Config Guide Firewall Policer

Date post: 04-Jun-2018
  • 8/13/2019 Config Guide Firewall Policer

    1/547

    Junos® OS

    Firewall Filter and Policer Configuration Guide

    Release

    11.4

    Published: 2011-11-08

    Copyright © 2011, Juniper Networks, Inc.

    Juniper Networks, Inc.
    1194 North Mathilda Avenue
    Sunnyvale, California 94089
    USA
    408-745-2000
    www.juniper.net

    This product includes the Envoy SNMP Engine, developed by Epilogue Technology, an Integrated Systems Company. Copyright © 1986-1997, Epilogue Technology Corporation. All rights reserved. This program and its documentation were developed at private expense, and no part of them is in the public domain.

    This product includes memory allocation software developed by Mark Moraes, copyright © 1988, 1989, 1993, University of Toronto.

    This product includes FreeBSD software developed by the University of California, Berkeley, and its contributors. All of the documentation and software included in the 4.4BSD and 4.4BSD-Lite Releases is copyrighted by the Regents of the University of California. Copyright © 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994. The Regents of the University of California. All rights reserved.

    GateD software copyright © 1995, the Regents of the University. All rights reserved. Gate Daemon was originated and developed through release 3.0 by Cornell University and its collaborators. Gated is based on Kirton’s EGP, UC Berkeley’s routing daemon (routed), and DCN’s HELLO routing protocol. Development of Gated has been supported in part by the National Science Foundation. Portions of the GateD software copyright © 1988, Regents of the University of California. All rights reserved. Portions of the GateD software copyright © 1991, D. L. S. Associates.

    This product includes software developed by Maker Communications, Inc., copyright © 1996, 1997, Maker Communications, Inc.

    Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

    Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    Products made or sold by Juniper Networks or components thereof might be covered by one or more of the following patents that are owned by or licensed to Juniper Networks: U.S. Patent Nos. 5,473,599, 5,905,725, 5,909,440, 6,192,051, 6,333,650, 6,359,479, 6,406,312, 6,429,706, 6,459,579, 6,493,347, 6,538,518, 6,538,899, 6,552,918, 6,567,902, 6,578,186, and 6,590,785.

    Junos® OS Firewall Filter and Policer Configuration Guide 11.4

    Copyright © 2011, Juniper Networks, Inc.

    All rights reserved.

    Revision History

    October 2011—R1 Junos OS 11.4

    The information in this document is current as of the date listed in the revision history.

    YEAR 2000 NOTICE

    Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.

    END USER LICENSE AGREEMENT

    The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.


    Abbreviated Table of Contents

    About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxi

    Part 1 Stateless Firewall Filters

    Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3

    Chapter 2 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  19

    Chapter 3 Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . .  31

    Chapter 4 Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47

    Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  89

    Chapter 6 Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  227

    Chapter 7 Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  249

    Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . .  261

    Chapter 9 Summary of Stateless Firewall Filter Configuration Statements . . . . . . . 283

    Part 2 Traffic Policers

    Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

    Chapter 11 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . .  327

    Chapter 12 Three-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  399

    Chapter 13 Logical and Physical Interface Policer Configuration . . . . . . . . . . . . . . . . . .  415

    Chapter 14 Layer 2 Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  437

    Chapter 15 Summary of Policer Configuration Statements . . . . . . . . . . . . . . . . . . . . . . 455

    Part 3 Index

    Index   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

    Index of Statements and Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  519


    Table of Contents

    About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxi

    Junos OS Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxi

    Objectives   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxii

    Audience   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxii

    Supported Platforms   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxii

    Using the Indexes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

    Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxiii

    Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxiii

    Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxiv

    Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxiv

    Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi

    Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxvi

    Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxvii

    Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxvii

    Part 1 Stateless Firewall Filters

    Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3

    Router Data Flow Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

    Flow of Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3

    Flow of Data Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  4

    Flow of Local Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

    Interdependent Flows of Routing Information and Packets . . . . . . . . . . . . . . .  4

    Stateless Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5

    Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5

    Data Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5

    Local Packet Flow Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

    Stateless and Stateful Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  5

    Purpose of Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6

    Stateless Firewall Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6

    Standard Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  6

    Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7

    Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

    Stateless Firewall Filter Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

    Protocol Family . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  7

    Filter Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

    Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

    Match Conditions   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  10

    Actions   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

    Filter-Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

    Nonterminating Actions  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  11


    Flow Control Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  11

    Stateless Firewall Filter Application Points . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  12

    Supported Standards for Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  14

    Using the CLI Editor in Configuration Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

    Chapter 2 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  19

    Standard Stateless Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

    How Standard Firewall Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . .  20

