Robbie,
To match L2 parameters (like MAC addresses etc.), you need to configure a filter under family type 'ethernet-switching'.
Check out the options that Junos allows for a family inet filter:
regress@beta-mclag1# set firewall family inet filter test term one from ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
+ destination-port Match TCP/UDP destination port
destination-port-range-optimize Optimize the destination port range
> destination-prefix-list Match IP destination prefixes in named list
+ dscp Match Differentiated Services (DiffServ) code point
fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ fragment-offset Match fragment offset
+ icmp-code Match ICMP message code
+ icmp-type Match ICMP message type
> interface Match interface name
+ ip-options Match IP options
is-fragment Match if packet is a fragment
+ packet-length Match packet length
+ packet-length-except Do not match packet length
+ precedence Match IP precedence value
+ protocol Match IP protocol type
> source-address Match IP source address
+ source-port Match TCP/UDP source port
source-port-range-optimize Optimize the source port range
> source-prefix-list Match IP source prefixes in named list
tcp-established Match packet of an established TCP connection
tcp-flags Match TCP flags (in symbolic or hex formats)
tcp-initial Match initial packet of a TCP connection
+ ttl Match IP ttl type
[edit]
=======
Now the options for a family ethernet-switching filter:
regress@beta-mclag1# set firewall family ethernet-switching filter test term one from ?
Possible completions:
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
> destination-mac-address Match MAC destination address
+ destination-port Match TCP/UDP destination port
> destination-prefix-list Match IP destination prefixes in named list
+ dot1q-tag Match Dot1Q Tag Value
+ dot1q-user-priority Match Dot1Q user priority
+ dscp Match Differentiated Services (DiffServ) code point
+ ether-type Match Ethernet Type
fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
+ icmp-code Match ICMP message code
+ icmp-type Match ICMP message type
> interface Match interface name
is-fragment Match if packet is a fragment
+ l2-encap-type Match Ethernet Encapsulation Type
+ precedence Match IP precedence value
+ protocol Match IP protocol type
> source-address Match IP source address
> source-mac-address Match MAC source address
+ source-port Match TCP/UDP source port
> source-prefix-list Match IP source prefixes in named list
tcp-established Match packet of an established TCP connection
tcp-flags Match TCP flags (in symbolic or hex formats)
tcp-initial Match initial packet of a TCP connection
+ vlan Match Vlan Id or Name
[edit]
Filters under family ethernet-switching allow matching on MAC address, ether-type etc., while family inet filters do not.
HTH,
ankit
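As an added example (not part of the reply above, and not Juniper's own sample), here is a complete filter under family ethernet-switching that uses the L2 match conditions shown in the second completion list and is applied to an access port; the interface ge-0/0/1, the filter and term names, the MAC address and the counter name are all assumed values.

```junos
# Added example: an L2 filter that a family inet filter could not express.
# Interface, filter/term names, MAC address and counter name are assumptions.
#
# Term 1: permit frames sourced by the single host expected on this access port
set firewall family ethernet-switching filter L2-EDGE term known-host from source-mac-address 00:11:22:33:44:55/48
set firewall family ethernet-switching filter L2-EDGE term known-host then accept
#
# Term 2: ARP from any other MAC is counted (for visibility) and then dropped
set firewall family ethernet-switching filter L2-EDGE term unknown-arp from ether-type arp
set firewall family ethernet-switching filter L2-EDGE term unknown-arp then count unknown-arp-drops
set firewall family ethernet-switching filter L2-EDGE term unknown-arp then discard
#
# Term 3: everything else is discarded; stating it keeps the intent explicit
# even though a filter ends with an implicit discard
set firewall family ethernet-switching filter L2-EDGE term default then discard
#
# Apply the filter to ingress traffic on the access port
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input L2-EDGE
#
# Note: 'source-mac-address' and 'ether-type' are not offered under
# 'family inet filter ... from', so the same terms would be rejected there.
```

After commit, `show firewall filter L2-EDGE` shows the unknown-arp-drops counter, which is a quick way to confirm the L2 match is actually hitting traffic.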