in the Prefix-Specific Action
source-prefix-length = 32 subnet-prefix-length = 16

Calculation of Counter or Policer Set Size
Size=2^(32-16)=2^16=65,536instances NOTE: This calculation shows the largest counter or policer set size supported.

Indexing of Instances
Instance 0: Instance 1: Instance 65535: x.x.0.0 x.x.0.1 x.x.255.255

source-prefix-length = 32 subnet-prefix-length = 24

Size = 2^(32 - 24) = 2^8 = 256 instances

Instance 0: Instance 1: Instance 255:

x.x.x.0 x.x.x.1 x.x.x.255 x.x.x.0 x.x.x.1 x.x.x.127

source-prefix-length = 32 subnet-prefix-length = 25

Size = 2^(32 - 25) = 2^7 = 128 instances

Instance 0: Instance 1: Instance 127:

Copyright © 2011, Juniper Networks, Inc.

361

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Table 36: Examples of Counter and Policer Set Size and Indexing (continued)
Example Prefix Lengths Specified in the Prefix-Specific Action
source-prefix-length = 24 subnet-prefix-length = 20

Calculation of Counter or Policer Set Size
Size = 2^(24 - 20) = 2^4 = 16 instances

Indexing of Instances
Instance 0: Instance 1: Instance 15: x.x.0.x x.x.1.x x.x.15.x

Filter-Specific Counter and Policer Set Overview
By default, a prefix-specific policer set operates in term-specific mode so that, for a given firewall filter, the Junos OS creates a separate counter and policer set for every filter term that references the prefix-specific action. As an option, you can configure a prefix-specific policer set to operate in filter-specific mode so that a single prefix-specific policer set is used by all terms (within the same firewall filter) that reference the policer. For an IPv4 firewall filter with multiple terms that reference the same prefix-specific policer set, configuring the policer set to operate in filter-specific mode enables you to count and monitor the activity of the policer set at the firewall filter level.

NOTE: Term-specific mode and filter-specific mode also apply to policers. See “Filter-Specific Policer Overview” on page 352.

To enable a prefix-specific policer set to operate in filter-specific mode, you can include the filter-specific statement at following the hierarchy levels:
• •

[edit firewall family inet prefix-action prefix-action-name] [edit logical-systems logical-system-name firewall family inet prefix-action prefix-action-name]

You can reference filter-specific, prefix-specific policer sets from IPv4 (family inet) firewall filters only.

Example: Configuring Prefix-Specific Counting and Policing
This example shows how to configure prefix-specific counting and policing.
• • • •

Requirements on page 363 Overview on page 363 Configuration on page 364 Verification on page 368

362

Copyright © 2011, Juniper Networks, Inc.

Chapter 11: Single-Rate Two-Color Policer Configuration

Requirements
No special configuration beyond device initialization is required before configuring this example.

Overview
In this example, you configure prefix-specific counting and policing based on the last octet of the source address field in packets matched by an IPv4 firewall filter. The single-rate two-color policer named 1Mbps-policer rate-limits traffic to a bandwidth of 1,000,000 bps and a burst-size limit of 63,000 bytes, discarding any packets in a traffic flow that exceeds the traffic limits. Independent of the IPv4 addresses contained in any packets passed from a firewall filter, the prefix-specific action named psa-1Mbps-per-source-24-32-256 specifies a set of 256 counters and policers, numbered from 0 through 255. For each packet, the last octet of the source address field is used to index into the associated prefix-specific counter and policer in the set:

Packets with a source address ending with the octet 0x0000 00000 index the first counter and policer in the set. Packets with a source address ending with the octet 0x0000 0001 index the second counter and policer in the set. Packets with a source address ending with the octet 0x1111 1111 index the last counter and policer in the set.

The limit-source-one-24 firewall filter contains a single term that matches all packets from the /24 subnet of source address 10.10.10.0, passing these packets to the prefix-specific action psa-1Mbps-per-source-24-32-256. Topology In this example, because the filter term matches the /24 subnet of a single source address, each counting and policing instance in the prefix-specific set is used for only one source address.
• •

Packets with a source address 10.10.10.0 index the first counter and policer in the set. Packets with a source address 10.10.10.1 index the second counter and policer in the set. Packets with a source address 10.10.10.255 index the last counter and policer in the set.

This example shows the simplest case of prefix-specific actions, in which the filter term matches on one address with a prefix length that is the same as the prefix length specified in the prefix-specific action for indexing into the set of prefix-specific counters and policers. For descriptions of other configurations for prefix-specific counting and policing, see “Prefix-Specific Counting and Policing Configuration Scenarios” on page 369.

Copyright © 2011, Juniper Networks, Inc.

363

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see “Using the CLI Editor in Configuration Mode” on page 15. To configure this example, perform the following tasks:
• • • •

Configuring a Policer for Prefix-Specific Counting and Policing on page 364 Configuring a Prefix-Specific Action Based on the Policer on page 365 Configuring an IPv4 Filter That References the Prefix-Specific Action on page 366 Applying the Firewall Filter to IPv4 Input Traffic at a Logical Interface on page 367

CLI Quick Configuration

To quickly configure this example, copy the following configuration commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.
set firewall policer 1Mbps-policer if-exceeding bandwidth-limit 1m set firewall policer 1Mbps-policer if-exceeding burst-size-limit 63k set firewall policer 1Mbps-policer then discard set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 policer 1Mbps-policer set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 count set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 subnet-prefix-length 24 set firewall family inet prefix-action psa-1Mbps-per-source-24-32-256 source-prefix-length 32 set firewall family inet filter limit-source-one-24 term one from source-address 10.10.10.0/24 set firewall family inet filter limit-source-one-24 term one then prefix-action psa-1Mbps-per-source-24-32-256 set interfaces so-0/0/2 unit 0 family inet filter input limit-source-one-24 set interfaces so-0/0/2 unit 0 family inet address 10.39.1.1/16

Configuring a Policer for Prefix-Specific Counting and Policing Step-by-Step Procedure To configure a policer to be used for prefix-specific counting and policing:
1.

Enable configuration of a single-rate two-color policer.
[edit] user@host# edit firewall policer 1Mbps-policer

2.

Define the traffic limit.
[edit firewall policer 1Mbps-policer] user@host# set if-exceeding bandwidth-limit 1m user@host# set if-exceeding burst-size-limit 63k

Packets in a traffic flow that conforms to this limit are passed with the PLP set to low.
3.

Define the actions for nonconforming traffic.
[edit firewall policer 1Mbps-policer] user@host# set then discard

364

Copyright © 2011, Juniper Networks, Inc.

Chapter 11: Single-Rate Two-Color Policer Configuration

Packets in a traffic flow that exceeds this limit are discarded. Other configurable actions for a single-rate two-color policer are to set the forwarding class and to set the PLP level. Results Confirm the configuration of the policer by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit] user@host# show firewall policer 1Mbps-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 63k; } then discard; }

Configuring a Prefix-Specific Action Based on the Policer Step-by-Step Procedure To configure a prefix-specific action that references the policer and specifies a portion of a source address prefix:
1.

Enable configuration of a prefix-specific action.
[edit] user@host# edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256

Prefix-specific counting and policing can be defined for IPv4 traffic only.
2.

Reference the policer for which a prefix-specific set is to be created.
[edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256] user@host# set policer 1Mbps-policer user@host# set count

NOTE: For aggregated Ethernet interfaces, you can configure a prefix-specific action that references a logical interface policer (also called an aggregate policer). You can reference this type of prefix-specific action from an IPv4 standard firewall filter and then apply the filter at the aggregate level of the interface.

3.

Specify the prefix range on which IPv4 addresses are to be indexed to the counter and policer set.
[edit firewall family inet prefix-action psa-1Mbps-per-source-24-32-256] user@host# set source-prefix-length 32 user@host# set subnet-prefix-length 24

Copyright © 2011, Juniper Networks, Inc.

365

Junos OS 11.4 Firewall Filter and Policer Configuration Guide

Results

Confirm the configuration of the prefix-specific action by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit] user@host# show firewall policer 1Mbps-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 63k; } then discard; } family inet { prefix-action psa-1Mbps-per-source-24-32-256 { policer 1Mbps-policer; subnet-prefix-length 24; source-prefix-length 32; } }

Configuring an IPv4 Filter That References the Prefix-Specific Action Step-by-Step Procedure To configure an IPv4 standard firewall filter that references the prefix-specific action:
1.

Enable configuration of the IPv4 standard firewall filter.
[edit] user@host# edit firewall family inet filter limit-source-one-24

Prefix-specific counting and policing can be defined for IPv4 traffic only.
2.

Configure the filter term to match on the packet source address or destination address.
[edit firewall family inet filter limit-source-one-24] user@host# set term one from source-address 10.10.10.0/24

3.

Configure the filter term to reference the prefix-specific action.
[edit firewall family inet filter limit-source-one-24] user@host# set term one then prefix-action psa-1Mbps-per-source-24-32-256

You could also use the next term action to configure all Hypertext Transfer Protocol (HTTP) traffic to each host to transmit at 500 Kbps and have the total HTTP traffic limited to 1 Mbps. Results Confirm the configuration of the prefix-specific action by entering the show firewall configuration mode command. If the command output does not display the intended configuration, repeat the instructions in this procedure to correct the configuration.
[edit] user@host# show firewall policer 1Mbps-policer { if-exceeding { bandwidth-limit 1m; burst-size-limit 63k;

366

Copyright © 2011, Juniper Networks, Inc.

If the command output does not display the intended configuration. } family inet { prefix-action psa-1Mbps-per-source-24-32-256 { policer 1Mbps-policer. source-prefix-length 32. Juniper Networks. [edit] user@host# edit interfaces so-0/0/2 unit 0 family inet 2. 367 .0/24. } } } Copyright © 2011.1.39. } } then prefix-action psa-1Mbps-per-source-24-32-256.39. Inc. Enable configuration of IPv4 on the logical interface.10.10. } filter limit-source-one-24 { term one { from { source-address { 10.Chapter 11: Single-Rate Two-Color Policer Configuration } then discard. } } } Applying the Firewall Filter to IPv4 Input Traffic at a Logical Interface Step-by-Step Procedure To apply the firewall filter to IPv4 input traffic at a logical interface: 1. Apply the IPv4 standard stateless firewall filter. } address 10. [edit] user@host# show interfaces so-0/0/2 { unit 0 { family inet { filter { input limit-source-one-24. Configure an IP address. repeat the instructions in this procedure to correct the configuration. [edit interfaces so-0/0/2 unit 0 family inet] user@host# set address 10.1/16. [edit interfaces so-0/0/2 unit 0 family inet] user@host# set filter input limit-source-one-24 Results Confirm the configuration of the prefix-specific action by entering the show interfaces configuration mode command. subnet-prefix-length 24.1.1/16 3.

39. Broadcast: 10.0 (Index 79) (SNMP ifIndex 510) (Generation 149) Flags: Hardware-Down Point-To-Point SNMP-Traps 0x4000 Encapsulation: PPP Protocol inet. Juniper Networks.39.39/16.1.Junos OS 11. the example policer 1Mbps-policer is configured as term-specific.1. In the show firewall prefix-action-stats 368 Copyright © 2011. • • Displaying the Firewall Filters Applied to an Interface on page 368 Displaying Prefix-Specific Actions Statistics for the Firewall Filter on page 368 Displaying the Firewall Filters Applied to an Interface Purpose Verify that the firewall filter limit-source-one-24 is applied to the IPv4 input traffic at logical interface so-0/0/2. you can use the from set-index to set-index command option to specify the starting and ending counter or policer to be displayed. the Input Filters field displays limit-source-one-24. each policer in the set is identified as follows: prefix-specific-action-name-term-name-set-index For a filter-specific policer. Protocol-Down Input Filters: limit-source-one-24 Addresses. The command output displays the specified filter name followed by a listing of the number of bytes and packets processed by each policer in the policer set. For a term-specific policer. Generation: 163 Action Displaying Prefix-Specific Actions Statistics for the Firewall Filter Purpose Action Verify the number of packets evaluated by the policer. enter commit from configuration mode.0. Inc.255.4 Firewall Filter and Policer Configuration Guide If you are done configuring the device.255. MTU: 4470. indicating that the filter is applied to IPv4 traffic in the input direction: user@host> show interfaces statistics so-0/0/2. each policer is identified in the command output as follows: prefix-specific-action-name-set-index Because the example prefix-specific action psa-1Mbps-per-source-24-32-256 is referenced by only one term of the example filter limit-source-one-24.0 detail Logical interface so-0/0/2. and include the detail option. As an option. . Use the show interfaces statistics operational mode command for logical interface so-0/0/2.0. Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10. In the command output section for Protocol inet. Use the show firewall prefix-action-stats filter filter-name prefix-action name operational mode command to display statistics about a prefix-specific action configured on a firewall filter. A policer set is indexed from 0 through 65535. Generation: 173. Route table: 0 Flags: Sendbcast-pkt-to-re. Local: 10. Verification Confirm that the configuration is working properly.

