8/13/2019 Config Guide Firewall Policer
1/547
Junos® OS
Firewall Filter and Policer Configuration Guide
Release
11.4
Published: 2011-11-08
Copyright © 2011, Juniper Networks, Inc.
Juniper Networks, Inc.
1194 North Mathilda Avenue
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997,
Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part
of them is in the public domain.
This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.
This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation
and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright ©
1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.
GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through
release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s
HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD
software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D.
L. S. Associates.
This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.
Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are
owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312,
6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.
Junos® OS Firewall Filter and Policer Configuration Guide 11.4
Copyright © 2011, Juniper Networks, Inc.
All rights reserved.
Revision History
October 2011—R1 Junos OS 11.4
The information in this document is current as of the date listed in the revision history.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions
of that EULA.
Abbreviated Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Part 1 Stateless Firewall Filters
Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Chapter 2 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Chapter 3 Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . . 31
Chapter 4 Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47
Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 6 Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Chapter 7 Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . . 261
Chapter 9 Summary of Stateless Firewall Filter Configuration Statements . . . . . . . 283
Part 2 Traffic Policers
Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Chapter 11 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . 327
Chapter 12 Three-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Chapter 13 Logical and Physical Interface Policer Configuration . . . . . . . . . . . . . . . . . . 415
Chapter 14 Layer 2 Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Chapter 15 Summary of Policer Configuration Statements . . . . . . . . . . . . . . . . . . . . . . 455
Part 3 Index
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507
Index of Statements and Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Table of Contents
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Junos OS Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
Audience . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii
Using the Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiv
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvii
Part 1 Stateless Firewall Filters
Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Router Data Flow Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Flow of Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Flow of Data Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Flow of Local Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Interdependent Flows of Routing Information and Packets . . . . . . . . . . . . . . . 4
Stateless Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Data Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Local Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Stateless and Stateful Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Purpose of Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Stateless Firewall Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Standard Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Stateless Firewall Filter Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Protocol Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Filter Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Filter-Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Flow Control Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Stateless Firewall Filter Application Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Supported Standards for Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Using the CLI Editor in Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 2 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Standard Stateless Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
How Standard Firewall Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Firewall Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Firewall Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Firewall Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . . . 21
Firewall Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . . 21
Firewall Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Guidelines for Configuring Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . 21
Statement Hierarchy for Configuring Standard Firewall Filters . . . . . . . . . . . . 22
Standard Firewall Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Standard Firewall Filter Names and Options . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Standard Firewall Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Standard Firewall Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Standard Firewall Filter Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Guidelines for Applying Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Applying Standard Firewall Filters Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Applying a Firewall Filter to a Router’s Physical Interfaces . . . . . . . . . . . 26
Applying a Firewall Filter to the Router’s Loopback Interface . . . . . . . . . 26
Applying a Firewall Filter to Multiple Interfaces . . . . . . . . . . . . . . . . . . . . 27
Statement Hierarchy for Applying Standard Firewall Filters . . . . . . . . . . . . . . 27
Restrictions on Applying Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . 27
Number of Input and Output Filters Per Logical Interface . . . . . . . . . . . . 28
MPLS and Layer 2 CCC Firewall Filters in Lists . . . . . . . . . . . . . . . . . . . . . 28
Layer 2 CCC Firewall Filters on MX Series Routers . . . . . . . . . . . . . . . . . . 28
Protocol-Independent Firewall Filters on the Loopback Interface . . . . . 28
Understanding How to Use Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . 29