    Firewall Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . .  20

    Firewall Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . . .  20

    Firewall Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . . .  21

    Firewall Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . . 21

    Firewall Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  21

    Guidelines for Configuring Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . 21

    Statement Hierarchy for Configuring Standard Firewall Filters . . . . . . . . . . . .  22

    Standard Firewall Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . .  22

    Standard Firewall Filter Names and Options . . . . . . . . . . . . . . . . . . . . . . . . . . 23

    Standard Firewall Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

    Standard Firewall Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . .  24

    Standard Firewall Filter Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  25

    Guidelines for Applying Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . .  26

    Applying Standard Firewall Filters Overview . . . . . . . . . . . . . . . . . . . . . . . . . .  26

    Applying a Firewall Filter to a Router’s Physical Interfaces . . . . . . . . . . .  26

    Applying a Firewall Filter to the Router’s Loopback Interface . . . . . . . . . 26

    Applying a Firewall Filter to Multiple Interfaces . . . . . . . . . . . . . . . . . . . .  27

    Statement Hierarchy for Applying Standard Firewall Filters . . . . . . . . . . . . . .  27

    Restrictions on Applying Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . 27

    Number of Input and Output Filters Per Logical Interface . . . . . . . . . . . .  28

    MPLS and Layer 2 CCC Firewall Filters in Lists . . . . . . . . . . . . . . . . . . . . .  28

    Layer 2 CCC Firewall Filters on MX Series Routers . . . . . . . . . . . . . . . . . . 28

    Protocol-Independent Firewall Filters on the Loopback Interface . . . . .  28

    Understanding How to Use Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . .  29

    Using Standard Firewall Filters to Affect Local Packets . . . . . . . . . . . . . . . . .  29

    Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  29

    Flood Prevention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  29

    Using Standard Firewall Filters to Affect Data Packets  . . . . . . . . . . . . . . . . .  30

    Chapter 3 Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . .  31

    Firewall Filter Match Conditions Based on Numbers or Text Aliases . . . . . . . . . . .  31

    Matching on a Single Numeric Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  31

    Matching on a Range of Numeric Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  31

    Matching on a Text Alias for a Numeric Value . . . . . . . . . . . . . . . . . . . . . . . . .  32

    Matching on a List of Numeric Values or Text Aliases . . . . . . . . . . . . . . . . . . .  32

    Firewall Filter Match Conditions Based on Bit-Field Values . . . . . . . . . . . . . . . . . . 32

    Match Conditions for Bit-Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  32

    Match Conditions for Common Bit-Field Values or Combinations . . . . . . . . . 33

    Logical Operators for Bit-Field Values . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  34

    Matching on a Single Bit-Field Value or Text Alias . . . . . . . . . . . . . . . . . . . . . . 35

    Matching on Multiple Bit-Field Values or Text Aliases . . . . . . . . . . . . . . . . . . .  35

    Matching on a Negated Bit-Field Value . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36


    Matching on the Logical OR of Two Bit-Field Values . . . . . . . . . . . . . . . . . . .  36

    Matching on the Logical AND of Two Bit-Field Values . . . . . . . . . . . . . . . . . .  36

    Grouping Bit-Field Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36

    Firewall Filter Match Conditions Based on Address Fields . . . . . . . . . . . . . . . . . . .  37

    Implied Match on the ’0/0 except’ Address for Firewall Filter Match Conditions Based on Address Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  37

    Matching an Address Field to a Subnet Mask or Prefix . . . . . . . . . . . . . . . . . .  37

    IPv4 Subnet Mask Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  37

    Prefix Notation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  37

    Default Prefix Length for IPv4 Addresses . . . . . . . . . . . . . . . . . . . . . . . . .  38

    Default Prefix Length for IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . . . . .  38

    Default Prefix Length for MAC Addresses . . . . . . . . . . . . . . . . . . . . . . . . .  38

    Matching an Address Field to an Excluded Value . . . . . . . . . . . . . . . . . . . . . .  38

    Excluding IP Addresses in IPv4 or IPv6 Traffic . . . . . . . . . . . . . . . . . . . . .  38

    Excluding IP Addresses in VPLS or Layer 2 Bridging Traffic . . . . . . . . . . . 39

    Excluding MAC Addresses in VPLS or Layer 2 Bridging Traffic . . . . . . . . .  40

    Excluding All Addresses Requires an Explicit Match on the ’0/0’ Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  40

    Matching Either IP Address Field to a Single Value . . . . . . . . . . . . . . . . . . . . .  42

    Matching Either IP Address Field in IPv4 or IPv6 Traffic . . . . . . . . . . . . . .  42