369 .1 .255 Copyright © 2011. Inc. Juniper Networks.Chapter 11: Single-Rate Two-Color Policer Configuration command output. the policer statistics are displayed as psa-1Mbps-per-source-24-32-256-one-0.10. user@host> show firewall prefix-action-stats filter limit-source-one-24 prefix-action psa-1Mbps-per-source-24-32-256 from 0 to 9 Filter: limit-source-one-24 Counters: Name Bytes Packets psa-1Mbps-per-source-24-32-256-one-0 0 0 psa-1Mbps-per-source-24-32-256-one-1 0 0 psa-1Mbps-per-source-24-32-256-one-2 0 0 psa-1Mbps-per-source-24-32-256-one-3 0 0 psa-1Mbps-per-source-24-32-256-one-4 0 0 psa-1Mbps-per-source-24-32-256-one-5 0 0 psa-1Mbps-per-source-24-32-256-one-6 0 0 psa-1Mbps-per-source-24-32-256-one-7 0 0 psa-1Mbps-per-source-24-32-256-one-8 0 0 psa-1Mbps-per-source-24-32-256-one-9 0 0 Prefix-Specific Counting and Policing Configuration Scenarios This topic covers the following information: • • • Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets on page 369 Scenario 1: Firewall Filter Term Matches on Multiple Addresses on page 370 Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition on page 372 Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition on page 373 • Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets Table 37 on page 369 describes the relationship between the prefix length specified in the prefix-specific action and the prefix length of the addresses matched by the firewall filter term that references the prefix-specific action.0/24 Instance 0 Instance 1: ..10. 10. Table 37: Summary of Prefix-Specific Action Scenarios Counter and Policer Set Packet-Filtering Criteria Indexing of Instances Prefix-specific action scenario: “Example: Configuring Prefix-Specific Counting and Policing” on page 362 source-prefix-length = 32 subnet-prefix-length = 24 Set size: 2^8 = 256 Instance numbers: 0 ..255 source-address = 10.10.0 10.10.10. psa-1Mbps-per-source-24-32-256-one-1. Instance 255: 10.10.. and so on through psa-1Mbps-per-source-24-32-256-one-255..10.10.

10.10. Inc.11.x.10.x..120 .10.127 Prefix-specific action scenario: “Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition” on page 373 source-prefix-length = 32 subnet-prefix-length = 24 Set size: 2^8 = 256 Instance numbers: 0 .10.10.10.255 source-address = 10.10.10. Instance 1: .0 through 10..10.10.0/24 source-address = 10. in which a single-term firewall 370 Copyright © 2011..10.10..1 .1 .10.Junos OS 11. 10.255 For addresses in the /16 subnet.1. 10. Instance 0 10.11.0. 10. Instance 127: 10.255.11.10.10.10.127 Instances 128 – 255: unused Scenario 1: Firewall Filter Term Matches on Multiple Addresses The complete example.10. x ranges from 0 through 255.10.11.0 . 10.10.0/24 Instance 0 10.10.127 source-address = 10. “Example: Configuring Prefix-Specific Counting and Policing” on page 362..10.10. Prefix-specific action scenario: “Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition” on page 372 source-prefix-length = 32 subnet-prefix-length = 25 Set size: 2^7 = 128 Instance numbers: 0 .10...255 source-address = 10.0/25 NOTE: Only packets with source addresses ranging from 10..4 Firewall Filter and Policer Configuration Guide Table 37: Summary of Prefix-Specific Action Scenarios (continued) Counter and Policer Set Packet-Filtering Criteria Indexing of Instances Prefix-specific action scenario: “Scenario 1: Firewall Filter Term Matches on Multiple Addresses” on page 370 source-prefix-length = 32 subnet-prefix-length = 24 Set size: 2^8 = 256 Instance numbers: 0 .10.10.0 10. Instance 255: 10. 10.10. 10.0/16 Instance 1: 10.10. shows the simplest case of prefix-specific actions.128 10.10..10.10.10.127 are passed to the prefix-specific action. . Instance 127: 10..0..10.0..x. Instance 0 Instance 1: . 10.255.1.10. Juniper Networks.

11. subnet-prefix-length 24. where x ranges from 0 through 255.0/24 and 10.11.10.11.0.0.0/16. Inc.x. the prefix-specific action that references the policer.10.10. packets that match the source address 10.10. burst-size-limit 63k.0/16 subnets as follows: • The first counter and policer in the set are indexed by packets with source addresses 10.10.0. In this case. Unlike the example. • • The following configuration shows the statements for configuring the single-rate two-color policer.10. The second counter and policer in the set are indexed by packets with source addresses 10.0. The 256th (last) counter and policer in the set are indexed by packets with source addresses 10.1. this scenario describes a configuration in which a single-term firewall filter matches on two IPv4 source addresses. } } Copyright © 2011.255.1 and 10.10. where x ranges from 0 through 255.10.0. and the IPv4 standard stateless firewall filter that references the prefix-specific action: [edit] firewall { policer 1Mbps-policer { if-exceeding { bandwidth-limit 1m. } family inet { prefix-action psa-1Mbps-per-source-24-32-256 { policer 1Mbps-policer.0 and 10. The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that the counting and policing instances are shared by packets that contain source addresses across the 10.10. 10.0.11.11.x. NOTE: Unlike packets that match the source address 10. source-prefix-length 32. 371 .11. Juniper Networks.10.0/16 are in a many-to-one correspondence with the instances in the counter and policer set. where x ranges from 0 through 255. the additional condition matches on a source address with a prefix length that is different from the subnet prefix length defined in the prefix-specific action. In addition. the additional condition matches on the /16 subnet of the source address 10.0/24.x.255 and 10. } filter limit-source-two-24-16 { term one { from { source-address { 10.0/24. } then discard.11.Chapter 11: Single-Rate Two-Color Policer Configuration filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action.10.10.

10.128.10. the prefix-specific action defines a subnet-prefix value of 25.255. while the firewall filter matches on a source address in the /24 subnet. this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is longer than the prefix of the source address matched by the firewall filter.255. In this case. while the prefix-specific action specifies a set of only 128 counters and policers.10.10.39. Juniper Networks.129.10.10. Inc. in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. the prefix-specific action that references the policer. The filter-matched packets that are passed to the prefix-specific action index into the counter and policer set in such a way that the counting and policing instances are shared by packets that contain either of two source addresses within the 10. } address 10. } } } } interfaces { so-0/0/2 { unit 0 { family inet { filter { input limit-source-two-24-16.10. and the IPv4 standard stateless firewall filter that references the prefix-specific action: [edit] 372 Copyright © 2011. Unlike the example.1/16.10. } } } } Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition The complete example. • • The following configuration shows the statements for configuring the single-rate two-color policer.Junos OS 11.10. .10. “Example: Configuring Prefix-Specific Counting and Policing” on page 362. numbered from 0 through 127. The 128th (last) counter and policer in the set are indexed by packets with source addresses 10.1.10. The second counter and policer in the set are indexed by packets with source addresses 10.127 and 10.10. shows the simplest case of prefix-specific actions.10.0 and 10.10.0/24 subnet: • The first counter and policer in the set are indexed by packets with source addresses 10.1 and 10.0 through 10. NOTE: The firewall filter passes the prefix-specific action packets with source addresses that range from 10.10.4 Firewall Filter and Policer Configuration Guide then prefix-action psa-1Mbps-per-source-24-32-256.10.10.10.

} address 10. Juniper Networks. Copyright © 2011. “Example: Configuring Prefix-Specific Counting and Policing” on page 362.10. } } } } Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition The complete example.1. in which the single-term firewall filter matches on one address with a prefix length that is the same as the subnet prefix length specified in the prefix-specific action. } filter limit-source-one-24 { term one { from { source-address { 10. 373 .0. the filter term matches on the /25 subnet of the source address 10.1/16. In this case. shows the simplest case of prefix-specific actions.10.Chapter 11: Single-Rate Two-Color Policer Configuration firewall { policer 1Mbps-policer { if-exceeding { bandwidth-limit 1m. burst-size-limit 63k. } } then prefix-action psa-1Mbps-per-source-25-32-128. Inc. source-prefix-length 32. Unlike the example. subnet-prefix-length 25. } family inet { prefix-action psa-1Mbps-per-source-25-32-128 { policer 1Mbps-policer. } then discard.10. this scenario describes a configuration in which the prefix-specific action defines a subnet prefix length that is shorter than the prefix of the source address matched by the firewall filter. } } } } interfaces { so-0/0/2 { unit 0 { family inet { filter { input limit-source-one-24.0/24.39.10.

10.1 and 10. while the prefix-specific action specifies a set of 256 counters and policers. Inc.10.10. Juniper Networks. The upper half of the set (instances numbered from 128 through 255) are not indexed by packets passed to the prefix-specific action from this particular firewall filter. } family inet { prefix-action psa-1Mbps-per-source-24-32-256 { policer 1Mbps-policer.4 Firewall Filter and Policer Configuration Guide NOTE: The firewall filter passes the prefix-specific action only packets with source addresses that range from 10. . The second counter and policer in the set are indexed by packets with source address 10. and the IPv4 standard stateless firewall filter that references the prefix-specific action: [edit] firewall { policer 1Mbps-policer { if-exceeding { bandwidth-limit 1m.0/25. numbered from 0 through 255.10. } then discard.10.127. • • • The following configuration shows the statements for configuring the single-rate two-color policer.10.10. source-prefix-length 32.129. The matched packets that are passed to the prefix-specific action index into the lower half of the counter and policer set only: • The first counter and policer in the set are indexed by packets with source address 10.10. the prefix-specific action that references the policer.10.10. } } then prefix-action psa-1Mbps-per-source-24-32-256. } } } } interfaces { so-0/0/2 { 374 Copyright © 2011. The 128th counter and policer in the set are indexed by packets with source address 10.10.0 through 10. burst-size-limit 63k.127. } filter limit-source-one-25 { term one { from { source-address { 10.10. subnet-prefix-length 24.0.Junos OS 11.10.10.

or both: • Based on the associated forwarding class. and packet PLP to drop packet as needed to control congestion at the output stage. The CoS random early detection (RED) process uses the drop probability configuration.1/16. • Copyright © 2011.1. Inc. each packet carries a lower or higher likelihood of being dropped if congestion occurs.Chapter 11: Single-Rate Two-Color Policer Configuration unit 0 { family inet { filter { input limit-source-one-25. output queue fullness percentage. Juniper Networks. Based on the associated PLP.39. and the router services the output queues according to the associated scheduling you configure. a packet loss priority (PLP) level. } address 10. } } } } Related Documentation • • • Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Guidelines for Applying Traffic Policers on page 316 Multifield Classification • • • • • Multifield Classification Overview on page 375 Multifield Classification Requirements and Restrictions on page 377 Multifield Classification Limitations on M Series Routers on page 378 Example: Configuring Multifield Classification on page 380 Example: Configuring and Applying a Firewall Filter for a Multifield Classifier on page 386 Multifield Classification Overview This topic covers the following information: • • • Forwarding Classes and PLP Levels on page 375 Multifield Classification and BA Classification on page 376 Multifield Classification Used In Conjunction with Policers on page 376 Forwarding Classes and PLP Levels You can configure the Junos OS class of service (CoS) features to classify incoming traffic by associating each packet with a forwarding class. 375 . each packet is assigned to an output queue.

4 Firewall Filter and Policer Configuration Guide Multifield Classification and BA Classification The Junos OS supports two general types of packet classification: behavior aggregate (BA) classification and multifield classification: • BA classification. Multifield Classification Used In Conjunction with Policers To configure multifield classification in conjunction with rate limiting. • NOTE: BA classification of a packet can be overridden by the stateless firewall filter actions forwarding-class and loss-priority. IP precedence value. including the DSCP value (for IPv4 only). For more information about these actions.1p value. the MPLS EXP bits. the filter-matched packets in the traffic flow are rate-limited to the policer-specified traffic limits. depending on the type of policer and how the policer is configured to handle nonconforming traffic. a firewall filter term can specify the packet classification actions for matching packets through the use of a policer nonterminating action that references a single-rate two-color policer. refers to a method of packet classification that uses a CoS configuration to set the forwarding class or PLP of a packet based on the CoS value in the IP packet header. The CoS value examined for BA classification purposes can be the Differentiated Services code point (DSCP) value. Multifield classification refers to a method of packet classification that uses a standard stateless firewall filter configuration to set the forwarding class or PLP for each packet entering or exiting the interface based on multiple fields in the IP packet header. Juniper Networks. When multifield classification is configured to perform classification through a policer. see . and IEEE 802. set to a specified PLP level. or the packets can be set to a specified forwarding class. Packets in a conforming flow of filter-matched packets are implicitly set to a low PLP.1p bits. DSCP IPv6 value. Inc. Multifield classification is used instead of BA classification when you need to classify packets based on information in the packet information other than the CoS values only. and the IEEE 802. With multifield classification.Junos OS 11. or CoS value traffic classification. . or both. 376 Copyright © 2011. the IP precedence value. Multifield classification commonly matches on IP address fields. the IP protocol type field. or the port number in the UDP or TCP pseudoheader field. Packets in a nonconforming traffic flow can be discarded. MPLS EXP bits. The default classifier is based on the IP precedence value. a firewall filter term can specify the packet classification actions for matching packets though the use of the forwarding-class class-name or loss-priority (high | medium-high | medium-low | low) nonterminating actions in the term’s then clause.