Using Standard Firewall Filters to Affect Local Packets . . . . . . . . . . . . . . . . . 29
Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Flood Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Using Standard Firewall Filters to Affect Data Packets . . . . . . . . . . . . . . . . . 30
Chapter 3 Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . . 31
Firewall Filter Match Conditions Based on Numbers or Text Aliases . . . . . . . . . . . 31
Matching on a Single Numeric Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Matching on a Range of Numeric Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Matching on a Text Alias for a Numeric Value . . . . . . . . . . . . . . . . . . . . . . . . . 32
Matching on a List of Numeric Values or Text Aliases . . . . . . . . . . . . . . . . . . . 32
Firewall Filter Match Conditions Based on Bit-Field Values . . . . . . . . . . . . . . . . . . 32
Match Conditions for Bit-Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Match Conditions for Common Bit-Field Values or Combinations . . . . . . . . . 33
Logical Operators for Bit-Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Matching on a Single Bit-Field Value or Text Alias . . . . . . . . . . . . . . . . . . . . . . 35
Matching on Multiple Bit-Field Values or Text Aliases . . . . . . . . . . . . . . . . . . . 35
Matching on a Negated Bit-Field Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Matching on the Logical OR of Two Bit-Field Values . . . . . . . . . . . . . . . . . . . 36
Matching on the Logical AND of Two Bit-Field Values . . . . . . . . . . . . . . . . . . 36
Grouping Bit-Field Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Firewall Filter Match Conditions Based on Address Fields . . . . . . . . . . . . . . . . . . . 37
Implied Match on the ’0/0 except’ Address for Firewall Filter Match
Conditions Based on Address Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Matching an Address Field to a Subnet Mask or Prefix . . . . . . . . . . . . . . . . . . 37
IPv4 Subnet Mask Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Prefix Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Default Prefix Length for IPv4 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 38
Default Prefix Length for IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 38
Default Prefix Length for MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . . 38
Matching an Address Field to an Excluded Value . . . . . . . . . . . . . . . . . . . . . . 38
Excluding IP Addresses in IPv4 or IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . 38
Excluding IP Addresses in VPLS or Layer 2 Bridging Traffic . . . . . . . . . . . 39
Excluding MAC Addresses in VPLS or Layer 2 Bridging Traffic . . . . . . . . . 40
Excluding All Addresses Requires an Explicit Match on the ’0/0’ Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40
Matching Either IP Address Field to a Single Value . . . . . . . . . . . . . . . . . . . . . 42
Matching Either IP Address Field in IPv4 or IPv6 Traffic . . . . . . . . . . . . . . 42
Matching Either IP Address Field in VPLS or Layer 2 Bridging Traffic . . . . 42
Matching an Address Field to Noncontiguous Prefixes . . . . . . . . . . . . . . . . . . 42
Matching an Address Field to a Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Firewall Filter Match Conditions Based on Address Classes . . . . . . . . . . . . . . . . . 45
Source-Class Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Destination-Class Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Guidelines for Applying SCU or DCU Firewall Filters to Output Interfaces . . . 45
Chapter 4 Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47
Standard Firewall Filter Match Conditions for Protocol-Independent Traffic . . . . 47
Standard Firewall Filter Match Conditions for IPv4 Traffic . . . . . . . . . . . . . . . . . . . 48
Standard Firewall Filter Match Conditions for IPv6 Traffic . . . . . . . . . . . . . . . . . . . 57
Standard Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . 62
Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic . . . . . . 64
Matching on IPv4 Packet Header Address or Port Fields in MPLS Flows . . . . 64
IP Address Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . . 65
IP Port Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Standard Firewall Filter Match Conditions for VPLS Traffic . . . . . . . . . . . . . . . . . . 66
Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic . . . . . . . . . . . . . 73
Standard Firewall Filter Match Conditions for Layer 2 Bridging Traffic . . . . . . . . . 75
Standard Firewall Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Standard Firewall Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 82
Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Standard Firewall Filters That Match Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Example: Configuring a Filter to Match on IPv6 Flags . . . . . . . . . . . . . . . . . . . 89
Example: Configuring a Filter to Match on Port and Protocol Fields . . . . . . . . 91
Example: Configuring a Filter to Match on Two Unrelated Criteria . . . . . . . . . 94
Example: Configuring a Filter to Limit TCP Access to a Port Based On a
Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
Standard Firewall Filters That Count Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Example: Configuring a Filter to Count Accepted and Rejected Packets . . . 100
Example: Configuring a Filter to Count and Discard IP Options Packets . . . . 103
Example: Configuring a Filter to Count IP Options Packets . . . . . . . . . . . . . . 106
Standard Firewall Filters That Act on Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Example: Configuring a Filter to Set the DSCP Bit to Zero . . . . . . . . . . . . . . . . 111
Example: Configuring a Filter to Count and Sample Accepted Packets . . . . . 114
Standard Firewall Filters for Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Example: Configuring a Stateless Firewall Filter to Accept Traffic from
Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118
Example: Configuring a Filter to Block Telnet and SSH Access . . . . . . . . . . . 123
Example: Configuring a Filter to Block TFTP Access . . . . . . . . . . . . . . . . . . . 129
Example: Configuring a Filter to Accept OSPF Packets from a Prefix . . . . . . 132
Example: Configuring a Filter to Accept DHCP Packets Based on
Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Example: Configuring a Filter to Block TCP Access to a Port Except from