    Matching Either IP Address Field in VPLS or Layer 2 Bridging Traffic . . . .  42

    Matching an Address Field to Noncontiguous Prefixes . . . . . . . . . . . . . . . . . .  42

    Matching an Address Field to a Prefix List . . . . . . . . . . . . . . . . . . . . . . . . . . . .  44

    Firewall Filter Match Conditions Based on Address Classes . . . . . . . . . . . . . . . . .  45

    Source-Class Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  45

    Destination-Class Usage  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  45

    Guidelines for Applying SCU or DCU Firewall Filters to Output Interfaces . . . 45

    Chapter 4 Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47

    Standard Firewall Filter Match Conditions for Protocol-Independent Traffic . . . .  47

    Standard Firewall Filter Match Conditions for IPv4 Traffic . . . . . . . . . . . . . . . . . . .  48

    Standard Firewall Filter Match Conditions for IPv6 Traffic . . . . . . . . . . . . . . . . . . .  57

    Standard Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . .  62

    Standard Firewall Filter Match Conditions for MPLS-Tagged IPv4 Traffic . . . . . .  64

    Matching on IPv4 Packet Header Address or Port Fields in MPLS Flows . . . .  64

    IP Address Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . .  65

    IP Port Match Conditions for MPLS Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .  65

    Standard Firewall Filter Match Conditions for VPLS Traffic . . . . . . . . . . . . . . . . . .  66

    Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic  . . . . . . . . . . . . .  73

    Standard Firewall Filter Match Conditions for Layer 2 Bridging Traffic . . . . . . . . . 75

    Standard Firewall Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

    Standard Firewall Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . .  82

    Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  89

    Standard Firewall Filters That Match Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . .  89

    Example: Configuring a Filter to Match on IPv6 Flags . . . . . . . . . . . . . . . . . . .  89

    Example: Configuring a Filter to Match on Port and Protocol Fields . . . . . . . .  91

    Example: Configuring a Filter to Match on Two Unrelated Criteria . . . . . . . . .  94


    Example: Configuring a Filter to Limit TCP Access to a Port Based On a Prefix List  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  97

    Standard Firewall Filters That Count Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . .  100

    Example: Configuring a Filter to Count Accepted and Rejected Packets . . . 100

    Example: Configuring a Filter to Count and Discard IP Options Packets . . . . 103

    Example: Configuring a Filter to Count IP Options Packets . . . . . . . . . . . . . .  106

    Standard Firewall Filters That Act on Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111

    Example: Configuring a Filter to Set the DSCP Bit to Zero . . . . . . . . . . . . . . . . 111

    Example: Configuring a Filter to Count and Sample Accepted Packets . . . . . 114

    Standard Firewall Filters for Trusted Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

    Example: Configuring a Stateless Firewall Filter to Accept Traffic from Trusted Sources  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

    Example: Configuring a Filter to Block Telnet and SSH Access . . . . . . . . . . .  123

    Example: Configuring a Filter to Block TFTP Access  . . . . . . . . . . . . . . . . . . .  129

    Example: Configuring a Filter to Accept OSPF Packets from a Prefix . . . . . .  132

    Example: Configuring a Filter to Accept DHCP Packets Based on Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  134

    Example: Configuring a Filter to Block TCP Access to a Port Except from Specified BGP Peers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  137

    Standard Firewall Filters That Prevent IP Packet Flooding . . . . . . . . . . . . . . . . . . 143

    Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143

    Example: Configuring a Filter to Accept Packets Based on IPv6 TCP Flags   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  149

    Standard Firewall Filters That Handle Fragmented Packets . . . . . . . . . . . . . . . . .  152

    Firewall Filters That Handle Fragmented Packets Overview . . . . . . . . . . . . .  152

    Example: Configuring a Stateless Firewall Filter to Handle Fragments . . . . .  152

    Standard Firewall Filters That Set Rate Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . .  157

    Stateless Firewall Filters That Reference Policers Overview . . . . . . . . . . . . .  157

    Example: Configuring a Rate-Limiting Filter Based on Destination Class . . . 158

    Multiple Standard Firewall Filters Applied as a List . . . . . . . . . . . . . . . . . . . . . . . . 161

    Multiple Standard Firewall Filters Applied as a List Overview . . . . . . . . . . . .  161

    The Challenge: Simplify Large-Scale Firewall Filter Administration . . . .  161

    A Solution: Apply Lists of Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . .  162

    Configuration of Multiple Filters for Filter Lists . . . . . . . . . . . . . . . . . . . .  162

    Application of Filter Lists to a Router Interface . . . . . . . . . . . . . . . . . . . .  162

    Interface-Specific Names for Filter Lists . . . . . . . . . . . . . . . . . . . . . . . . .  163