Consequently. You also configure a single-rate two-color policer that acts on a red traffic flow by re-marking (setting the forwarding class. This means that the multifield classification specified by the firewall filter is performed on input packets that have already been re-marked once by policing actions. As an example. the input policer is executed before the input firewall filter. make sure that you consider the order of policer and firewall filter operations. 377 .Chapter 11: Single-Rate Two-Color Policer Configuration NOTE: Before you apply a firewall filter that performs multifield classification and also a policer to the same logical interface and for the same traffic direction. You apply the policer as an interface policer at the input of the same logical interface to which you apply the firewall filter. consider the following scenario: • You configure a firewall filter that performs multifield classification (acts on matched packets by setting the forwarding class. the PLP. or both) based on the packet's existing forwarding class or PLP. • Because of the order of policer and firewall operations. Juniper Networks. the PLP. Inc. Multifield Classification Requirements and Restrictions This topic covers the following information: • • • Supported Platforms on page 377 CoS Tricolor Marking Requirement on page 378 Restrictions on page 378 Supported Platforms The loss-priority firewall filter action is supported on the following routing platforms only: • • • • M7i and M10i routers with the Enhanced CFEB (CFEB-E) M120 and M320 routers MX Series routers T Series routers with Enhanced II Flexible PIC Concentrators (FPCs) Copyright © 2011. any input packet that matches the conditions specified in a firewall filter term is then subject to a second re-marking according to the forwarding-class or loss-priority nonterminating actions also specified in that term. or both) rather than discarding those packets. You apply the firewall filter at the input of a logical interface.

accept. in the following configuration. as defined in RFC 2698: • On an M320 router. and T Series routers. you cannot commit a configuration that includes the loss-priority firewall filter action unless you enable the CoS tricolor marking feature. These two nonterminating actions are mutually exclusive. Multifield Classification Limitations on M Series Routers This topic covers the following information: • • Problem: Output-Filter Matching on Input-Filter Classification on page 378 Workaround: Configure All Actions in the Ingress Filter on page 379 Problem: Output-Filter Matching on Input-Filter Classification On M Series routers (except M120 routers). you cannot set the loss-priority firewall filter action to medium-low or medium-high unless you enable the CoS tricolor marking feature. including M120 routers. On all routing platforms that support the loss-priority firewall filter action. you cannot classify packets with an output filter match based on the ingress classification that is set with an input filter applied to the same IPv4 logical interface. Inc. [edit] user@host # show firewall family inet { filter ingress { term 1 { then { forwarding-class expedited-forwarding. include the tri-color statement at the [edit class-of-service] hierarchy level. It works on all other routing platforms. } } filter egress { 378 Copyright © 2011. .4 Firewall Filter and Policer Configuration Guide CoS Tricolor Marking Requirement The loss-priority firewall filter action has platform-specific requirements dependencies on the CoS tricolor marking feature. Juniper Networks. the filter called ingress assigns all incoming IPv4 packets to the expedited-forwarding class.Junos OS 11. This configuration does not work on most M Series routers. MX Series routers. For example. Restrictions You cannot configure the loss-priority and three-color-policer nonterminating actions for the same firewall filter term. The filter called egress counts all packets that were assigned to the expedited-forwarding class in the ingress filter. . • To enable the CoS tricolor marking feature. } } term 2 { then accept.

} term 2 { then accept. } } } [edit] user@host# show interfaces ge-1/2/0 { unit 0 { family inet { filter { input ingress. count ef. 379 . Inc. user@host # show firewall family inet { filter ingress { term 1 { then { forwarding-class expedited-forwarding. } } term 2 { then accept. you can configure all of the actions in the ingress filter. } } } } Workaround: Configure All Actions in the Ingress Filter As a workaround. Juniper Networks. accept. output egress. } } } [edit] user@host# show interfaces ge-1/2/0 { unit 0 { family inet { filter { input ingress. } } } } Copyright © 2011.Chapter 11: Single-Rate Two-Color Policer Configuration term 1 { from { forwarding-class expedited-forwarding. } then count ef.

Inc. 2. • • • • Requirements on page 380 Overview on page 381 Configuration on page 382 Verification on page 386 Requirements Before you begin.0 on one of the following routing platforms: • • • • MX Series router M120 or M320 router M7i or M10i router with the Enhanced CFEB (CFEB-E) T Series router with Enhanced II Flexible PIC Concentrator (FPC) b. Juniper Networks. configure this example on logical interface ge-1/2/0. a.4 Firewall Filter and Policer Configuration Guide Example: Configuring Multifield Classification This example shows how to configure multifield classification of IPv4 traffic by using firewall filter actions and two firewall filter policers. make sure that the CoS tricolor marking feature is enabled.Junos OS 11. 380 Copyright © 2011. To enable the CoS tricolor marking feature. To be able to set a loss-priority firewall filter action to medium-low or medium-high. make sure that your environment supports the features shown in this example: 1. To be able to set a loss-priority firewall filter action. Make sure that the following forwarding classes are assigned to output queues: • • expedited-forwarding assured-forwarding Forwarding-class assignments are configured at the [edit class-of-service forwarding-classes queue queue-number] hierarchy level. The expedited-forwarding and assured-forwarding forwarding classes must be scheduled on the underlying physical interface ge-1/2/0. . NOTE: You cannot commit a configuration that assigns the same forwarding class to two different queues. The loss-priority firewall filter action must be supported on the router and configurable to all four values. include the tri-color statement at the [edit class-of-service] hierarchy level. a.

and then transmitted.0/24 or 10.0/24 or 10. This policer specifies that packets in a nonconforming flow are marked for the expedited-forwarding forwarding class and set to the high loss priority. ef-policer and af-policer. Juniper Networks. • isp2-customers—The second filter term matches packets with the source address 10.0/24.1. A scheduler defines the amount of interface bandwidth assigned to the queue. Copyright © 2011. Matched packets are passed to ef-policer. and the random early detection (RED) drop profiles associated with the queue.4. The IPv4 standard stateless firewall filter mfc-filter defines three filter terms: • isp1-customers—The first filter term matches packets with the source address 10. • You configure output queue schedulers at the [edit class-of-service schedulers] hierarchy level. • c. Make sure that output-queue scheduling is applied to the physical interface ge-1/2/0. you apply multifield classification to the IPv4 traffic on logical interface ge-1/2/0. Matched packets are assigned to the expedited-forwarding forwarding class and set to the low loss priority.1. Make sure that the output queues to which the forwarding classes are assigned are associated with schedulers. You associate output queue schedulers with forwarding classes by means of a scheduler map that you configure at the [edit class-of-service scheduler-maps map-name] hierarchy level. a policer that rate-limits traffic to a bandwidth limit of 300 Kbps with a burst-size limit of 50 KB. the size of the memory buffer allocated for storing packets.3. you apply multifield classification to the input IPv4 traffic at a logical interface by using stateless firewall filter actions and two firewall filter policers that are referenced from the firewall filter.2. Topology In this example. Based on the source address field.1. Overview In this example. You apply a scheduler map to a physical interface at the [edit class-of-service interfaces ge-1/2/0 scheduler-map map-name] hierarchy level. Neither of the policers discards nonconforming traffic.0. the priority of the queue. 381 . set to a specific loss priority. packets are either set to the low loss priority or else policed. NOTE: Single-rate two-color policers always transmit packets in a conforming traffic flow after implicitly setting a low loss priority.Chapter 11: Single-Rate Two-Color Policer Configuration b.1.1. Inc. Packets in nonconforming flows are marked for a specific forwarding class (expedited-forwarding or assured-forwarding). The classification rules are specified in the IPv4 stateless firewall filter mfc-filter and two single-rate two-color policers.0/24.

To configure this example. Define traffic limits for expedited-forwarding traffic.1. For information about navigating the CLI.1.1. and then paste the commands into the CLI at the [edit] hierarchy level. Configuration The following example requires you to navigate various levels in the configuration hierarchy.Junos OS 11.1. This policer specifies that packets in a nonconforming flow are marked for the assured-forwarding forwarding class and set to the medium-high loss priority.1/24 set interfaces ge-1/2/0 unit 0 family inet filter input mfc-filter Configuring Policers to Rate-Limit Expedited-Forwarding and Assured-Forwarding Traffic Step-by-Step Procedure To configure policers to rate-limit expedited-forwarding and assured-forwarding traffic: 1.0/24 set firewall family inet filter mfc-filter term isp1-customers from source-address 10.168.2. remove any line breaks. Inc.4 Firewall Filter and Policer Configuration Guide • other-customers—The third and final filter term passes all other packets to af-policer.0/24 set firewall family inet filter mfc-filter term isp2-customers then policer ef-policer set firewall family inet filter mfc-filter term other-customers then policer af-policer set interfaces ge-1/2/0 unit 0 family inet address 192. set firewall policer ef-policer if-exceeding bandwidth-limit 300k set firewall policer ef-policer if-exceeding burst-size-limit 50k set firewall policer ef-policer then loss-priority high set firewall policer ef-policer then forwarding-class expedited-forwarding set firewall policer af-policer if-exceeding bandwidth-limit 300k set firewall policer af-policer if-exceeding burst-size-limit 50k set firewall policer af-policer then loss-priority high set firewall policer af-policer then forwarding-class assured-forwarding set firewall family inet filter mfc-filter term isp1-customers from source-address 10.3. copy the following configuration commands into a text file. Juniper Networks. .0/24 set firewall family inet filter mfc-filter term isp1-customers then loss-priority low set firewall family inet filter mfc-filter term isp1-customers then forwarding-class expedited-forwarding set firewall family inet filter mfc-filter term isp2-customers from source-address 10.1. [edit] user@host# edit firewall policer ef-policer 382 Copyright © 2011. see “Using the CLI Editor in Configuration Mode” on page 15. perform the following tasks: • Configuring Policers to Rate-Limit Expedited-Forwarding and Assured-Forwarding Traffic on page 382 Configuring a Multifield Classification Filter That Also Applies Policing on page 383 Applying Multifield Classification Filtering and Policing to the Logical Interface on page 385 • • CLI Quick Configuration To quickly configure this example.4. a policer that rate-limits traffic to a bandwidth limit of 300 Kbps and a burst-size limit of 50 KB (the same traffic limits as defined by ef-policer).0/24 set firewall family inet filter mfc-filter term isp2-customers from source-address 10.1.

forwarding-class assured-forwarding. } } policer ef-policer { if-exceeding { bandwidth-limit 300k. Configure a policer for assured-forwarding traffic. } } Configuring a Multifield Classification Filter That Also Applies Policing Step-by-Step Procedure To configure a multifield classification filter that additionally applies policing: 1. } then { loss-priority high. repeat the instructions in this procedure to correct the configuration. If the command output does not display the intended configuration. Juniper Networks. Inc. burst-size-limit 50k. } then { loss-priority high. burst-size-limit 50k. Enable configuration of a firewall filter term for IPv4 traffic. forwarding-class expedited-forwarding.Chapter 11: Single-Rate Two-Color Policer Configuration [edit firewall policer ef-policer] user@host# set if-exceeding bandwidth-limit 300k user@host# set if-exceeding burst-size-limit 50k user@host# set then loss-priority high user@host# set then forwarding-class expedited-forwarding 2. [edit] user@host# edit firewall family inet filter mfc-filter Copyright © 2011. 383 . [edit firewall policer ef-policer] user@host# up [edit firewall] user@host# edit policer af-policer [edit firewall policer af-policer] user@host# set if-exceeding bandwidth-limit 300k user@host# set if-exceeding burst-size-limit 50k user@host# set then loss-priority high user@host# set then forwarding-class assured-forwarding Results Confirm the configuration of the policer by entering the show firewall configuration mode command. [edit] user@host# show firewall policer af-policer { if-exceeding { bandwidth-limit 300k.