Specified BGP Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Standard Firewall Filters That Prevent IP Packet Flooding . . . . . . . . . . . . . . . . . . 143
Example: Configuring a Stateless Firewall Filter to Protect Against TCP and
ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Example: Configuring a Filter to Accept Packets Based on IPv6 TCP
Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149
Standard Firewall Filters That Handle Fragmented Packets . . . . . . . . . . . . . . . . . 152
Firewall Filters That Handle Fragmented Packets Overview . . . . . . . . . . . . . 152
Example: Configuring a Stateless Firewall Filter to Handle Fragments . . . . . 152
Standard Firewall Filters That Set Rate Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Stateless Firewall Filters That Reference Policers Overview . . . . . . . . . . . . . 157
Example: Configuring a Rate-Limiting Filter Based on Destination Class . . . 158
Multiple Standard Firewall Filters Applied as a List . . . . . . . . . . . . . . . . . . . . . . . . 161
Multiple Standard Firewall Filters Applied as a List Overview . . . . . . . . . . . . 161
The Challenge: Simplify Large-Scale Firewall Filter Administration . . . . 161
A Solution: Apply Lists of Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . 162
Configuration of Multiple Filters for Filter Lists . . . . . . . . . . . . . . . . . . . . 162
Application of Filter Lists to a Router Interface . . . . . . . . . . . . . . . . . . . . 162
Interface-Specific Names for Filter Lists . . . . . . . . . . . . . . . . . . . . . . . . . 163
How Filter Lists Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
Guidelines for Applying Multiple Standard Firewall Filters as a List . . . . . . . 164
Statement Hierarchy for Applying Lists of Multiple Firewall Filters . . . . 164
Filter Input Lists and Output Lists for Router Interfaces . . . . . . . . . . . . . 164
Types of Filters Supported in Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
Restrictions on Applying Filter Lists for MPLS or Layer 2 CCC Traffic . . . 165
Example: Applying Lists of Multiple Standard Firewall Filters . . . . . . . . . . . . 165
Multiple Standard Firewall Filters in a Nested Configuration . . . . . . . . . . . . . . . . 170
Multiple Standard Firewall Filters in a Nested Configuration Overview . . . . . 170
The Challenge: Simplify Large-Scale Firewall Filter Administration . . . 170
A Solution: Configure Nested References to Firewall Filters . . . . . . . . . . 171
Configuration of Nested Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Application of Nested Firewall Filters to a Router Interface . . . . . . . . . . . 171
Guidelines for Nesting References to Multiple Standard Firewall Filters . . . . 172
Statement Hierarchy for Configuring Nested Firewall Filters . . . . . . . . . 172
Filter-Defining Terms and Filter-Referencing Terms . . . . . . . . . . . . . . . . 172
Types of Filters Supported in Nested Configurations . . . . . . . . . . . . . . . 173
Number of Filter References in a Single Filter . . . . . . . . . . . . . . . . . . . . . 173
Depth of Filter Nesting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
Example: Nesting References to Multiple Standard Firewall Filters . . . . . . . . 173
Interface-Specific Firewall Filter Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Interface-Specific Firewall Filter Instances Overview . . . . . . . . . . . . . . . . . . . 177
Instantiation of Interface-Specific Firewall Filters . . . . . . . . . . . . . . . . . . 177
Interface-Specific Names for Firewall Filter Instances . . . . . . . . . . . . . . 178
Interface-Specific Firewall Filter Counters . . . . . . . . . . . . . . . . . . . . . . . 178
Interface-Specific Firewall Filter Policers . . . . . . . . . . . . . . . . . . . . . . . . 179
Statement Hierarchy for Configuring Interface-Specific Firewall Filters . . . . 179
Statement Hierarchy for Applying Interface-Specific Firewall Filters . . . . . . 180
Example: Configuring Interface-Specific Firewall Filter Counters . . . . . . . . . 180
Filtering Packets Received on a Set of Interface Groups . . . . . . . . . . . . . . . . . . . . 185
Filtering Packets Received on a Set of Interface Groups Overview . . . . . . . . 185
Statement Hierarchy for Assigning Interfaces to Interface Groups . . . . . . . . 185
Statement Hierarchy for Configuring a Filter to Match on a Set of Interface
Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
Statement Hierarchy for Applying Filters to an Interface Group . . . . . . . . . . 187
Example: Filtering Packets Received on an Interface Group . . . . . . . . . . . . . 188
Filtering Packets Received on an Interface Set . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
Filtering Packets Received on an Interface Set Overview . . . . . . . . . . . . . . . 192
Statement Hierarchy for Defining an Interface Set . . . . . . . . . . . . . . . . . . . . 192
Statement Hierarchy for Configuring a Filter to Match on an Interface
Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
Example: Filtering Packets Received on an Interface Set . . . . . . . . . . . . . . . 193
Filter-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Filter-Based Forwarding Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
Filters That Classify Packets or Direct Them to Routing Instances . . . . 199
Input Filtering to Classify and Forward Packets Within the Router . . . . 200
Output Filtering to Forward Packets to Another Routing Table . . . . . . 200
Restrictions for Applying Filter-Based Forwarding . . . . . . . . . . . . . . . . 200
Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic . . . . . . . . . 201
Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic . . . 201
Matching on IPv4 Address Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Matching on TCP Port Number Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
Matching on UDP Port Number Fields . . . . . . . . . . . . . . . . . . . . . . . . . . 203
Statement Hierarchy for Configuring Routing Instances for FBF . . . . . . . . . 204
Statement Hierarchy for Applying FBF Filters to Interfaces . . . . . . . . . . . . . 205
Example: Configuring Filter-Based Forwarding on the Source Address . . . . 206
Accounting for Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Accounting for Standard Firewall Filters Overview . . . . . . . . . . . . . . . . . . . . . 211
Statement Hierarchy for Configuring Firewall Filter Accounting Profiles . . . . 211
Statement Hierarchy for Applying Firewall Filter Accounting Profiles . . . . . . 212
Example: Configuring Statistics Collection for a Standard Firewall Filter . . . 213