    How Filter Lists Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  163

    Guidelines for Applying Multiple Standard Firewall Filters as a List . . . . . . .  164

    Statement Hierarchy for Applying Lists of Multiple Firewall Filters . . . .  164

    Filter Input Lists and Output Lists for Router Interfaces . . . . . . . . . . . . .  164

    Types of Filters Supported in Lists . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164

    Restrictions on Applying Filter Lists for MPLS or Layer 2 CCC Traffic . . . 165

    Example: Applying Lists of Multiple Standard Firewall Filters . . . . . . . . . . . .  165

    Multiple Standard Firewall Filters in a Nested Configuration . . . . . . . . . . . . . . . .  170

    Multiple Standard Firewall Filters in a Nested Configuration Overview . . . . . 170

    The Challenge: Simplify Large-Scale Firewall Filter Administration . . . 170

    A Solution: Configure Nested References to Firewall Filters . . . . . . . . . . 171

    Configuration of Nested Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . .  171


    Application of Nested Firewall Filters to a Router Interface . . . . . . . . . . .  171

    Guidelines for Nesting References to Multiple Standard Firewall Filters . . . . 172

    Statement Hierarchy for Configuring Nested Firewall Filters . . . . . . . . . 172

    Filter-Defining Terms and Filter-Referencing Terms . . . . . . . . . . . . . . . . 172

    Types of Filters Supported in Nested Configurations . . . . . . . . . . . . . . . 173

    Number of Filter References in a Single Filter . . . . . . . . . . . . . . . . . . . . .  173

    Depth of Filter Nesting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  173

    Example: Nesting References to Multiple Standard Firewall Filters . . . . . . . . 173

    Interface-Specific Firewall Filter Instances . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  177

    Interface-Specific Firewall Filter Instances Overview . . . . . . . . . . . . . . . . . . .  177

    Instantiation of Interface-Specific Firewall Filters . . . . . . . . . . . . . . . . . . 177

    Interface-Specific Names for Firewall Filter Instances . . . . . . . . . . . . . .  178

    Interface-Specific Firewall Filter Counters . . . . . . . . . . . . . . . . . . . . . . .  178

    Interface-Specific Firewall Filter Policers  . . . . . . . . . . . . . . . . . . . . . . . .  179

    Statement Hierarchy for Configuring Interface-Specific Firewall Filters . . . .  179

    Statement Hierarchy for Applying Interface-Specific Firewall Filters . . . . . .  180

    Example: Configuring Interface-Specific Firewall Filter Counters . . . . . . . . .  180

    Filtering Packets Received on a Set of Interface Groups . . . . . . . . . . . . . . . . . . . .  185

    Filtering Packets Received on a Set of Interface Groups Overview . . . . . . . .  185

    Statement Hierarchy for Assigning Interfaces to Interface Groups . . . . . . . .  185

    Statement Hierarchy for Configuring a Filter to Match on a Set of Interface Groups   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

    Statement Hierarchy for Applying Filters to an Interface Group . . . . . . . . . . 187

    Example: Filtering Packets Received on an Interface Group . . . . . . . . . . . . .  188

    Filtering Packets Received on an Interface Set . . . . . . . . . . . . . . . . . . . . . . . . . . .  192

    Filtering Packets Received on an Interface Set Overview . . . . . . . . . . . . . . . 192

    Statement Hierarchy for Defining an Interface Set  . . . . . . . . . . . . . . . . . . . .  192

    Statement Hierarchy for Configuring a Filter to Match on an Interface Set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  193

    Example: Filtering Packets Received on an Interface Set  . . . . . . . . . . . . . . .  193

    Filter-Based Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

    Filter-Based Forwarding Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  199

    Filters That Classify Packets or Direct Them to Routing Instances . . . . 199

    Input Filtering to Classify and Forward Packets Within the Router . . . . 200

    Output Filtering to Forward Packets to Another Routing Table . . . . . .  200

    Restrictions for Applying Filter-Based Forwarding . . . . . . . . . . . . . . . .  200

    Statement Hierarchy for Configuring FBF for IPv4 or IPv6 Traffic . . . . . . . . .  201

    Statement Hierarchy for Configuring FBF for MPLS-Tagged IPv4 Traffic . . . 201

    Matching on IPv4 Address Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  202

    Matching on TCP Port Number Fields . . . . . . . . . . . . . . . . . . . . . . . . . . .  202

    Matching on UDP Port Number Fields . . . . . . . . . . . . . . . . . . . . . . . . . .  203

    Statement Hierarchy for Configuring Routing Instances for FBF . . . . . . . . . 204