0/24 user@host# set term isp2-customers then policer ef-policer 4. } } term other-customers { then { policer af-policer.Junos OS 11. } } } } 384 Copyright © 2011. Juniper Networks.0/24 user@host# set term isp1-customers then loss-priority low user@host# set term isp1-customers then forwarding-class expedited-forwarding 3. If the command output does not display the intended configuration.4.1.1. } then { policer ef-policer. [edit firewall family inet filter mfc-filter] user@host# set term other-customers then policer af-policer Results Confirm the configuration of the filter by entering the show firewall configuration mode command. [edit] user@host# show firewall family inet { filter mfc-filter { term isp1-customers { from { source-address 10.1. Configure the first term to match on source addresses and then classify the matched packets.1.0/24.0/24. forwarding-class expedited-forwarding.1. source-address 10.2.1.0/24.1. Inc.1. source-address 10.1.0/24 user@host# set term isp1-customers from source-address 10.1.2.4 Firewall Filter and Policer Configuration Guide 2. .3.0/24.4. Configure the second term to match on different source addresses and then police the matched packets. Configure the third term to police all other packets to a different set of traffic limits and actions.3. repeat the instructions in this procedure to correct the configuration. } } term isp2-customers { from { source-address 10.0/24 user@host# set term isp2-customers from source-address 10. [edit firewall family inet filter mfc-filter] user@host# set term isp2-customers from source-address 10. } then { loss-priority low. [edit firewall family inet filter mfc-filter] user@host# set term isp1-customers from source-address 10.

forwarding-class expedited-forwarding. } then { loss-priority high. } policer ef-policer { if-exceeding { bandwidth-limit 200k.1/24.168. } then discard. burst-size-limit 50k. Juniper Networks. if an input policer is also configured on the logical interface. 385 .1. } } Applying Multifield Classification Filtering and Policing to the Logical Interface Step-by-Step Procedure To apply multifield classification filtering and policing to the logical interface: 1. Inc.Chapter 11: Single-Rate Two-Color Policer Configuration policer af-policer { if-exceeding { bandwidth-limit 300k.168. } address 192. [edit interfaces ge-1/2/0 unit 0 family inet ] user@host# set filter input mfc-filter NOTE: Because the policer is executed before the filter. Copyright © 2011.1. Enable configuration of IPv4 on the logical interface. Results Confirm the configuration of the interface by entering the show interfaces configuration mode command. [edit] user@host# show interfaces ge-1/2/0 { unit 0 { family inet { filter { input mfc-filter. it cannot use the forwarding class and PLP of a multifield classifier associated with the interface.1/24 3. Configure an IP address for the logical interface. [edit interfaces ge-1/2/0 unit 0 family inet ] user@host# set address 192. repeat the instructions in this procedure to correct the configuration. burst-size-limit 50k. Apply the firewall filter to the logical interface input. [edit] user@host# edit interfaces ge-1/2/0 unit 0 family inet 2. If the command output does not display the intended configuration.

user@host> show firewall filter rate-limit-in Filter: rate-limit-in Policers: Name ef-policer-isp2-customers af-policer-other-customers Action Packets 32863 3870 The command output lists the policers applied by the firewall filter rate-limit-in.4 Firewall Filter and Policer Configuration Guide } } } If you are done configuring the device. Inc. The policer name is displayed concatenated with the name of the firewall filter term in which the policer is referenced as an action. Example: Configuring and Applying a Firewall Filter for a Multifield Classifier This example shows how to configure a firewall filter to classify traffic using a multifield classifier.Junos OS 11. Displaying the Number of Packets Processed by the Policer at the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface. 386 Copyright © 2011. Use the show firewall operational mode command for the filter you applied to the logical interface. not all packets policed by the policer. See “Guidelines for Configuring Standard Firewall Filters” on page 21. . The classifier detects packets of interest to CoS as they arrive on an interface. Juniper Networks. • • • • Requirements on page 386 Overview on page 387 Configuration on page 387 Verification on page 390 Requirements Before you begin. Verification Confirm that the configuration is working properly. NOTE: The packet count includes the number of out-of-specification (out-of-spec) packet counts. enter commit from configuration mode. and the number of packets that matched the filter term. review how to create and configure a firewall.

You then create and name the forwarding class for the network control traffic class as nc-class. Configuration CLI Quick Configuration To quickly configure this example.44. You create the forwarding class for assured forwarding DiffServ traffic as af-class and set the loss priority to low.44.55. Create and name the multifield classifier filter. You create and name the assured forwarding traffic class.66. copy the following commands.Chapter 11: Single-Rate Two-Color Policer Configuration Overview One common way to detect packets of CoS interest is by source or destination address. and specify the destination address as 192. [edit] Copyright © 2011. set the match condition.168. Finally. set the match condition. Then you create and name the network-control traffic class and set the match condition. In this example.77 set firewall filter mf-classifier term expedited-forwarding then forwarding-class ef-class set firewall filter mf-classifier term expedited-forwarding then policer ef-policer set firewall filter mf-classifier term network-control from precedence net-control set firewall filter mf-classifier term network-control then forwarding-class nc-class set firewall filter mf-classifier term best-effort then forwarding-class be-class set interfaces ge-0/0/0 unit 0 family inet filter input mf-classifier Step-by-Step Procedure The following example requires you to navigate various levels in the configuration hierarchy.168. see “Using the CLI Editor in Configuration Mode” on page 15 in the Junos OS CLI User Guide.66. Juniper Networks. you apply the multifield classifier firewall filter as an input filter on each customer-facing or host-facing that needs the filter. In this example. for the expedited forwarding traffic class. paste them into a text file. You create and name the forwarding class for the best-effort traffic class as be-class. Then you create and name the expedited forwarding traffic class. change any details necessary to match your network configuration. and then copy and paste the commands into the CLI at the [edit] hierarchy level.55 set firewall filter mf-classifier term assured-forwarding then forwarding-class af-class set firewall filter mf-classifier term assured-forwarding then loss-priority low set firewall filter mf-classifier term expedited-forwarding from destination-address 192. set firewall filter mf-classifier interface-specific set firewall filter mf-classifier term assured-forwarding from destination-address 192. Inc. The destination address is used in this example.168. the interface is ge-0/0/0. but many other matching criteria for packet detection are available to firewall filters. For instructions on how to do that. remove any line breaks. You then create the forwarding class for expedited forwarding DiffServ traffic as ef-class and set the policer to ef-policer. you configure the firewall filter mf-classifier. and specify the destination address as 192. 387 . To configure a firewall filter for a multifield classifier for a device: 1.168.77.

77 7. [edit firewall filter mf-classifier term assured-forwarding] user@host# set from destination-address 192. Create and name the forwarding class for the best-effort traffic class. . [edit firewall filter mf-classifier term assured-forwarding] user@host# set then forwarding-class af-class user@host# set then loss-priority low 5. [edit firewall filter mf-classifier term best-effort] user@host# set then forwarding-class be-class 388 Copyright © 2011. Create and name the forwarding class for the network control traffic class. Create and name the term for the network control traffic class.44.168.168. [edit firewall filter mf-classifier term expedited-forwarding] user@host# set from destination-address 192. Create the match condition for the network control traffic class. Specify the destination address for the expedited forwarding traffic. Create and name the term for the expedited forwarding traffic class. Juniper Networks. [edit firewall filter mf-classifier term network-control] user@host# set then forwarding-class nc-class 11.66. Create and name the term for the best-effort traffic class.4 Firewall Filter and Policer Configuration Guide user@host# edit firewall filter mf-classifier user@host# set interface-specific 2.55 4. [edit] user@host# edit firewall filter mf-classifier user@host# edit term best-effort 12. Inc. Create the forwarding class and set the loss priority for the assured forwarding traffic class. [edit] user@host# edit firewall filter mf-classifier user@host# edit term expedited-forwarding 6.Junos OS 11. Create the forwarding class and apply the policer for the expedited forwarding traffic class. Create and name the term for the assured forwarding traffic class. [edit firewall filter mf-classifier term expedited-forwarding] user@host# set then forwarding-class ef-class user@host# set then policer ef-policer 8. [edit] user@host# edit firewall filter mf-classifier user@host# edit term network-control 9. [edit firewall filter mf-classifier] user@host# edit term assured-forwarding 3. Specify the destination address for assured forwarding traffic. [edit firewall filter mf-classifier term network-control] user@host# set from precedence net-control 10.

[edit] user@host# show firewall filter mf-classifier interface-specific. confirm your configuration by entering the show firewall filter mf-classifier command. Inc. repeat the configuration instructions in this example to correct it. 389 . } } then { policer ef-policer.77/32. term assured-forwarding { from { destination-address { 192. } then forwarding-class nc-class.55/32. it has no match condition. forwarding-class af-class. enter commit from configuration mode.44. } } term network-control { from { precedence net-control. } } term expedited-forwarding { from { destination-address { 192. Copyright © 2011. If the output does not display the intended configuration.168. Apply the multifield classifier firewall filter as an input filter. [edit] user@host# set interfaces ge-0/0/0 unit 0 family inet filter input mf-classifier Results From configuration mode. } term best-effort { then forwarding-class be-class.66. } If you are done configuring the device. } } then { loss-priority low.Chapter 11: Single-Rate Two-Color Policer Configuration NOTE: Because this is the last term in the filter. forwarding-class ef-class. 13.168. Juniper Networks.

Juniper Networks. Related Documentation • “Standard Firewall Filter Nonterminating Actions on page 82” in the Junos OS Firewall Filter and Policer Configuration Guide • • • • • • • • • • Order of Policer and Firewall Filter Operations on page 304 Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Guidelines for Applying Traffic Policers on page 316 “Junos CoS Components” in the Junos OS Class of Service Configuration Guide “BA Classifier Overview” in the Junos OS Class of Service Configuration Guide “Overview of Forwarding Classes” in the Junos OS Class of Service Configuration Guide “Default Forwarding Classes” in the Junos OS Class of Service Configuration Guide “RED Drop Profiles Overview” in the Junos OS Class of Service Configuration Guide tri-color statement in the Junos OS Class of Service Configuration Guide Policer Overhead to Account for Rate Shaping in the Traffic Manager • • Policer Overhead to Account for Rate Shaping Overview on page 390 Example: Configuring Policer Overhead to Account for Rate Shaping on page 391 Policer Overhead to Account for Rate Shaping Overview If you configure ingress or egress traffic-shaping overhead values for an interface. the PIC or DPC goes offline and then comes back online. Inc.4 Firewall Filter and Policer Configuration Guide Verification Confirm that the configuration is working properly. To enable the router to account for the additional Ethernet frame length when policing actions are being determined. NOTE: When a policer overhead value is changed. • Verifying a Firewall Filter for a Multifield Classifier Configuration on page 390 Verifying a Firewall Filter for a Multifield Classifier Configuration Purpose Action Verify that a firewall filter for a multifield classifier is configured properly on a device. . enter the show firewall filter mf-classifier command.Junos OS 11. 390 Copyright © 2011. From configuration mode. the traffic manager cannot apply these values to any rate-limiting also applied to the interface. you must configure the ingress or egress overhead values for policers separately.

each with values from 0 through 255 bytes. • • • • Requirements on page 391 Overview on page 391 Configuration on page 392 Verification on page 398 Requirements Before you begin. Juniper Networks. The physical interface on port 1 on that PIC is configured to receive traffic on logical interface 0 and send it back out on logical interface 1. Inc. 391 . The policer overhead values are added to the length of the final Ethernet frame when determining ingress and egress policer actions. Class-of-service scheduling includes 100 Mbps of traffic rate-shaping overhead for the output traffic. Example: Configuring Policer Overhead to Account for Rate Shaping This example shows how to configure overhead values for policers when rate-shaping overhead is configured. installed in PIC location 3 of the Flexible PIC Concentrator (FPC) in slot number 1.Chapter 11: Single-Rate Two-Color Policer Configuration For Gigabit Ethernet Intelligent Queuing 2 (IQ2) and Enhanced IQ2 (IQ2E) PICs or interfaces on Dense Port Concentrators (DPCs) in MX Series routers. A policer egress overhead of 100 bytes is configured on the entire PIC so that. You can configure a policer ingress overhead and a policer egress overhead. for any policers applied to the output traffic. 100 bytes are added to the final Ethernet frame length when determining ingress and egress policer actions. you can control the rate of traffic that passes through all interfaces on the PIC or DPC by configuring a policer overhead. Topology The router hosts a Gigabit Ethernet IQ2 PIC. Copyright © 2011. make sure that interface for which you are applying ingress or egress policer overhead is hosted on one of the following: • • • Gigabit Ethernet IQ2 PIC IQ2E PIC DPCs in MX Series routers Overview This example shows how to configure policer overhead values for all physical interfaces on a supported PIC or MPC so that the rate shaping value configured on a logical interface is accounted for in any policing on that logical interface.

You configure policer overhead at the [edit chassis fpc slot-number pic pic-number] hierarchy level.20. • When a policer overhead value is changed. Configuration The following example requires you to navigate various levels in the configuration hierarchy. see “Using the CLI Editor in Configuration Mode” on page 15.1/30 set interfaces ge-1/3/1 unit 1 vlan-id 101 set interfaces ge-1/3/1 unit 1 family inet address 20. and then paste the commands into the CLI at the [edit] hierarchy level. To configure this example. Inc. set interfaces ge-1/3/1 per-unit-scheduler set interfaces ge-1/3/1 vlan-tagging set interfaces ge-1/3/1 unit 0 vlan-id 100 set interfaces ge-1/3/1 unit 0 family inet address 10.Junos OS 11.4 Firewall Filter and Policer Configuration Guide NOTE: Traffic rate-shaping and corresponding policer overhead are configured separately: • You configure rate shaping at the [edit class-of-service interfaces interface-name unit unit-number] hierarchy level.10.2 mac 00:00:11:22:33:44 set class-of-service schedulers be transmit-rate percent 5 set class-of-service schedulers ef transmit-rate percent 30 set class-of-service schedulers af transmit-rate percent 30 set class-of-service schedulers nc transmit-rate percent 35 set class-of-service scheduler-maps my-map forwarding-class best-effort scheduler be set class-of-service scheduler-maps my-map forwarding-class expedited-forwarding scheduler ef set class-of-service scheduler-maps my-map forwarding-class network-control scheduler nc set class-of-service scheduler-maps my-map forwarding-class assured-forwarding scheduler af set class-of-service interfaces ge-1/3/1 unit 1 scheduler-map my-map set class-of-service interfaces ge-1/3/1 unit 1 shaping-rate 100m 392 Copyright © 2011.1/30 arp 20. the PIC or DPC goes offline and then comes back online. For information about navigating the CLI. remove any line breaks.20.20. . perform the following tasks: • • Configuring the Logical Interfaces on page 393 Configuring Traffic Rate-Shaping on the Logical Interface That Carries Output Traffic on page 394 Configuring Policer Overhead on the PIC or MPC That Hosts the Rate-Shaped Logical Interface on page 396 Applying a Policer to the Logical Interface That Carries Input Traffic on page 396 • • CLI Quick Configuration To quickly configure this example.20. copy the following configuration commands into a text file.10. Juniper Networks.