Logging of Stateless Firewall Filter Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
System Logging Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
System Logging of Events Generated for the Firewall Facility . . . . . . . . . . . . 219
Logging of Packet Headers Evaluated by a Firewall Filter Term . . . . . . . . . . . 221
Example: Configuring Logging for a Stateless Firewall Filter Term . . . . . . . . 222
Chapter 6 Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Service Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Service Rule Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Service Filter Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
How Service Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
Service Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Service Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . . 229
Service Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . . 229
Service Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . 229
Service Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Guidelines for Configuring Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Statement Hierarchy for Configuring Service Filters . . . . . . . . . . . . . . . . . . . 230
Service Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Service Filter Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Service Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Service Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Service Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Guidelines for Applying Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Restrictions for Adaptive Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . 232
Adaptive Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
System Logging to a Remote Host from M Series Routers . . . . . . . . . . . 232
Statement Hierarchy for Applying Service Filters . . . . . . . . . . . . . . . . . . . . . 232
Associating Service Rules with Adaptive Services Interfaces . . . . . . . . . . . . 233
Filtering Traffic Before Accepting Packets for Service Processing . . . . . . . . 233
Postservice Filtering of Returning Service Traffic . . . . . . . . . . . . . . . . . . . . . . 234
Service Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Service Filter Match Conditions for IPv4 or IPv6 Traffic . . . . . . . . . . . . . . . . . 235
Service Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Service Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Example: Configuring and Applying Service Filters . . . . . . . . . . . . . . . . . . . . . . . . 242
Chapter 7 Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Simple Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
How Simple Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Simple Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Simple Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . . 250
Simple Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . . 250
Simple Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . 250
Simple Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250
Guidelines for Configuring Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Statement Hierarchy for Configuring Simple Filters . . . . . . . . . . . . . . . . . . . . 251
Simple Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Simple Filter Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Simple Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Simple Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Simple Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Simple Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Guidelines for Applying Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Statement Hierarchy for Applying Simple Filters . . . . . . . . . . . . . . . . . . . . . . 254
Restrictions for Applying Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Example: Configuring and Applying a Simple Filter . . . . . . . . . . . . . . . . . . . . . . . 255
Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . . 261
Stateless Firewall Filters in Logical Systems Overview . . . . . . . . . . . . . . . . . . . . . 261
Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261
Stateless Firewall Filters in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . 261
Identifiers for Firewall Objects in Logical Systems . . . . . . . . . . . . . . . . . . . . 262
Guidelines for Configuring and Applying Firewall Filters in Logical Systems . . . . 262
Statement Hierarchy for Configuring Firewall Filters in Logical Systems . . . 262
Filter Types in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Firewall Filter Protocol Families in Logical Systems . . . . . . . . . . . . . . . . . . . 263
Firewall Filter Match Conditions in Logical Systems . . . . . . . . . . . . . . . . . . . 264
Firewall Filter Actions in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Statement Hierarchy for Applying Firewall Filters in Logical Systems . . . . . 264
References from a Firewall Filter in a Logical System to Subordinate Objects . . 265
Resolution of References from a Firewall Filter to Subordinate Objects . . . 265
Valid Reference from a Firewall Filter to a Subordinate Object . . . . . . . . . . 265
References from a Firewall Filter in a Logical System to Nonfirewall Objects . . 266
Resolution of References from a Firewall Filter to Nonfirewall Objects . . . . 266
Valid Reference to a Nonfirewall Object Outside of the Logical System . . . 267
References from a Nonfirewall Object in a Logical System to a Firewall Filter . . 268
Resolution of References from a Nonfirewall Object to a Firewall Filter . . . 269
Invalid Reference to a Firewall Filter Outside of the Logical System . . . . . . 269
Valid Reference to a Firewall Filter Within the Logical System . . . . . . . . . . . 270
Valid Reference to a Firewall Filter Outside of the Logical System . . . . . . . . 272
Restrictions for Stateless Firewall Filters in Logical Systems . . . . . . . . . . . . . . . . 273
Unsupported Firewall Filter Statements for Logical Systems . . . . . . . . . . . . 273
Unsupported Actions for Firewall Filters in Logical Systems . . . . . . . . . . . . . 275
Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
Chapter 9 Summary of Stateless Firewall Filter Configuration Statements . . . . . . . 283
accounting-profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
enhanced-mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
filter (Applying to a Logical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