    Statement Hierarchy for Applying FBF Filters to Interfaces . . . . . . . . . . . . .  205

    Example: Configuring Filter-Based Forwarding on the Source Address . . . .  206

    Accounting for Standard Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  211

    Accounting for Standard Firewall Filters Overview . . . . . . . . . . . . . . . . . . . . .  211

    Statement Hierarchy for Configuring Firewall Filter Accounting Profiles . . . . 211

    Statement Hierarchy for Applying Firewall Filter Accounting Profiles . . . . . .  212

    Example: Configuring Statistics Collection for a Standard Firewall Filter . . . 213


    Logging of Stateless Firewall Filter Activity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  218

    System Logging Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  218

    System Logging of Events Generated for the Firewall Facility . . . . . . . . . . . .  219

    Logging of Packet Headers Evaluated by a Firewall Filter Term . . . . . . . . . . .  221

    Example: Configuring Logging for a Stateless Firewall Filter Term . . . . . . . .  222

    Chapter 6 Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  227

    Service Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  227

    Services   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  227

    Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  227

    Service Rule Refinement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

    Service Filter Counters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

    How Service Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  228

    Service Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . .  229

    Service Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . .  229

    Service Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . .  229

    Service Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . 229

    Service Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  229

    Guidelines for Configuring Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  230

    Statement Hierarchy for Configuring Service Filters . . . . . . . . . . . . . . . . . . .  230

    Service Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

    Service Filter Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  230

    Service Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  231

    Service Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  231

    Service Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  231

    Guidelines for Applying Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  232

    Restrictions for Adaptive Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . .  232

    Adaptive Services Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  232

    System Logging to a Remote Host from M Series Routers . . . . . . . . . . .  232

    Statement Hierarchy for Applying Service Filters . . . . . . . . . . . . . . . . . . . . . 232

    Associating Service Rules with Adaptive Services Interfaces . . . . . . . . . . . .  233

    Filtering Traffic Before Accepting Packets for Service Processing . . . . . . . .  233

    Postservice Filtering of Returning Service Traffic . . . . . . . . . . . . . . . . . . . . . . 234

    Service Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235

    Service Filter Match Conditions for IPv4 or IPv6 Traffic . . . . . . . . . . . . . . . . .  235

    Service Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  241

    Service Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  241

    Example: Configuring and Applying Service Filters . . . . . . . . . . . . . . . . . . . . . . . .  242

    Chapter 7 Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  249

    Simple Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  249

    How Simple Filters Evaluate Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  249

    Simple Filters That Contain a Single Term . . . . . . . . . . . . . . . . . . . . . . . . . . .  249

    Simple Filters That Contain Multiple Terms . . . . . . . . . . . . . . . . . . . . . . . . .  250

    Simple Filter Terms That Do Not Contain Any Match Conditions . . . . . . . . .  250

    Simple Filter Terms That Do Not Contain Any Actions . . . . . . . . . . . . . . . . . 250

    Simple Filter Default Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

    Guidelines for Configuring Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  251

    Statement Hierarchy for Configuring Simple Filters . . . . . . . . . . . . . . . . . . . .  251

    Simple Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

    Junos OS 11.4 Firewall Filter and Policer Configuration Guide

    Simple Filter Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  251

    Simple Filter Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  252

    Simple Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  252

    Simple Filter Terminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  253

    Simple Filter Nonterminating Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  253

    Guidelines for Applying Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  254

    Statement Hierarchy for Applying Simple Filters . . . . . . . . . . . . . . . . . . . . . . 254

    Restrictions for Applying Simple Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  254

    Example: Configuring and Applying a Simple Filter . . . . . . . . . . . . . . . . . . . . . . .  255

    Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . .  261

    Stateless Firewall Filters in Logical Systems Overview . . . . . . . . . . . . . . . . . . . . .  261

    Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  261

    Stateless Firewall Filters in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . .  261

    Identifiers for Firewall Objects in Logical Systems . . . . . . . . . . . . . . . . . . . .  262

    Guidelines for Configuring and Applying Firewall Filters in Logical Systems . . . .  262

    Statement Hierarchy for Configuring Firewall Filters in Logical Systems . . . 262

    Filter Types in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263

    Firewall Filter Protocol Families in Logical Systems . . . . . . . . . . . . . . . . . . .  263

    Firewall Filter Match Conditions in Logical Systems . . . . . . . . . . . . . . . . . . .  264

    Firewall Filter Actions in Logical Systems . . . . . . . . . . . . . . . . . . . . . . . . . . .  264

    Statement Hierarchy for Applying Firewall Filters in Logical Systems . . . . .  264

    References from a Firewall Filter in a Logical System to Subordinate Objects . . 265