20.20.10.20.2 mac 00:00:11:22:33:44 Results Confirm the configuration of the interfaces by entering the show interfaces configuration mode command.1/30 4. Enable configuration of the interface [edit] user@host# edit interfaces ge-1/3/1 2.Chapter 11: Single-Rate Two-Color Policer Configuration set firewall policer 500Kbps logical-interface-policer set firewall policer 500Kbps if-exceeding bandwidth-limit 500k set firewall policer 500Kbps if-exceeding burst-size-limit 625k set firewall policer 500Kbps then discard set chassis fpc 1 pic 3 ingress-policer-overhead 100 set chassis fpc 1 pic 3 egress-policer-overhead 100 set interfaces ge-1/3/1 unit 0 family inet policer input 500Kbps Configuring the Logical Interfaces Step-by-Step Procedure To configure the logical interfaces: 1. unit 0 { vlan-id 100.20. Copyright © 2011. [edit] user@host# show interfaces ge-1/3/1 { per-unit-scheduler.10.10. [edit interfaces ge-1/3/1] user@host# set unit 1 vlan-id 101 user@host# set unit 1 family inet address 20. Juniper Networks. Enable multiple queues for each logical interface (so that you can associate an output scheduler with each logical interface).0. Inc. 393 . family inet { address 10. vlan-tagging.1/30 arp 20. repeat the instructions in this procedure to correct the configuration.1/30.10. Configure logical interface ge-1/3/1. Configure logical interface ge-1/3/1. [edit interfaces ge-1/3/1] user@host# set per-unit scheduler user@host# set vlan-tagging NOTE: For Gigabit Ethernet IQ2 PICs only. [edit interfaces ge-1/3/1] user@host# set unit 0 vlan-id 100 user@host# set unit 0 family inet address 10.1. If the command output does not display the intended configuration. use the shared-scheduler statement to enable shared schedulers and shapers on a physical interface. 3.

20. [edit class-of-service] user@host# edit interfaces ge-1/3/1 unit 1 [edit class-of-service interfaces ge-1/3/1 unit 1] user@host# set scheduler-map my-map 394 Copyright © 2011. [edit class-of-service] user@host# edit scheduler-maps my-map [edit class-of-service scheduler-maps my-map] user@host# set forwarding-class best-effort scheduler be user@host# set forwarding-class expedited-forwarding scheduler ef user@host# set forwarding-class network-control scheduler nc user@host# set forwarding-class assured-forwarding scheduler af c.1/30 { arp 20. b. Associate the scheduler map with logical interface ge-1/3/1.Junos OS 11. . [edit class-of-service] user@host# edit schedulers [edit class-of-service schedulers] user@host# set be transmit-rate percent 5 user@host# set ef transmit-rate percent 30 user@host# set af transmit-rate percent 30 user@host# set nc transmit-rate percent 35 A percentage of zero drops all packets in the queue. the transmission rate is limited to the rate-controlled amount.0. a scheduler with the rate-limit option shares unused bandwidth above the rate-controlled amount.4 Firewall Filter and Policer Configuration Guide } } unit 1 { vlan-id 101. [edit] user@host# edit class-of-service 2. Configure schedulers that specify the percentage of transmission capacity. Inc. family inet { address 20. Configure packet scheduling on logical interface ge-1/3/1. } } } } Configuring Traffic Rate-Shaping on the Logical Interface That Carries Output Traffic Step-by-Step Procedure To configure traffic rate-shaping on the logical interface that carries output traffic: 1.20.2 mac 00:00:11:22:33:44. Juniper Networks.20. When the rate-limit option is specified. Configure a scheduler map to associate each scheduler with a forwarding class.20. Enable configuration of class-of-service features. In contrast with the exact option. a.0.

forwarding-class expedited-forwarding scheduler ef. If the command output does not display the intended configuration. Inc. } } schedulers { be { transmit-rate percent 5. Configure 100 Mbps of traffic rate-shaping overhead on logical interface ge-1/3/1. forwarding-class assured-forwarding scheduler af. repeat the instructions in this procedure to correct the configuration. you can independently control the delay-buffer rate. With this configuration approach. } } } scheduler-maps { my-map { forwarding-class best-effort scheduler be. } nc { transmit-rate percent 35. Juniper Networks. [edit class-of-service interfaces ge-1/3/1 unit 1] user@host# set shaping-rate 100 Alternatively. [edit] user@host# show class-of-service interfaces { ge-1/3/1 { unit 1 { scheduler-map my-map.Chapter 11: Single-Rate Two-Color Policer Configuration 3. Results Confirm the configuration of the class-of-service features (including the 100 Mbp of shaping of the egress traffic) by entering the show class-of-service configuration mode command. 395 .1. } ef { transmit-rate percent 30. forwarding-class network-control scheduler nc. shaping-rate 100m. } af { transmit-rate percent 30. you can configure a shaping rate for a logical interface and oversubscribe the physical interface by including the shaping-rate statement at the [edit class-of-service traffic-control-profiles] hierarchy level. } } Copyright © 2011.

repeat the instructions in this procedure to correct the configuration. Inc. . Configure the logical interface (aggregate) policer.4 Firewall Filter and Policer Configuration Guide Configuring Policer Overhead on the PIC or MPC That Hosts the Rate-Shaped Logical Interface Step-by-Step Procedure To configure policer overhead on the PIC or MPC that hosts the rate-shaped logical interface: 1. [edit] user@host# set chassis fpc 1 pic 3 2. [edit] user@host# set ingress-policer-overhead 100 user@host# set egress-policer-overhead 100 NOTE: These values are added to the length of the final Ethernet frame when determining ingress and egress policer actions for all physical interfaces on the PIC or MPC.Junos OS 11. Enable configuration of the supported PIC or MPC. Juniper Networks. } } } Applying a Policer to the Logical Interface That Carries Input Traffic Step-by-Step Procedure To apply a policer to the logical interface that carries input traffic: 1. [edit] user@host# show chassis chassis { fpc 1 { pic 3 { egress-policer-overhead 100. Results Confirm the configuration of the policer overhead on the physical interface to account for rate-shaping by entering the show chassis configuration mode command. If the command output does not display the intended configuration. ingress-policer-overhead 100. Configure 100 bytes of policer overhead on the supported PIC or MPC. [edit] user@host# edit firewall policer 500Kbps [edit firewall policer 500Kbps] user@host# set logical-interface-policer user@host# set if-exceeding bandwidth-limit 500k user@host# set if-exceeding burst-size-limit 625k user@host# set then discard 396 Copyright © 2011. You can specify policer overhead with values from 0 through 255 bytes.

[edit] user@host# set interfaces ge-1/3/1 unit 0 family inet policer input 500Kbps NOTE: The 100 Mbps policer overhead is added to the length of the final Ethernet frame when determining ingress and egress policer actions.20. Apply the policer to Layer 3 input on the IPv4 logical interface. Results Confirm the configuration of the policer with rate-shaping overhead by entering the show firewall and show interfaces configuration mode commands. } } unit 0 { vlan-id 101. repeat the instructions in this procedure to correct the configuration.10. 397 . enter commit from configuration mode.20.2 mac 00:00:11:22:33:44.1/30 { arp 20. if-exceeding { bandwidth-limit 500k. vlan-tagging.10. } then discard. [edit] user@host# show firewall policer 500Kbps { logical-interface-policer. Inc. } } } } If you are done configuring the device. } [edit] user@host# show interfaces ge-1/3/1 { per-unit-scheduler. burst-size-limit 625k. } family inet { address 10.Chapter 11: Single-Rate Two-Color Policer Configuration 2.20. Copyright © 2011. family inet { address 20. If the command output does not display the intended configuration.1/30. unit 0 { vlan-id 100. layer2-policer { input-policer 500Kbps. Juniper Networks.20.

• • Displaying Traffic Statistics and Policers for the Logical Interface on page 398 Displaying Statistics for the Policer on page 398 Displaying Traffic Statistics and Policers for the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface. In this example. while the log_int-o suffix denotes a logical interface policer applied to output traffic. Related Documentation • • • • Statement Hierarchy for Configuring Policers on page 305 Two-Color Policer Configuration Overview on page 307 Guidelines for Applying Traffic Policers on page 316 “Configuring a Policer Overhead” in the Junos OS System Basics and Services Command Reference 398 Copyright © 2011. the input and output policer names are displayed as follows: • • 500Kbps-ge-1/3/1. the logical interface policer is applied to input traffic only. For the policer 500Kbps. Juniper Networks. . In this example. the logical interface policer is applied to Input traffic only. The command output displays the number of packets evaluated by each configured policer (or the specified policer).4 Firewall Filter and Policer Configuration Guide Verification Confirm that the configuration is working properly. in each direction. while the log_int-o suffix denotes a logical interface policer applied to output traffic. Use the show interfaces operational mode command for logical interface ge-1/3/1. and include the detail or extensive option. Displaying Statistics for the Policer Purpose Action Verify the number of packets evaluated by the policer. and the Protocol inet section contains a Policer field that would list the policer 500Kbps as an input or output policer as follows: • • Action Input: 500Kbps-ge-1/3/1.0-log_int-i 500Kbps-ge-1/3/1. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface.Junos OS 11. Inc.0-log_int-o The log_int-i suffix denotes a logical interface policer applied to input traffic.0-log_int-i Output: 500Kbps-ge-1/3/1. Use the show policer operational mode command and optionally specify the name of the policer.0-log_int-o The log_int-i suffix denotes a logical interface policer applied to input traffic.0.

you can apply three-color policers to aggregated interfaces.CHAPTER 12 Three-Color Policer Configuration This chapter covers three-color policing applied to Layer 3 traffic. Inc. M7i and M10i routers with the Enhanced CFEB (CFEB-E). Juniper Networks. M320 routers with Enhanced-III FPCs. Copyright © 2011. 399 . • • • Three-Color Policer Configuration Guidelines on page 399 Basic Single-Rate Three-Color Policers on page 401 Basic Two-Rate Three-Color Policers on page 407 Three-Color Policer Configuration Guidelines • • • Platforms Supported for Three-Color Policers on page 399 Color Modes for Three-Color Policers on page 400 Naming Conventions for Three-Color Policers on page 400 Platforms Supported for Three-Color Policers Three-color policers are supported on the following Juniper Networks routers: • • M120 Multiservice Edge Routers M320 Multiservice Edge Routers and T Series Core Routers with Enhanced II Flexible PIC Concentrators (FPCs) MX Series 3D Universal Edge Routers T640 Core Routers with Enhanced Scaling FPC4 • • On MX Series and M120 routers. The discard action for a tricolor marking policer for a firewall filter is supported on the M120 routers. and MX Series routers with Trio MPCs. so it is not necessary to include the logical-interface-policer statement for them.

any preexisting color markings are used in determining the appropriate policing action for the packet. but cannot reduce the PLP level to low. the three-color policer assumes that all packets examined have been previously marked or metered. For example. the yellow packet would never receive the action associated with either the green packets or red packets. Color-Aware Mode In color-aware mode.Junos OS 11. Inc. We recommend that you name your policer using a convention that identifies the basic components of the policer: • Three-color policer type—Where srTCM identifies a single-rate three-color policer and trTCM identifies a two-rate three-color policer. two-rate policing might be configured on a node upstream in the network. tokens for violating packets are never taken from the metering token buckets at the color-aware policing node. For two-rate. Three-color policer color mode—Where ca identifies a color-aware three-color policer and cb identifies a color-blind three-color policer. For example. if a color-aware three-color policer meters a packet with a medium PLP marking. the three-color policer takes into account any coloring markings that might have been set for a packet by another traffic policer configured at a previous network node. The two-rate policer has marked a packet as yellow (loss priority medium-low). the Junos OS uses two token buckets to manage bandwidth based on the two rates of traffic. the three-color policer assumes that all packets examined have not been previously marked or metered. three-color policing. This way. In other words.4 Firewall Filter and Policer Configuration Guide Color Modes for Three-Color Policers Three-color policers—both single-rate and two-rate three-color policer schemes—can operate in either of two modes: • • Color-Blind Mode on page 400 Color-Aware Mode on page 400 Color-Blind Mode In color-blind mode. the three-color policer can increase the packet loss priority (PLP) level of a packet. the policer ignores preexisting color markings that might have been set for a packet by another traffic policer configured at a previous network node. Juniper Networks. At the node where color-aware policing is configured. The color-aware policer takes this yellow marking into account when determining the appropriate policing action. a simple naming convention makes it easier to apply the policers properly. . • 400 Copyright © 2011. it can raise the PLP level to high. In color-aware mode. In color-aware policing. but never decrease it. Naming Conventions for Three-Color Policers Because policers can be numerous and must be applied correctly to work. If you configure a three-color policer to be color-blind instead of color-aware.