filter (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
interface-set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
interface-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
service-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
simple-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
term . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Part 2 Traffic Policers
Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Traffic Policing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Congestion Management for IP Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . . 297
Traffic Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Traffic Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Policer Application to Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300
Traffic Policer Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Basic Single-Rate Two-Color Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Hierarchical Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Two-Color and Three-Color Policer Options . . . . . . . . . . . . . . . . . . . . . . . . . 303
Logical Interface (Aggregate) Policers . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Physical Interface Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Policers Applied to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Order of Policer and Firewall Filter Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Introduction to Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Statement Hierarchy for Configuring Policers . . . . . . . . . . . . . . . . . . . . . . . . 305
Two-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Three-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Hierarchical Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . 314
Guidelines for Applying Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Introduction to Policer Rate Limits and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Policer Bandwidth and Burst-Size Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
Policer Color-Marking and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Conformance Measurement for Two-Color Marking . . . . . . . . . . . . . . . . 321
Dual Token Bucket Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Guaranteed Bandwidth for Three-Color Marking . . . . . . . . . . . . . . . . . . 322
Nonconformance Measurement for Single-Rate Three-Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Nonconformance Measurement for Two-Rate Three-Color Marking . . 323
Calculation of Policer Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Guidelines for Choosing a Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . 323
Burst-Size Limit Based on the Line Rate of the Interface . . . . . . . . . . . . 325
Burst-Size Limit Based on the MTU of Traffic on the Interface . . . . . . . 325
Supported Standards for Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326
Chapter 11 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . 327
Basic Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Single-Rate Two-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327
Example: Configuring a Single-Rate Two-Color Policer . . . . . . . . . . . . . . . . 328
Example: Configuring Interface and Firewall Filter Policers at the Same Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Bandwidth Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Bandwidth Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Guidelines for Configuring a Bandwidth Policer . . . . . . . . . . . . . . . . . . . 344
Guidelines for Applying a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . 344
Example: Configuring a Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . . 345
Filter-Specific Counters and Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Filter-Specific Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352
Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 353
Prefix-Specific Counting and Policing Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Prefix-Specific Counting and Policing Overview . . . . . . . . . . . . . . . . . . . . . . 359
Separate Counting and Policing for Each IPv4 Address Range . . . . . . . 359
Prefix-Specific Action Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Counter and Policer Set Size and Indexing . . . . . . . . . . . . . . . . . . . . . . . 361
Filter-Specific Counter and Policer Set Overview . . . . . . . . . . . . . . . . . . . . . 362
Example: Configuring Prefix-Specific Counting and Policing . . . . . . . . . . . . 362
Prefix-Specific Counting and Policing Configuration Scenarios . . . . . . . . . . 369
Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Scenario 1: Firewall Filter Term Matches on Multiple Addresses . . . . . . 370
Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Multifield Classification Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375
Multifield Classification and BA Classification . . . . . . . . . . . . . . . . . . . . 376
Multifield Classification Used In Conjunction with Policers . . . . . . . . . . 376
Multifield Classification Requirements and Restrictions . . . . . . . . . . . . . . . . 377
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 377
CoS Tricolor Marking Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Multifield Classification Limitations on M Series Routers . . . . . . . . . . . . . . . 378
Problem: Output-Filter Matching on Input-Filter Classification . . . . . . . 378
Workaround: Configure All Actions in the Ingress Filter . . . . . . . . . . . . . 379
Example: Configuring Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . 380
Example: Configuring and Applying a Firewall Filter for a Multifield Classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386
Policer Overhead to Account for Rate Shaping in the Traffic Manager . . . . . . . . 390
Policer Overhead to Account for Rate Shaping Overview . . . . . . . . . . . . . . . 390
Example: Configuring Policer Overhead to Account for Rate Shaping . . . . . 391
Chapter 12 Three-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Three-Color Policer Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Platforms Supported for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . 399
Color Modes for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Color-Blind Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Color-Aware Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Naming Conventions for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . 400