    Resolution of References from a Firewall Filter to Subordinate Objects . . . 265

    Valid Reference from a Firewall Filter to a Subordinate Object . . . . . . . . . .  265

    References from a Firewall Filter in a Logical System to Nonfirewall Objects . . 266

    Resolution of References from a Firewall Filter to Nonfirewall Objects . . . . 266

    Valid Reference to a Nonfirewall Object Outside of the Logical System . . . 267

    References from a Nonfirewall Object in a Logical System to a Firewall Filter . . 268

    Resolution of References from a Nonfirewall Object to a Firewall Filter . . . 269

    Invalid Reference to a Firewall Filter Outside of the Logical System . . . . . .  269

    Valid Reference to a Firewall Filter Within the Logical System . . . . . . . . . . .  270

    Valid Reference to a Firewall Filter Outside of the Logical System . . . . . . . .  272

    Restrictions for Stateless Firewall Filters in Logical Systems . . . . . . . . . . . . . . . .  273

    Unsupported Firewall Filter Statements for Logical Systems . . . . . . . . . . . .  273

    Unsupported Actions for Firewall Filters in Logical Systems . . . . . . . . . . . . .  275

    Example: Configuring a Stateless Firewall Filter to Protect a Logical System Against ICMP Floods . . . . . . . . . . . . . . . . . . . . 279

    Chapter 9 Summary of Stateless Firewall Filter Configuration Statements . . . . . . . 283

    accounting-profile  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  283

    enhanced-mode   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

    family   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285

    filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  287

    filter (Applying to a Logical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287

    filter (Configuring)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

    firewall   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289

    interface-set . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  289

    interface-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290

    service-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  290

    simple-filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  291

    term   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

    Part 2 Traffic Policers

    Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

    Traffic Policing Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  297

    Congestion Management for IP Traffic Flows . . . . . . . . . . . . . . . . . . . . . . . .  297

    Traffic Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298

    Traffic Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  299

    Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  300

    Policer Application to Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

    Traffic Policer Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  301

    Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301

    Basic Single-Rate Two-Color Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . .  301

    Bandwidth Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  302

    Logical Bandwidth Policer  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  302

    Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

    Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  302

    Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  302

    Hierarchical Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303

    Two-Color and Three-Color Policer Options . . . . . . . . . . . . . . . . . . . . . . . . . 303

    Logical Interface (Aggregate) Policers . . . . . . . . . . . . . . . . . . . . . . . . . .  303

    Physical Interface Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  303

    Policers Applied to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

    Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304

    Order of Policer and Firewall Filter Operations . . . . . . . . . . . . . . . . . . . . . . . . . . .  304

    Introduction to Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  305

    Statement Hierarchy for Configuring Policers . . . . . . . . . . . . . . . . . . . . . . . . 305

    Two-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . .  307

    Three-Color Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . .  311

    Hierarchical Policer Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . .  314

    Guidelines for Applying Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  316

    Introduction to Policer Rate Limits and Actions . . . . . . . . . . . . . . . . . . . . . . . . . .  316

    Policer Bandwidth and Burst-Size Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . .  316

    Policer Color-Marking and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  318

    Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  319

    Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  320

    Single Token Bucket Algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  320

    Conformance Measurement for Two-Color Marking . . . . . . . . . . . . . . . .  321

    Dual Token Bucket Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  321

    Token Bucket Concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  322

    Guaranteed Bandwidth for Three-Color Marking . . . . . . . . . . . . . . . . . .  322

    Nonconformance Measurement for Single-Rate Three-Color Marking . . . . . . . . . . . . . . . . . . . . . . . . . . 322

    Nonconformance Measurement for Two-Rate Three-Color Marking . . 323

    Calculation of Policer Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  323

    Guidelines for Choosing a Burst-Size Limit . . . . . . . . . . . . . . . . . . . . . . . 323

    Burst-Size Limit Based on the Line Rate of the Interface . . . . . . . . . . . .  325

    Burst-Size Limit Based on the MTU of Traffic on the Interface . . . . . . .  325

    Supported Standards for Policing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

    Chapter 11 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . .  327

    Basic Single-Rate Two-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  327

    Single-Rate Two-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .  327

    Example: Configuring a Single-Rate Two-Color Policer . . . . . . . . . . . . . . . . 328

    Example: Configuring Interface and Firewall Filter Policers at the Same Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  334

    Bandwidth Policers  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  343

    Bandwidth Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  344

    Guidelines for Configuring a Bandwidth Policer . . . . . . . . . . . . . . . . . . .  344

    Guidelines for Applying a Bandwidth Policer . . . . . . . . . . . . . . . . . . . . .  344