. . Inc. color-aware Naming Convention srTCMnumber-ca Example Names srTCM1-ca. srTCM3-cb. trTCM3-ca. . trTCM2-cb. Table 38: Recommended Naming Convention for Policers Three-Color Policer Type Single-rate three-color. srTCM3-ca. trTCM2-ca. 401 . Single-rate three-color.. Two-rate three-color.. color-blind srTCMnumber-cb srTCM1-cb. Two-rate three-color. srTCM2-ca. srTCM2-cb. color-aware trTCMnumber-ca trTCM1-ca.. Juniper Networks.. color-blind trTCMnumber-cb trTCM1-cb. trTCM3-cb. A single-rate three-color policer is most useful when a service is structured according to packet length and not peak arrival rate. Table 38 on page 401 describes a recommended naming convention for policers. .Chapter 12: Three-Color Policer Configuration NOTE: TCM stands for tricolor marking.. Copyright © 2011. Related Documentation • • • Statement Hierarchy for Configuring Policers on page 305 Three-Color Policer Configuration Overview on page 311 Guidelines for Applying Traffic Policers on page 316 Basic Single-Rate Three-Color Policers • • Single-Rate Three-Color Policer Overview on page 401 Example: Configuring a Single-Rate Three-Color Policer on page 402 Single-Rate Three-Color Policer Overview A single-rate three-color policer defines a bandwidth limit and a maximum burst size for guaranteed traffic and a second burst size for peak traffic....

optionally. M320 routers with Enhanced-III FPCs. Example: Configuring a Single-Rate Three-Color Policer This example shows how to configure a single-rate three-color policer. discards the packets. M7i and M10i routers with the Enhanced CFEB (CFEB-E). • Single-rate tricolor marking (single-rate TCM) classifies traffic as belonging to one of three color categories and performs congestion-control actions on the packets based on the color marking: • Green—Traffic that conforms to either the bandwidth limit or the burst size for guaranteed traffic (CIR and CBS). For a green traffic flow. Committed burst size (CBS)—Maximum packet size permitted for bursts of data that exceed the CIR. The discard action for a tricolor marking policer for a firewall filter is supported on the M120 routers. Inc. 402 Copyright © 2011.Junos OS 11. . single-rate marks the packets with an implicit loss priority of low and transmits the packets. the packets with higher loss priority are more likely to be discarded. Red—Traffic that exceeds the burst size for peak traffic (EBS). Excess burst size (EBS)—Maximum packet size permitted for peak traffic. Yellow—Traffic that exceeds both the bandwidth limit and the burst size for guaranteed traffic (CIR or CBS) but not the burst size for peak traffic (EBS). • • If congestion occurs downstream. single-rate marks the packets with an implicit loss priority of medium-high and transmits the packets.4 Firewall Filter and Policer Configuration Guide Single-rate three-color policing meters a traffic stream based on the following configured traffic criteria: • • Committed information rate (CIR)—Bandwidth limit for guaranteed traffic. and MX Series routers with Trio MPCs. • • • • Requirements on page 402 Overview on page 403 Configuration on page 403 Verification on page 407 Requirements No special configuration beyond device initialization is required before configuring this example. the only configurable action is to discard packets in a red traffic flow. so it is not necessary to include the logical-interface-policer statement for them. Juniper Networks. single-rate marks packets with an implicit loss priority of high and. NOTE: For both single-rate and two-rate three-color policers. For a yellow traffic flow.

For information about navigating the CLI. Only nonconforming traffic that exceeds the peak burst-size limit is categorized as red. then packets in a red flow are discarded instead. Traffic that conforms to the limits for guaranteed traffic is categorized as green. If the policer configuration includes the optional action statement (action loss-priority high then discard). For green traffic. 403 . see “Using the CLI Editor in Configuration Mode” on page 15. packets are implicitly set with a loss-priority value of medium-high and then transmitted. You configure the policer to rate-limit traffic to a bandwidth limit of 40 Mbps and a burst-size limit of 100 KB for green traffic but also allow an excess burst-size limit of 200 KB for yellow traffic. To configure this example. In this example. you apply a color-aware. • Each category is associated with an action. The IPv4 firewall filter term that references the policer does not apply any packet-filtering.0. You can apply a three-color policer to Layer 3 traffic as a firewall filter policer only. The filter is used only to apply the three-color policer to the interface. Topology In this example. Nonconforming traffic that exceeds the burst size for excess traffic is categorized as red. which overrides the implicit marking of red traffic to a high loss priority. plus a second burst-size limit for excess traffic. You reference the policer from a stateless firewall filter term. packets are implicitly set with a loss-priority value of high and then transmitted. Configuration The following example requires you to navigate various levels in the configuration hierarchy. packets are implicitly set with a loss-priority value of low and then transmitted. single-rate three-color policer to the input IPv4 traffic at logical interface ge-2/0/5. Juniper Networks. For yellow traffic. and then you apply the filter to the input or output of a logical interface at the protocol level.Chapter 12: Three-Color Policer Configuration Overview A single-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic. Inc. perform the following tasks: • • • Configuring a Single-Rate Three-Color Policer on page 404 Configuring an IPv4 Stateless Firewall Filter That References the Policer on page 405 Applying the Filter to the Logical Interface on page 406 Copyright © 2011. you configure the three-color policer action loss-priority high then discard. and nonconforming traffic falls into one of two categories: • Nonconforming traffic that does not exceed the burst size for excess traffic is categorized as yellow. For red traffic.

Junos OS 11. [edit firewall three-color-policer srTCM1-ca] user@host# set single-rate committed-information-rate 40m user@host# set single-rate committed-burst-size 100k 4. the only configurable action is to discard packets in a red traffic flow. 404 Copyright © 2011. Configure the color mode of the single-rate three-color policer. In this example.1/24 set interfaces ge-2/0/5 unit 0 family inet filter input filter-srtcm1ca-all Configuring a Single-Rate Three-Color Policer Step-by-Step Procedure To configure a single-rate three-color policer: 1. [edit firewall three-color-policer srTCM1-ca] user@host# set single-rate excess-burst-size 200k 5. set firewall three-color-policer srTCM1-ca single-rate color-aware set firewall three-color-policer srTCM1-ca single-rate committed-information-rate 40m set firewall three-color-policer srTCM1-ca single-rate committed-burst-size 100k set firewall three-color-policer srTCM1-ca single-rate excess-burst-size 200k set firewall three-color-policer srTCM1-ca action loss-priority high then discard set firewall family inet filter filter-srtcm1ca-all term 1 then three-color-policer single-rate srTCM1-ca set class-of-service interfaces ge-2/0/5 unit 0 forwarding-class af set interfaces ge-2/0/5 unit 0 family inet address 10. Configure the single-rate burst-size limit that is used to classify nonconforming traffic. and then paste the commands into the CLI at the [edit] hierarchy level. . this example takes the more severe action of discarding packets in a red traffic flow. [edit firewall three-color-policer srTCM1-ca] user@host# set action loss-priority high then discard For three-color policers. copy the following configuration commands into a text file. Enable configuration of a three-color policer. [edit firewall three-color-policer srTCM1-ca] user@host# set single-rate color-aware 3.4 Firewall Filter and Policer Configuration Guide CLI Quick Configuration To quickly configure this example. packets in a red traffic flow have been implicitly marked with a high packet loss priority (PLP) level because the traffic flow exceeded the rate-limiting defined by the single rate-limit (specified by the committed-information-rate 40m statement) and the larger burst-size limit (specified by the excess-burst-size 200k statement).20. (Optional) Configure the action for nonconforming traffic. Configure the single-rate guaranteed traffic limits. [edit] user@host# edit firewall three-color-policer srTCM1-ca 2. Because the optional action statement is included. remove any line breaks. Juniper Networks.130. Inc.

excess-burst-size 200k. three-color-policer srTCM1-ca { action { loss-priority high then discard. committed-information-rate 40m. committed-burst-size 100k. If the command output does not display the intended configuration. committed-information-rate 40m. repeat the instructions in this procedure to correct the configuration. Copyright © 2011. Specify the filter term that references the policer. [edit] user@host# show firewall family inet { filter filter-srtcm1ca-all { term 1 { then { three-color-policer { single-rate srTCM1-ca. [edit firewall family inet filter filter-srtcm1ca-all] user@host# set term 1 then three-color-policer single-rate srTCM1-ca Note that the term does not specify any match conditions. The firewall filter passes all packets to the policer. } } Configuring an IPv4 Stateless Firewall Filter That References the Policer Step-by-Step Procedure To configure a standard stateless firewall filter that references the policer: 1. 405 . Enable configuration of an IPv4 standard stateless firewall filter. If the command output does not display the intended configuration. } single-rate { color-aware. } single-rate { color-aware. } } } } } three-color-policer srTCM1-ca { action { loss-priority high then discard.Chapter 12: Three-Color Policer Configuration Results Confirm the configuration of the hierarchical policer by entering the show firewall configuration command. repeat the instructions in this procedure to correct the configuration. Results Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. Juniper Networks. Inc. [edit] user@host# edit firewall family inet filter filter-srtcm1ca-all 2.

Junos OS 11. Configure an IP address. If the command output does not display the intended configuration. Enable configuration of the logical interface. regardless of any preexisting classification. (MX Series routers only) (Optional) Reclassify all incoming packets on the logical interface ge-2/0/5. Inc.20. Juniper Networks.4 Firewall Filter and Policer Configuration Guide committed-burst-size 100k. [edit] user@host# edit interfaces ge-2/0/5 unit 0 family inet 3. } } } [edit] user@host# show interfaces ge-2/0/5 { unit 0 { family inet { filter { input filter-srtcm1ca-all.20. } } 406 Copyright © 2011. } address 10. Reference the filter as an input filter. [edit interfaces ge-2/0/5 unit 0 family inet] user@host# set address 10.130. [edit interfaces ge-2/0/5 unit 0 family inet] user@host# set filter input filter-srtcm1ca-all Results Confirm the configuration of the interface by entering the show class-of-service and show interfaces configuration mode commands. excess-burst-size 200k. [edit] user@host# show class-of-service interfaces { ge-2/0/5 { unit 0 { forwarding-class af.1/24. } } Applying the Filter to the Logical Interface Step-by-Step Procedure To apply the filter to the logical interface: 1.0 to assured forwarding. [edit] user@host# set class-of-service interfaces ge-2/0/5 unit 0 forwarding-class af The classifier name can be a configured classifier or one of the default classifiers.1/24 4.130. 2. repeat the instructions in this procedure to correct the configuration. .

Within that section.0 (Index 105) (SNMP ifIndex 556) (Generation 170) Flags: Device-Down SNMP-Traps 0x4004000 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet.130. Route table: 0 Flags: Sendbcast-pkt-to-re Input Filters: filter-srtcm1ca-all Addresses. Route table: 0 Policer: Input: __default_arp_policer__ Related Documentation • • • Statement Hierarchy for Configuring Policers on page 305 Three-Color Policer Configuration Overview on page 311 Three-Color Policer Configuration Guidelines on page 399 Basic Two-Rate Three-Color Policers • • Two-Rate Three-Color Policer Overview on page 408 Example: Configuring a Two-Rate Three-Color Policer on page 409 Copyright © 2011.1.20.130. MTU: Unlimited. the Input Filters field displays the name of the firewall filter applied to IPv4 input traffic at the logical interface. MTU: 1500.Chapter 12: Three-Color Policer Configuration } If you are done configuring the device. Inc. Generation: 243. Local: 10. Verification Confirm that the configuration is working properly. and specify detail mode. Use the show interfaces operational mode command for the logical interface ge-2/0/5. Generation: 171 Protocol multiservice. enter commit from configuration mode.20. The Protocol inet section of the command output displays IPv4 information for the logical interface. Displaying the Firewall Filters Applied to the Logical Interface Purpose Action Verify that the firewall filter is applied to IPv4 input traffic at the logical interface.0.255.0 detail Logical interface ge-2/0/5. 407 . user@host> show interfaces ge-2/0/5.20. Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10. Generation: 242. Broadcast: 10.130/24. Juniper Networks.