Basic Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Single-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Example: Configuring a Single-Rate Three-Color Policer . . . . . . . . . . . . . . . 402
Basic Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 407
Two-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Example: Configuring a Two-Rate Three-Color Policer . . . . . . . . . . . . . . . . 409
Chapter 13 Logical and Physical Interface Policer Configuration . . . . . . . . . . . . . . . . . . 415
Two-Color and Three-Color Logical Interface Policers . . . . . . . . . . . . . . . . . . . . . 415
Logical Interface (Aggregate) Policer Overview . . . . . . . . . . . . . . . . . . . . . . . 415
Example: Configuring a Two-Color Logical Interface (Aggregate) Policer . . 416
Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Two-Color and Three-Color Physical Interface Policers . . . . . . . . . . . . . . . . . . . . 427
Physical Interface Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427
Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 429
Chapter 14 Layer 2 Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Hierarchical Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Hierarchical Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437
Example: Configuring a Hierarchical Policer . . . . . . . . . . . . . . . . . . . . . . . . . 439
Two-Color and Three-Color Policers at Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Two-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444
Guidelines for Configuring Two-Color Policing of Layer 2 Traffic . . . . . 445
Statement Hierarchy for Configuring a Two-Color Policer for Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Statement Hierarchy for Applying a Two-Color Policer to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445
Three-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Guidelines for Configuring Three-Color Policing of Layer 2 Traffic . . . . 446
Statement Hierarchy for Configuring a Three-Color Policer for Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446
Statement Hierarchy for Applying a Three-Color Policer to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Chapter 15 Summary of Policer Configuration Statements . . . . . . . . . . . . . . . . . . . . . . 455
action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
aggregate (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
bandwidth-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
bandwidth-limit (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
bandwidth-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
bandwidth-percent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
burst-size-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
burst-size-limit (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
burst-size-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464
color-aware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466
color-blind . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
committed-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468
committed-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
excess-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
filter-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
forwarding-class (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
if-exceeding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
if-exceeding (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477
if-exceeding (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478
input-hierarchical-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
input-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
input-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
layer2-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
load-balance-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
logical-bandwidth-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 482
logical-interface-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483
loss-priority . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
loss-priority (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484
loss-priority high then discard (Three-Color Policer) . . . . . . . . . . . . . . . . . . 485
output-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 486
output-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
peak-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
peak-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490
physical-interface-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
physical-interface-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
policer (Applying to a Logical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493
policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494
policer (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495
prefix-action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
prefix-action (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
prefix-action (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 497
premium (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498
single-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499
three-color-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500
three-color-policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
three-color-policer (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . 502
List of Figures
Part 1 Stateless Firewall Filters
Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: Flows of Routing Information and Packets . . . . . . . . . . . . . . . . . . . . . . . . . 4
Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Figure 2: Typical Network with BGP Peer Sessions . . . . . . . . . . . . . . . . . . . . . . . . 138
Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . . 261
Figure 3: Logical System with a Stateless Firewall . . . . . . . . . . . . . . . . . . . . . . . . 279
Part 2 Traffic Policers
Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Figure 4: Network Traffic and Burst Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Figure 5: Incoming and Outgoing Policers and Firewall Filters . . . . . . . . . . . . . . . 305
List of Tables
About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxv
Part 1 Stateless Firewall Filters
Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Firewall Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Table 4: Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Table 5: Stateless Firewall Filter Configuration and Application Summary . . . . . . 12