    Example: Configuring a Logical Bandwidth Policer . . . . . . . . . . . . . . . . . . . .  345

    Filter-Specific Counters and Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

    Filter-Specific Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

    Example: Configuring a Stateless Firewall Filter to Protect Against TCP and ICMP Floods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  353

    Prefix-Specific Counting and Policing Actions . . . . . . . . . . . . . . . . . . . . . . . . . . .  359

    Prefix-Specific Counting and Policing Overview . . . . . . . . . . . . . . . . . . . . . .  359

    Separate Counting and Policing for Each IPv4 Address Range . . . . . . .  359

    Prefix-Specific Action Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .  360

    Counter and Policer Set Size and Indexing . . . . . . . . . . . . . . . . . . . . . . . 361

    Filter-Specific Counter and Policer Set Overview . . . . . . . . . . . . . . . . . . . . .  362

    Example: Configuring Prefix-Specific Counting and Policing . . . . . . . . . . . .  362

    Prefix-Specific Counting and Policing Configuration Scenarios . . . . . . . . . .  369

    Prefix Length of the Action and Prefix Length of Addresses in Filtered Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  369

    Scenario 1: Firewall Filter Term Matches on Multiple Addresses . . . . . .  370

    Scenario 2: Subnet Prefix Is Longer Than the Prefix in the Filter Match Condition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  372

    Scenario 3: Subnet Prefix Is Shorter Than the Prefix in the Firewall Filter Match Condition . . . . . . . . . . . . . . . . . . . . . . . . . 373

    Multifield Classification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

    Multifield Classification Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

    Forwarding Classes and PLP Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . .  375

    Multifield Classification and BA Classification . . . . . . . . . . . . . . . . . . . .  376

    Multifield Classification Used In Conjunction with Policers . . . . . . . . . . 376

    Multifield Classification Requirements and Restrictions . . . . . . . . . . . . . . . . 377

    Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  377

    CoS Tricolor Marking Requirement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

    Restrictions   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

    Multifield Classification Limitations on M Series Routers . . . . . . . . . . . . . . .  378

    Problem: Output-Filter Matching on Input-Filter Classification . . . . . . .  378

    Workaround: Configure All Actions in the Ingress Filter . . . . . . . . . . . . .  379

    Example: Configuring Multifield Classification . . . . . . . . . . . . . . . . . . . . . . .  380

    Example: Configuring and Applying a Firewall Filter for a Multifield Classifier . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 386

    Policer Overhead to Account for Rate Shaping in the Traffic Manager . . . . . . . .  390

    Policer Overhead to Account for Rate Shaping Overview . . . . . . . . . . . . . . . 390

    Example: Configuring Policer Overhead to Account for Rate Shaping . . . . .  391

    Chapter 12 Three-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  399

    Three-Color Policer Configuration Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . .  399

    Platforms Supported for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . .  399

    Color Modes for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

    Color-Blind Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  400

    Color-Aware Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  400

    Naming Conventions for Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . 400

    Basic Single-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  401

    Single-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  401

    Example: Configuring a Single-Rate Three-Color Policer . . . . . . . . . . . . . . .  402

    Basic Two-Rate Three-Color Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  407

    Two-Rate Three-Color Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .  408

    Example: Configuring a Two-Rate Three-Color Policer . . . . . . . . . . . . . . . . 409

    Chapter 13 Logical and Physical Interface Policer Configuration . . . . . . . . . . . . . . . . . .  415

    Two-Color and Three-Color Logical Interface Policers . . . . . . . . . . . . . . . . . . . . .  415

    Logical Interface (Aggregate) Policer Overview . . . . . . . . . . . . . . . . . . . . . . .  415

    Example: Configuring a Two-Color Logical Interface (Aggregate) Policer . . 416

    Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

    Two-Color and Three-Color Physical Interface Policers . . . . . . . . . . . . . . . . . . . .  427

    Physical Interface Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  427

    Example: Configuring a Physical Interface Policer for Aggregate Traffic at a Physical Interface . . . . . . . . . . . . . . . . . . . . . . . .  429

    Chapter 14 Layer 2 Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  437

    Hierarchical Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  437

    Hierarchical Policer Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 437

    Example: Configuring a Hierarchical Policer . . . . . . . . . . . . . . . . . . . . . . . . .  439

    Two-Color and Three-Color Policers at Layer 2 . . . . . . . . . . . . . . . . . . . . . . . . . .  444

    Two-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . .  444

    Guidelines for Configuring Two-Color Policing of Layer 2 Traffic . . . . .  445

    Statement Hierarchy for Configuring a Two-Color Policer for Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . 445

