Routing




  • 1.  firewall family inet filter testfilter

    Posted 09-27-2012 20:12
    firewall {
        family inet {
            filter PROTECT_RE {

    I want to know whether this inet filter can match layer 2 packets, such as STP or a layer 2 storm, if I set up a policer in this filter.


  • 2.  RE: firewall family inet filter testfilter

    Posted 09-28-2012 02:41
    Robbie,

    To match L2 parameters (like MAC addresses etc), you need to configure a filter under family type 'ethernet-switching'.

    Check out the options that Junos allows for a family inet filter:

    regress@beta-mclag1# set firewall family inet filter test term one from ?
    Possible completions:
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > destination-address Match IP destination address
    + destination-port Match TCP/UDP destination port
    destination-port-range-optimize Optimize the destination port range
    > destination-prefix-list Match IP destination prefixes in named list
    + dscp Match Differentiated Services (DiffServ) code point
    fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
    + fragment-offset Match fragment offset
    + icmp-code Match ICMP message code
    + icmp-type Match ICMP message type
    > interface Match interface name
    + ip-options Match IP options
    is-fragment Match if packet is a fragment
    + packet-length Match packet length
    + packet-length-except Do not match packet length
    + precedence Match IP precedence value
    + protocol Match IP protocol type
    > source-address Match IP source address
    + source-port Match TCP/UDP source port
    source-port-range-optimize Optimize the source port range
    > source-prefix-list Match IP source prefixes in named list
    tcp-established Match packet of an established TCP connection
    tcp-flags Match TCP flags (in symbolic or hex formats)
    tcp-initial Match initial packet of a TCP connection
    + ttl Match IP ttl type
    [edit]


    =======
    now the options for family ethernet-switching filter:

    regress@beta-mclag1# set firewall family ethernet-switching filter test term one from ?
    Possible completions:
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > destination-address Match IP destination address
    > destination-mac-address Match MAC destination address
    + destination-port Match TCP/UDP destination port
    > destination-prefix-list Match IP destination prefixes in named list
    + dot1q-tag Match Dot1Q Tag Value
    + dot1q-user-priority Match Dot1Q user priority
    + dscp Match Differentiated Services (DiffServ) code point
    + ether-type Match Ethernet Type
    fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
    + icmp-code Match ICMP message code
    + icmp-type Match ICMP message type
    > interface Match interface name
    is-fragment Match if packet is a fragment
    + l2-encap-type Match Ethernet Encapsulation Type
    + precedence Match IP precedence value
    + protocol Match IP protocol type
    > source-address Match IP source address
    > source-mac-address Match MAC source address
    + source-port Match TCP/UDP source port
    > source-prefix-list Match IP source prefixes in named list
    tcp-established Match packet of an established TCP connection
    tcp-flags Match TCP flags (in symbolic or hex formats)
    tcp-initial Match initial packet of a TCP connection
    + vlan Match Vlan Id or Name
    [edit]

    Filters under family ethernet-switching allow matching on MAC/ether-type etc while family-inet filters do not.

    HTH,
    ankit
    #family
    #inet
    #ethernet-switching
    #filter
    #firewall
    #ether-type
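
    The two CLI listings above show the match keys each family accepts; the following is an added configuration example (not from the original post or from Juniper) that puts them side by side. It assumes an EX-style switch port (ge-0/0/1) and an invented loopback address 192.0.2.1; the filter, policer and counter names (L2-STORM, STORM-POLICER, PROTECT-RE, bpdu-seen, arp-seen) and the rate values are placeholders chosen for illustration. The ethernet-switching filter counts STP BPDUs (destination MAC 01:80:c2:00:00:00) and ARP frames and rate-limits broadcast traffic with a policer, which is what the family inet filter cannot do; the family inet filter is limited to IP-level terms such as protecting the RE's management address.

```junos
firewall {
    /* Hypothetical policer: rate-limit broadcast frames on the access port */
    policer STORM-POLICER {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 100k;
        }
        then discard;
    }
    /* Layer 2 matching is only available under family ethernet-switching */
    family ethernet-switching {
        filter L2-STORM {
            term stp-bpdu {
                from {
                    destination-mac-address {
                        01:80:c2:00:00:00/48;   /* IEEE STP BPDU group address */
                    }
                }
                then {
                    count bpdu-seen;           /* counter name is invented */
                    accept;
                }
            }
            term arp {
                from {
                    ether-type arp;            /* ARP never carries an IP header, so an inet filter never sees it */
                }
                then {
                    count arp-seen;
                    accept;
                }
            }
            term broadcast-storm {
                from {
                    destination-mac-address {
                        ff:ff:ff:ff:ff:ff/48;   /* all-ones broadcast MAC */
                    }
                }
                then {
                    policer STORM-POLICER;
                    accept;
                }
            }
            term allow-rest {
                then accept;
            }
        }
    }
    /* Layer 3 only: an inet filter matches IP fields and is blind to STP/ARP */
    family inet {
        filter PROTECT-RE {
            term permit-ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;          /* invented management prefix */
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            term default-deny {
                then {
                    count re-denied;
                    discard;
                }
            }
        }
    }
}
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input L2-STORM;
                }
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input PROTECT-RE;
                }
                address 192.0.2.1/32;          /* invented loopback address */
            }
        }
    }
}
```

    After committing, `show firewall filter L2-STORM` displays the bpdu-seen and arp-seen counters and the policer's discard count, which is the quickest way to confirm that layer 2 control frames are being seen by the ethernet-switching filter and not by PROTECT-RE.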


  • 3.  RE: firewall family inet filter testfilter

    Posted 09-28-2012 02:45
    Since a filter under family inet can't match layer 2 info, packets such as STP and ARP will not be handled by the default term if there is a default term, right?


  • 4.  RE: firewall family inet filter testfilter
    Best Answer

    Posted 09-28-2012 02:53
    Correct, these will not be affected.
    ARP replies will be processed just fine. Also, you ideally shouldn't receive any STP BPDUs on a layer-3 interface 🙂