Chapter 2 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Table 6: Standard Firewall Filter Match Conditions by Protocol Family . . . . . . . . . 24
Table 7: Standard Firewall Filter Action Categories . . . . . . . . . . . . . . . . . . . . . . . . . 25
Chapter 3 Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . . 31
Table 8: Binary and Bit-Field Match Conditions for Firewall Filters . . . . . . . . . . . . 33
Table 9: Bit-Field Match Conditions for Common Combinations . . . . . . . . . . . . . 34
Table 10: Bit-Field Logical Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Chapter 4 Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47
Table 11: Standard Firewall Filter Match Conditions for Protocol-Independent Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic . . . . . . . . . . . 48
Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic . . . . . . . . . . . 57
Table 14: Standard Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . 63
Table 15: IP Address-Specific Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table 16: IP Port-Specific Firewall Filter Match Conditions for MPLS Traffic . . . . 66
Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic . . . . . . . . . . . 67
Table 18: Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic . . . . . 74
Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Table 20: Terminating Actions for Standard Firewall Filters . . . . . . . . . . . . . . . . . . 81
Table 21: Nonterminating Actions for Standard Firewall Filters . . . . . . . . . . . . . . . 83
Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Table 22: Syslog Message Destinations for the Firewall Facility . . . . . . . . . . . . . . 219
Table 23: Packet-Header Logs for Stateless Firewall Filter Terms . . . . . . . . . . . . 222
Chapter 6 Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic . . . . . . . . . . . . 235
Table 25: Terminating Actions for Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . 241
Table 26: Nonterminating Actions for Service Filters . . . . . . . . . . . . . . . . . . . . . . 242
Chapter 7 Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Table 27: Simple Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . . 261
Table 28: Unsupported Firewall Statements for Logical Systems . . . . . . . . . . . . 274
Table 29: Unsupported Actions for Firewall Filters in Logical Systems . . . . . . . . 275
Part 2 Traffic Policers
Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
Table 30: Two-Color Policer Configuration and Application Overview . . . . . . . . 307
Table 31: Three-Color Policer Configuration and Application Overview . . . . . . . . 312
Table 32: Hierarchical Policer Configuration and Application Summary . . . . . . . 315
Table 33: Policer Bandwidth Limits and Burst-Size Limits . . . . . . . . . . . . . . . . . . 317
Table 34: Implicit and Configurable Policer Actions Based on Color Marking . . . 318
Table 35: Example Calculations of Policer Burst-Size Limit . . . . . . . . . . . . . . . . . 325
Chapter 11 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . 327
Table 36: Examples of Counter and Policer Set Size and Indexing . . . . . . . . . . . . 361
Table 37: Summary of Prefix-Specific Action Scenarios . . . . . . . . . . . . . . . . . . . 369
Chapter 12 Three-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Table 38: Recommended Naming Convention for Policers . . . . . . . . . . . . . . . . . 401
About This Guide
This preface provides the following guidelines for using the Junos® OS Firewall Filter and Policer Configuration Guide:
• Junos OS Documentation and Release Notes on page xxi
• Objectives on page xxii
• Audience on page xxii
• Supported Platforms on page xxii
• Using the Indexes on page xxiii
• Using the Examples in This Manual on page xxiii
• Documentation Conventions on page xxiv
• Documentation Feedback on page xxvi
• Requesting Technical Support on page xxvi
Junos OS Documentation and Release Notes
For a list of related Junos OS documentation, see
http://www.juniper.net/techpubs/software/junos/ .
If the information in the latest release notes differs from the information in the
documentation, follow the Junos OS Release Notes.
To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.
Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.
Objectives
This guide provides an overview of stateless firewall filters and traffic policers for the
Junos OS and describes how to configure firewall filters and policers on the router.
NOTE: For additional information about the Junos OS—either corrections to or information that might have been omitted from this guide—see the software release notes at http://www.juniper.net/.
Audience
This guide is designed for network administrators who are configuring and monitoring a
Juniper Networks M Series, MX Series, T Series, EX Series, or J Series router or switch.
To use this guide, you need a broad understanding of networks in general, the Internet
in particular, networking principles, and network configuration. You must also be familiar
with one or more of the following Internet routing protocols:
• Border Gateway Protocol (BGP)
• Distance Vector Multicast Routing Protocol (DVMRP)
• Intermediate System-to-Intermediate System (IS-IS)
• Internet Control Message Protocol (ICMP) router discovery
• Internet Group Management Protocol (IGMP)
• Multiprotocol Label Switching (MPLS)
• Open Shortest Path First (OSPF)
• Protocol-Independent Multicast (PIM)
• Resource Reservation Protocol (RSVP)
• Routing Information Protocol (RIP)
• Simple Network Management Protocol (SNMP)
Personnel operating the equipment must be trained and competent; must not conduct
themselves in a careless, willfully negligent, or hostile manner; and must abide by the
instructions provided by the documentation.
Supported Platforms
For the features described in this manual, the Junos OS currently supports the following
platforms:
• J Series
• M Series
• MX Series
• T Series
• EX Series
Using the Indexes
This reference contains two indexes: a complete index that includes topic entries, and
an index of statements and commands only.
In the index of statements and commands, an entry refers to a statement summary
section only. In the complete index, the entry for a configuration statement or command
contains at least two parts:
• The primary entry refers to the statement summary section.
• The secondary entry, usage guidelines, refers to the section in a configuration guidelines chapter that describes how to use the statement or command.
Using the Examples in This Manual
If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.