Yellow—Traffic that exceeds the bandwidth limit or burst size for guaranteed traffic (CIR or CBS) but not the bandwidth limit and burst size for peak traffic (PIR and PBS). A two-rate three-color policer is most useful when a service is structured according to arrival rates and not necessarily packet length. discards the packets. Red—Traffic that exceeds the bandwidth limit and burst size for peak traffic (PIR and PBS).4 Firewall Filter and Policer Configuration Guide Two-Rate Three-Color Policer Overview A two-rate three-color policer defines two bandwidth limits (one for guaranteed traffic and one for peak traffic) and two burst sizes (one for each of the bandwidth limits). For a yellow traffic flow. Peak information rate (PIR)—Bandwidth limit for peak traffic. Inc. For a green traffic flow. . two-rate TCM marks packets with an implicit loss priority of high and. For a tricolor marking policer referenced by a firewall filter term. the packets with higher loss priority are more likely to be discarded. two-rate TCM marks packets with an implicit loss priority of medium-high and transmits the packets. the discard policing action is supported on the following routing platforms: • • • M7i and M10i routers with the Enhanced CFEB (CFEB-E) M120 and M320 routers with Enhanced-III FPCs MX Series routers with Trio MPCs 408 Copyright © 2011. the only configurable action is to discard packets in a red traffic flow. • • If congestion occurs downstream. Juniper Networks. For a red traffic flow. optionally. Peak burst size (PBS)—Maximum packet size permitted for bursts of data that exceed the PIR. two-rate TCM marks the packets with an implicit loss priority of low and transmits the packets. • • Two-rate tricolor marking (two-rate TCM) classifies traffic as belonging to one of three color categories and performs congestion-control actions on the packets based on the color marking: • Green—Traffic that conforms to the bandwidth limit and burst size for guaranteed traffic (CIR and CBS). NOTE: For both single-rate and two-rate three-color policers.Junos OS 11. Two-rate three-color policing meters a traffic stream based on the following configured traffic criteria: • • Committed information rate (CIR)—Bandwidth limit for guaranteed traffic. Committed burst size (CBS)—Maximum packet size permitted for bursts of data that exceed the CIR.

For red traffic. it is not necessary to include the logical-interface-policer statement. You reference the policer from a stateless firewall filter term. which overrides the implicit marking of red traffic to a high loss priority. You configure the policer to rate-limit traffic to a bandwidth limit of 40 Mbps and a burst-size limit of 100 KB for green traffic. Nonconforming traffic that exceeds peak traffic limits is categorized as red. you apply a color-aware.0. The IPv4 firewall filter term that references the policer does not apply any packet-filtering. Example: Configuring a Two-Rate Three-Color Policer This example shows how to configure a two-rate three-color policer. two-rate three-color policer to the input IPv4 traffic at logical interface fe-0/1/1. Each category is associated with an action. In this example. Topology In this example. and nonconforming traffic falls into one of two categories: • • Nonconforming traffic that does not exceed peak traffic limits is categorized as yellow. then packets in a red flow are discarded instead. Only nonconforming traffic that exceeds the peak traffic limits is categorized as red. packets are implicitly set with a loss-priority value of high and then transmitted. packets are implicitly set with a loss-priority value of medium-high and then transmitted. Juniper Networks. For yellow traffic. and you configure the policer to also allow a peak bandwidth limit of 60 Mbps and a peak burst-size limit of 200 KB for yellow traffic. 409 . Overview A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic. packets are implicitly set with a loss-priority value of low and then transmitted. you configure the three-color policer action loss-priority high then discard. The filter is used only to apply the three-color policer to the interface.Chapter 12: Three-Color Policer Configuration To apply a tricolor marking policer on these routing platforms. You can apply a three-color policer to Layer 3 traffic as a firewall filter policer only. For green traffic. Inc. Traffic that conforms to the limits for guaranteed traffic is categorized as green. If the policer configuration includes the optional action statement (action loss-priority high then discard). and then you apply the filter to the input or output of a logical interface at the protocol level. • • • • Requirements on page 409 Overview on page 409 Configuration on page 410 Verification on page 413 Requirements No special configuration beyond device initialization is required before configuring this example. plus a bandwidth limit and burst-size limit for peak traffic. Copyright © 2011.

[edit] user@host# set firewall three-color-policer trTCM1-ca 2.Junos OS 11. To configure this example. copy the following configuration commands into a text file. and then paste the commands into the CLI at the [edit] hierarchy level. [edit firewall three-color-policer trTCM1-ca] user@host# set two-rate color-aware 3. Inc. set firewall three-color-policer trTCM1-ca two-rate color-aware set firewall three-color-policer trTCM1-ca two-rate committed-information-rate 40m set firewall three-color-policer trTCM1-ca two-rate committed-burst-size 100k set firewall three-color-policer trTCM1-ca two-rate peak-information-rate 60m set firewall three-color-policer trTCM1-ca two-rate peak-burst-size 200k set firewall three-color-policer trTCM1-ca action loss-priority high then discard set firewall family inet filter filter-trtcm1ca-all term 1 then three-color-policer two-rate trTCM1-ca set interfaces ge-2/0/5 unit 0 family inet address 10. Enable configuration of a three-color policer.1/30 set interfaces ge-2/0/5 unit 0 family inet filter input filter-trtcm1ca-all set class-of-service interfaces ge-2/0/5 forwarding-class af Configuring a Two-Rate Three-Color Policer Step-by-Step Procedure To configure a two-rate three-color policer: 1. . [edit firewall three-color-policer trTCM1-ca] user@host# set two-rate committed-information-rate 40m user@host# set two-rate committed-burst-size 100k Traffic that does not exceed both of these limits is categorized as green. see “Using the CLI Editor in Configuration Mode” on page 15. 4. Packets in a green flow are implicitly set to low loss priority and then transmitted.10. perform the following tasks: • • • Configuring a Two-Rate Three-Color Policer on page 410 Configuring an IPv4 Stateless Firewall Filter That References the Policer on page 411 Applying the Filter to a Logical Interface at the Protocol Family Level on page 412 CLI Quick Configuration To quickly configure this example.10. [edit firewall three-color-policer trTCM1-ca] user@host# set two-rate peak-information-rate 60m user@host# set two-rate peak-burst-size 200k 410 Copyright © 2011. remove any line breaks. Configure the two-rate guaranteed traffic limits. Configure the color mode of the two-rate three-color policer. For information about navigating the CLI.4 Firewall Filter and Policer Configuration Guide Configuration The following example requires you to navigate various levels in the configuration hierarchy. Configure the two-rate peak traffic limits. Juniper Networks.

repeat the instructions in this procedure to correct the configuration. the only configurable action is to discard red packets. [edit] user@host# show firewall Copyright © 2011. peak-information-rate 60m. 411 . Juniper Networks. Specify the filter term that references the policer. Packets in a red flow are implicitly set to high loss priority. [edit] user@host# show firewall three-color-policer trTCM1-ca { action { loss-priority high then discard. The firewall filter passes all packets to the policer. (Optional) Configure the policer action for red traffic. committed-burst-size 100k. [edit firewall family inet filter filter-trtcm1ca-all] user@host# set term 1 then three-color-policer two-rate trTCM1-ca Note that the term does not specify any match conditions. Packets in a yellow flow are implicitly set to medium-high loss priority and then transmitted. [edit] user@host# set firewall family inet filter filter-trtcm1ca-all 2. } } Configuring an IPv4 Stateless Firewall Filter That References the Policer Step-by-Step Procedure To configure an IPv4 stateless firewall filter that references the policer: 1. peak-burst-size 200k. } two-rate { color-aware. Enable configuration of an IPv4 standard stateless firewall filter. [edit firewall three-color-policer trTCM1-ca] user@host# set action loss-priority high then discard For three-color policers. Inc.Chapter 12: Three-Color Policer Configuration Nonconforming traffic that does not exceed both of these limits is categorized as yellow. Red packets are packets that have been assigned high loss priority because they exceeded the peak information rate (PIR) and the peak burst size (PBS). If the command output does not display the intended configuration. repeat the instructions in this procedure to correct the configuration. Results Confirm the configuration of the firewall filter by entering the show firewall configuration mode command. committed-information-rate 40m. Results Confirm the configuration of the policer by entering the show firewall configuration mode command. 5. Nonconforming traffic that exceeds both of these limits is categorized as red. If the command output does not display the intended configuration.

If the command output does not display the intended configuration.10. peak-information-rate 60m. (MX Series routers only) (Optional) For input policers.Junos OS 11. [edit] user@host# show interfaces ge-2/0/5 { unit 0 { family inet { 412 Copyright © 2011. A fixed classifier reclassifies all incoming packets. you can configure a fixed classifier. Results Confirm the configuration of the interface by entering the show interfaces configuration mode command. Juniper Networks. Inc. committed-burst-size 100k. peak-burst-size 200k. regardless of any preexisting classification. [edit] user@host# edit interfaces ge-2/0/5 unit 0 family inet 2. [edit] user@host# set class-of-service interfaces ge-2/0/5 forwarding-class af The classifier name can be a configured classifier or one of the default classifiers.1/30 user@host# set filter input filter-trtcm1ca-all 3.4 Firewall Filter and Policer Configuration Guide family inet { filter filter-trtcm1ca-all { term 1 { then { three-color-policer { two-rate trTCM1-ca. } } Applying the Filter to a Logical Interface at the Protocol Family Level Step-by-Step Procedure To apply the filter to the logical interface at the protocol family level: 1. } two-rate { color-aware. repeat the instructions in this procedure to correct the configuration. Enable configuration of an IPv4 firewall filter. committed-information-rate 40m. [edit interfaces ge-2/0/5 unit 0 family inet] user@host# set address 10. } } } } } three-color-policer trTCM1-ca { action { loss-priority high then discard. .10. Apply the policer to the logical interface at the protocol family level.

Route table: 0 Flags: Sendbcast-pkt-to-re Input Filters: filter-trtcm1ca-all Addresses. 413 . } } } } If you are done configuring the device.20. filter { input filter-trtcm1ca-all. Generation: 243. MTU: Unlimited.20.1. the Input Filters field displays the name of IPv4 firewall filters associated with the logical interface. Within that section.0 (Index 105) (SNMP ifIndex 556) (Generation 170) Flags: Device-Down SNMP-Traps 0x4004000 Encapsulation: ENET2 Traffic statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Local statistics: Input bytes : 0 Output bytes : 0 Input packets: 0 Output packets: 0 Transit statistics: Input bytes : 0 0 bps Output bytes : 0 0 bps Input packets: 0 0 pps Output packets: 0 0 pps Protocol inet. Flags: Dest-route-down Is-Preferred Is-Primary Destination: 10. Juniper Networks.0. Route table: 0 Policer: Input: __default_arp_policer__ Related Documentation • • • Statement Hierarchy for Configuring Policers on page 305 Three-Color Policer Configuration Overview on page 311 Three-Color Policer Configuration Guidelines on page 399 Copyright © 2011. • Displaying the Firewall Filters Applied to the Logical Interface on page 413 Displaying the Firewall Filters Applied to the Logical Interface Purpose Action Verify that the firewall filter is applied to IPv4 input traffic at the logical interface. and specify detail mode. enter commit from configuration mode. MTU: 1500. Use the show interfaces operational mode command for the logical interface ge-2/0/5. Local: 10.130. Generation: 242. Generation: 171 Protocol multiservice.130.0 detail Logical interface ge-2/0/5. Broadcast: 10.10.1/30. Verification Confirm that the configuration is working properly.Chapter 12: Three-Color Policer Configuration address 10.20. user@host> show interfaces ge-2/0/5. Inc.10.130/24. The Protocol inet section of the command output displays IPv4 information for the logical interface.255.

Juniper Networks. Inc.4 Firewall Filter and Policer Configuration Guide 414 Copyright © 2011.Junos OS 11. .

• • Two-Color and Three-Color Logical Interface Policers on page 415 Two-Color and Three-Color Physical Interface Policers on page 427 Two-Color and Three-Color Logical Interface Policers • • • Logical Interface (Aggregate) Policer Overview on page 415 Example: Configuring a Two-Color Logical Interface (Aggregate) Policer on page 416 Example: Configuring a Three-Color Logical Interface (Aggregate) Policer on page 421 Logical Interface (Aggregate) Policer Overview A logical interface policer—also called an aggregate policer—is a two-color or three-color policer that defines traffic rate limiting that you can apply to input or output traffic for multiple protocol families on the same logical interface without creating multiple instances of the policer. Juniper Networks.CHAPTER 13 Logical and Physical Interface Policer Configuration This chapter covers two-color and three-color policers configured as logical and physical interface policers and applied to Layer 2 or Layer 3 traffic. Inc. include the logical-interface-policer statement at one of the following hierarchy levels: • • [edit firewall three-color-policer name] [edit logical-systems logical-system-name firewall three-color-policer name] Copyright © 2011. include the logical-interface-policer statement at one of the following hierarchy levels: • • [edit firewall policer policer-name] [edit logical-systems logical-system-name firewall policer policer-name] To configure a single-rate or two-rate three-color logical interface policer. To configure a single-rate two-color logical interface policer. 415 .