If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command.
If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.
Merging a Full Example
To merge a full example, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.
For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.
system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}
2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:
[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete
Merging a Snippet
To merge a snippet, follow these steps:
1. From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.
For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.
commit {
    file ex-script-snippet.xsl;
}
2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:
[edit]
user@host# edit system scripts
[edit system scripts]
3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:
[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete
For more information about the load command, see the Junos OS CLI User Guide.
Documentation Conventions
Table 1 on page xxv defines notice icons used in this guide.
Table 1: Notice Icons (the icon images themselves are not reproduced here)
Informational note: Indicates important features or instructions.
Caution: Indicates a situation that might result in loss of data or hardware damage.
Warning: Alerts you to the risk of personal injury or death.
Laser warning: Alerts you to the risk of personal injury from a laser.
Table 2 on page xxv defines the text and syntax conventions used in this guide.
Table 2: Text and Syntax Conventions
Convention: Bold text like this
Description: Represents text that you type.
Examples: To enter configuration mode, type the configure command:
    user@host> configure

Convention: Fixed-width text like this
Description: Represents output that appears on the terminal screen.
Examples:
    user@host> show chassis alarms
    No alarms currently active

Convention: Italic text like this
Description:
• Introduces important new terms.
• Identifies book names.
• Identifies RFC and Internet draft titles.
Examples:
• A policy term is a named structure that defines match conditions and actions.
• Junos OS System Basics Configuration Guide
• RFC 1997, BGP Communities Attribute

Convention: Italic text like this
Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
Examples: Configure the machine's domain name:
    [edit]
    root@# set system domain-name domain-name

Convention: Text like this
Description: Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components.
Examples:
• To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
• The console port is labeled CONSOLE.

Convention: < > (angle brackets)
Description: Enclose optional keywords or variables.
Examples: stub ;

Convention: | (pipe symbol)
Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
Examples:
    broadcast | multicast
    ( string1 | string2 | string3 )

Convention: # (pound sign)
Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
Examples:
    rsvp { # Required for dynamic MPLS only

Convention: [ ] (square brackets)
Description: Enclose a variable for which you can substitute one or more values.
Examples:
    community name members [ community-ids ]

Convention: Indention and braces ( { } )
Description: Identify a level in the configuration hierarchy.
Examples:
    [edit]
    routing-options {
        static {
            route default {
                nexthop address;
                retain;
            }
        }
    }

Convention: ; (semicolon)
Description: Identifies a leaf statement at a configuration hierarchy level.
Examples: nexthop address; and retain; in the preceding routing-options example.

J-Web GUI Conventions
Convention: Bold text like this
Description: Represents J-Web graphical user interface (GUI) items you click or select.
Examples:
• In the Logical Interfaces box, select All Interfaces.
• To cancel the configuration, click Cancel.

Convention: > (bold right angle bracket)
Description: Separates levels in a hierarchy of J-Web selections.
Examples: In the configuration editor hierarchy, select Protocols>Ospf.
Documentation Feedback
We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:
• Document or topic name
• URL or page number
• Software release version (if applicable)
Requesting Technical Support
Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.
• JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.
• Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.
• JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.
Self-Help Online Tools and Resources
For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:
• Find CSC offerings: http://www.juniper.net/customers/support/
• Find product documentation: http://www.juniper.net/techpubs/
• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/
• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/
• Search technical bulletins for relevant hardware and software notifications:
https://www.juniper.net/alerts/
• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/
• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/
To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/
Opening a Case with JTAC
You can open a case with JTAC on the Web or by telephone.
• Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .
• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).
For international or direct-dial options in countries without toll-free numbers, visit us at
http://www.juniper.net/support/requesting-support.html
PART 1
Stateless Firewall Filters
• Introduction to Stateless Firewall Filters on page 3
• Standard Firewall Filter Overview on page 19
• Standard Firewall Filter Match Conditions Overview on page 31
• Standard Firewall Filter Match Conditions and Actions on page 47
• Standard Firewall Filter Configuration on page 89
• Service Filter Configuration on page 227
• Simple Filter Configuration on page 249
• Stateless Firewall Filter Configuration in Logical Systems on page 261
• Summary of Stateless Firewall Filter Configuration Statements on page 283
CHAPTER 1
Introduction to Stateless Firewall Filters
• Router Data Flow Overview on page 3
• Stateless Firewall Filter Overview on page 5
• Stateless Firewall Filter Types on page 6
• Stateless Firewall Filter Components on page 7
• Stateless Firewall Filter Application Points on page 12
•