416 Copyright © 2011. . As the incoming IPv4 traffic rate on the physical interface slows and conforms to the configured limits. then the logical interface policer policer_IFL rate-limits the input IPv4 traffic on the logical interface ge-1/3/1. regardless of the protocol family) or at the protocol family level (to rate-limit traffic of a specific protocol family). Junos OS stops marking the incoming IPv4 packets at the logical interface. Juniper Networks. You cannot reference a logical interface policer from a stateless firewall filter term and then apply the filter to a logical interface. you configure the single-rate two-color policer policer_IFL as a logical interface policer and apply it to incoming IPv4 traffic at logical interface ge-1/3/1. You cannot apply a three-color policer to Layer 2 traffic as a physical interface policer (through a firewall filter). make sure that the logical interface to which you apply the two-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-). • • • • Requirements on page 416 Overview on page 416 Configuration on page 417 Verification on page 421 Requirements Before you begin.0. Example: Configuring a Two-Color Logical Interface (Aggregate) Policer This example shows how to configure a single-rate two-color policer as a logical interface policer and apply it to incoming IPv4 traffic on a logical interface. To display a logical interface policer on a particular interface. Configure the policer to mark nonconforming traffic by setting packet loss priority (PLP) levels to high and classifying packets as best-effort. Overview In this example. and Monitoring” section of the Junos OS Routing Policy Configuration Guide. issue the show interfaces policers operational mode command. For information about configuring a stateless firewall filter for flooded traffic. You apply a logical interface policer to Layer 3 traffic directly to the interface configuration at the logical unit level (to rate-limit all traffic types. Forwarding. see “Applying Filters to Forwarding Tables” in the “Traffic Sampling. Topology If the input IPv4 traffic on the physical interface ge-1/3/1 exceeds the bandwidth limit equal to 90 percent of the media rate with a 300 KB burst-size limit. Inc. You can apply a logical interface policer to unicast traffic only.4 Firewall Filter and Policer Configuration Guide NOTE: A three-color policer can be applied to Layer 2 traffic as a logical interface policer only.0.Junos OS 11.

Inc.10. For information about navigating the CLI. Juniper Networks.10. Configure logical interface ge-1/3/1. [edit] user@host# edit interfaces ge-1/3/1 2. [edit interfaces ge-1/3/1] user@host# set vlan-tagging 3. perform the following tasks: • • • Configuring the Logical Interfaces on page 417 Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer on page 418 Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface on page 420 CLI Quick Configuration To quickly configure this example. To configure this example.20. see “Using the CLI Editor in Configuration Mode” on page 15. Enable configuration of the interface.2 mac 00:00:11:22:33:44 Copyright © 2011.20. [edit interfaces ge-1/3/1] user@host# set unit 0 vlan-id 100 user@host# set unit 0 family inet address 10.20.1/30 set interfaces ge-1/3/1 unit 1 vlan-id 101 set interfaces ge-1/3/1 unit 1 family inet address 20.20. [edit interfaces ge-1/3/1] user@host# set unit 1 vlan-id 101 user@host# set unit 1 family inet address 20.10. copy the following configuration commands into a text file. 417 . set interfaces ge-1/3/1 vlan-tagging set interfaces ge-1/3/1 unit 0 vlan-id 100 set interfaces ge-1/3/1 unit 0 family inet address 10.2 mac 00:00:11:22:33:44 set firewall policer policer_IFL logical-interface-policer set firewall policer policer_IFL if-exceeding bandwidth-percent 90 set firewall policer policer_IFL if-exceeding burst-size-limit 300k set firewall policer policer_IFL then loss-priority high set firewall policer policer_IFL then forwarding-class best-effort set interfaces ge-1/3/1 unit 0 family inet policer input policer_IFL Configuring the Logical Interfaces Step-by-Step Procedure To configure the logical interfaces: 1.10.1/30 arp 20. and then paste the commands into the CLI at the [edit] hierarchy level.20.1/30 4.0. remove any line breaks.Chapter 13: Logical and Physical Interface Policer Configuration Configuration The following example requires you to navigate various levels in the configuration hierarchy.20.20.20. Configure logical interface ge-1/3/1. Configure single tagging.1/30 arp 20.0.

10. from 8. [edit] user@host# show interfaces ge-1/3/1 { vlan-tagging.000 bits per second.4 Firewall Filter and Policer Configuration Guide Results Confirm the configuration of the logical interfaces by entering the show interfaces configuration mode command. 3.1/30 { arp 20.2 mac 00:00:11:22:33:44. Specify the policer traffic limits.Junos OS 11.10. • 418 Copyright © 2011. • To specify the bandwidth limit as an absolute rate. repeat the instructions in this procedure to correct the configuration. [edit firewall policer policer_IFL] user@host# set logical-interface-policer A logical interface policer rate-limits traffic based on a percentage of the media rate of the physical interface underlying the logical interface to which the policer is applied.1/30.20. family inet { address 10.20. If the command output does not display the intended configuration. Specify the bandwidth limit. [edit] user@host# edit firewall policer policer_IFL 2. Enable configuration of a single-rate two-color policer. include the bandwidth-limit bps statement. Juniper Networks. } } unit 1 { vlan-id 101.000 bits per second through 50. Specify that the policer is a logical interface (aggregate) policer.000. unit 0 { vlan-id 100. Inc.000. } } } } Configuring the Single-Rate Two-Color Policer as a Logical Interface Policer Step-by-Step Procedure To configure a single-rate two-color policer as a logical interface policer: 1. . The policer is applied directly to the interface rather than referenced by a firewall filter. include the bandwidth-percent percent statement.20. family inet { address 20. To specify the bandwidth limit as a percentage of the physical port speed on the interface.20. a.

the CLI commands and output are based on both setting the packet loss priority level and classifying the packet. which is the maximum packet size to be permitted for bursts of data that exceed the specified bandwidth limit. If the command output does not display the intended configuration.000. } then { loss-priority high. include the forwarding-class (forwarding-class | assured-forwarding | best-effort | expedited-forwarding | network-control) statement.000 bytes. • • To discard the packet. include the loss-priority (low | medium-low | medium-high | high) statement. Juniper Networks.000. Specify the burst-size limit.Chapter 13: Logical and Physical Interface Policer Configuration In this example. Specify the policer actions to be taken on traffic that exceeds the configured rate limits. the CLI commands and output are based on a bandwidth limit specified as a percentage rather than as an absolute rate. [edit firewall policer policer_IFL] user@host# set if-exceeding burst-size-limit 300k 4. forwarding-class best-effort. if-exceeding { bandwidth-percent 90. • In this example. [edit] user@host# show firewall policer policer_IFL { logical-interface-policer. Inc. [edit firewall policer policer_IFL] user@host# set then loss-priority high user@host# set then forwarding-class best-effort Results Confirm the configuration of the policer by entering the show firewall configuration mode command. 419 . To classify the packet to a forwarding class. } } Copyright © 2011. include the discard statement. To set the loss-priority value of the packet.500 bytes through 100. from 1. [edit firewall policer policer_IFL] user@host# set if-exceeding bandwidth-percent 90 b. burst-size-limit 300k. repeat the instructions in this procedure to correct the configuration.

20. include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit number] hierarchy level. [edit] user@host# show interfaces ge-1/3/1 { vlan-tagging. 420 Copyright © 2011. [edit interfaces ge-1/3/1 unit 0] user@host# set family inet policer input policer_IFL Results Confirm the configuration of the interface by entering the show interfaces configuration mode command. enter commit from configuration mode.20. [edit] user@host# edit interfaces ge-1/3/1 unit 0 2.2 mac 00:00:11:22:33:44. . • To apply the policer to all traffic types.20.Junos OS 11. Juniper Networks. • To apply the logical interface policer to incoming packets. family inet { address 20.4 Firewall Filter and Policer Configuration Guide Applying the Logical Interface Policer to Input IPv4 Traffic at a Logical Interface Step-by-Step Procedure To apply the two-color logical interface policer to input IPv4 traffic a logical interface: 1.1/30 { arp 20. include the policer (input | output) policer-name statement at the [edit interfaces interface-name unit unit-number family family-name] hierarchy level. To apply the policer to traffic of a specific protocol family. repeat the instructions in this procedure to correct the configuration. unit 0 { vlan-id 100.10. the CLI commands and output are based on rate-limiting the IPv4 input traffic at logical interface ge-1/3/1. family inet { policer input policer_IFL. use the policer output policer-name statement.1/30. address 10. Apply the policer to all traffic types or to a specific traffic type on the logical interface. } } } } If you are done configuring the device. Enable configuration of the logical interface. regardless of the protocol family. Inc. } } unit 1 { vlan-id 101.10.0. If the command output does not display the intended configuration. In this example. To apply the logical interface policer to outgoing packets.20. use the policer input policer-name statement.

In this example. the logical interface policer is applied to input traffic only. • • Displaying Traffic Statistics and Policers for the Logical Interface on page 421 Displaying Statistics for the Policer on page 421 Displaying Traffic Statistics and Policers for the Logical Interface Purpose Verify the traffic flow through the logical interface and that the policer is evaluated when packets are received on the logical interface.0-log_int-o The log_int-i suffix denotes a logical interface policer applied to input traffic. • • Requirements on page 422 Overview on page 422 Copyright © 2011. while the log_int-o suffix denotes a logical interface policer applied to output traffic.0-log_int-o The log_int-i suffix denotes a logical interface policer applied to input traffic. Displaying Statistics for the Policer Purpose Action Verify the number of packets evaluated by the policer. In this example.0-log_int-i policer_IFL-ge-1/3/1. The command output section for Traffic statistics lists the number of bytes and packets received and transmitted on the logical interface. Example: Configuring a Three-Color Logical Interface (Aggregate) Policer This example shows how to configure a two-rate three-color color-blind policer as a logical interface (aggregate) policer and apply the policer directly to Layer 2 input traffic at a supported logical interface. The command output displays the number of packets evaluated by each configured policer (or the specified policer).Chapter 13: Logical and Physical Interface Policer Configuration Verification Confirm that the configuration is working properly.0. while the log_int-o suffix denotes a logical interface policer applied to output traffic.0-log_int-i Output: policer_IFL-ge-1/3/1. Juniper Networks. For the policer policer_IFL. the input and output policer names are displayed as follows: • • policer_IFL-ge-1/3/1. the logical interface policer is applied to input traffic only. The Protocol inet subsection contains a Policer field that would list the policer policer_IFL as an input or output logical interface policer as follows: • • Action Input: policer_IFL-ge-1/3/1. Use the show interfaces operational mode command for logical interface ge-1/3/1. and include the detail or extensive option. 421 . Inc. in each direction. Use the show policer operational mode command and optionally specify the name of the policer.

As with any policed traffic. Traffic that conforms to the limits for guaranteed traffic is categorized as green. and nonconforming traffic falls into one of two categories: • Nonconforming traffic that does not exceed the bandwidth and burst-size limits for peak traffic is categorized as yellow. NOTE: When using a three-color policer to rate-limit Layer 2 traffic. The packets in a yellow traffic flow are implicitly set to a medium-high loss priority and then transmitted. and not by referencing the policer in a stateless firewall filter and then applying the filter to the logical interface at the protocol family level. Nonconforming traffic that exceeds the bandwidth and burst-size limits for peak traffic is categorized as red.4 Firewall Filter and Policer Configuration Guide • • Configuration on page 423 Verification on page 426 Requirements Before you begin. Topology In this example. you configure the two-rate three-color policer trTCM2-cb as a color-blind logical interface policer and apply the policer to incoming Layer 2 traffic on logical interface ge-1/3/1. Juniper Networks. plus a second set of bandwidth and burst-size limits for peak traffic. Overview A two-rate three-color policer meters a traffic flow against a bandwidth limit and burst-size limit for guaranteed traffic. NOTE: You apply a logical interface policer directly to a logical interface at the logical unit level. color-aware policing can be applied to egress traffic only. Inc. 422 Copyright © 2011. • A logical interface policer defines traffic rate-limiting rules that you can apply to multiple protocol families on the same logical interface without creating multiple instances of the policer. Nonconforming traffic that falls within the peak traffic limits of a 60 Mbps bandwidth limit and a 200 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as yellow.0. make sure that the logical interface to which you apply the three-color logical interface policer is hosted on a Gigabit Ethernet interface (ge-) or a 10-Gigabit Ethernet interface (xe-) on an MX Series router. the packets in a green flow are implicitly set to a low loss priority and then transmitted. .Junos OS 11. The policer defines guaranteed traffic rate limits such that traffic that conforms to the bandwidth limit of 40 Mbps with a 100 KB allowance for traffic bursting (based on the token-bucket formula) is categorized as green.

1/30 set interfaces ge-1/3/1 unit 1 vlan-id 101 set interfaces ge-1/3/1 unit 1 family inet address 20.1/30 Copyright © 2011.20.Chapter 13: Logical and Physical Interface Policer Configuration Nonconforming traffic that exceeds the peak traffic limits are categorized as red. remove any line breaks. see “Using the CLI Editor in Configuration Mode” on page 15. Enable configuration of the interface.20. [edit interfaces ge-1/3/1] user@host# set vlan-tagging 3. perform the following tasks: • • • Configuring the Logical Interfaces on page 423 Configuring the Two-Rate Three-Color Policer as a Logical Interface Policer on page 424 Applying the Three-Color Policer to the Layer 2 Input at the Logical Interface on page 425 CLI Quick Configuration To quickly configure this example. 423 . set interfaces ge-1/3/1 vlan-tagging set interfaces ge-1/3/1 unit 0 vlan-id 100 set interfaces ge-1/3/1 unit 0 family inet address 10. In this example. For information about navigating the CLI. Configure logical interface ge-1/3/1.10. so packets in a red traffic flow are discarded instead of transmitted. Inc. Configure single tagging.2 mac 00:00:11:22:33:44 set firewall three-color-policer trTCM2-cb logical-interface-policer set firewall three-color-policer trTCM2-cb two-rate color-blind set firewall thre