    Statement Hierarchy for Applying a Two-Color Policer to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

    Three-Color Policing at Layer 2 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . .  446

    Guidelines for Configuring Three-Color Policing of Layer 2 Traffic . . . . 446

    Statement Hierarchy for Configuring a Three-Color Policer for Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . .  446

    Statement Hierarchy for Applying a Three-Color Policer to Layer 2 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . 447

    Example: Configuring a Three-Color Logical Interface (Aggregate) Policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447

    Chapter 15 Summary of Policer Configuration Statements . . . . . . . . . . . . . . . . . . . . . . 455

    action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456

    aggregate (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  457

    bandwidth-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

    bandwidth-limit (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

    bandwidth-limit (Policer)  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  459

    bandwidth-percent   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

    burst-size-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

    burst-size-limit (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463

    burst-size-limit (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

    color-aware   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  466

    color-blind   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

    committed-burst-size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

    committed-information-rate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  470

    excess-burst-size  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472

    filter-specific . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  473

    forwarding-class (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  474

    hierarchical-policer   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

    if-exceeding   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

    if-exceeding (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  477

    if-exceeding (Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

    input-hierarchical-policer   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479

    input-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  479

    input-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480

    layer2-policer   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 481

    load-balance-group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  482

    logical-bandwidth-policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  482

    logical-interface-policer  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

    loss-priority   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

    loss-priority (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 484

    loss-priority high then discard (Three-Color Policer) . . . . . . . . . . . . . . . . . .  485

    output-policer   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  486

    output-three-color . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  487

    peak-burst-size  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

    peak-information-rate  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 490

    physical-interface-filter  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491

    physical-interface-policer  . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  492

    policer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 493

    policer (Applying to a Logical Interface) . . . . . . . . . . . . . . . . . . . . . . . . . . . .  493

    policer (Configuring)   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  494

    policer (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 495

    prefix-action   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496

    prefix-action (Configuring)   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  496

    prefix-action (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  497

    premium (Hierarchical Policer) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

    single-rate   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 499

    three-color-policer   . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 500

    three-color-policer (Configuring) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  501

    three-color-policer (Firewall Filter Action) . . . . . . . . . . . . . . . . . . . . . . . . . .  502

    List of Figures

    Part 1 Stateless Firewall Filters

    Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3

    Figure 1: Flows of Routing Information and Packets . . . . . . . . . . . . . . . . . . . . . . . . .  4

    Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  89

    Figure 2: Typical Network with BGP Peer Sessions . . . . . . . . . . . . . . . . . . . . . . . . 138

    Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . .  261

    Figure 3: Logical System with a Stateless Firewall . . . . . . . . . . . . . . . . . . . . . . . . 279

    Part 2 Traffic Policers

    Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

    Figure 4: Network Traffic and Burst Rates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  298

    Figure 5: Incoming and Outgoing Policers and Firewall Filters . . . . . . . . . . . . . . . 305

    List of Tables

    About This Guide . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxi

    Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxv

    Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  xxv

    Part 1 Stateless Firewall Filters

    Chapter 1 Introduction to Stateless Firewall Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  3

    Table 3: Firewall Filter Protocol Families . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  8

    Table 4: Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

    Table 5: Stateless Firewall Filter Configuration and Application Summary . . . . . .  12

    Chapter 2 Standard Firewall Filter Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  19

    Table 6: Standard Firewall Filter Match Conditions by Protocol Family . . . . . . . . . 24

    Table 7: Standard Firewall Filter Action Categories . . . . . . . . . . . . . . . . . . . . . . . . .  25

    Chapter 3 Standard Firewall Filter Match Conditions Overview . . . . . . . . . . . . . . . . . . .  31

    Table 8: Binary and Bit-Field Match Conditions for Firewall Filters . . . . . . . . . . . .  33

    Table 9: Bit-Field Match Conditions for Common Combinations . . . . . . . . . . . . .  34

    Table 10: Bit-Field Logical Operators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34

    Chapter 4 Standard Firewall Filter Match Conditions and Actions . . . . . . . . . . . . . . . . . 47

    Table 11: Standard Firewall Filter Match Conditions for Protocol-Independent Traffic . . . . . . . . . .  48

    Table 12: Standard Firewall Filter Match Conditions for IPv4 Traffic . . . . . . . . . . .  48

    Table 13: Standard Firewall Filter Match Conditions for IPv6 Traffic . . . . . . . . . . .  57

    Table 14: Standard Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . .  63

    Table 15: IP Address-Specific Firewall Filter Match Conditions for MPLS Traffic . . . . . . . . . . . .  65

    Table 16: IP Port-Specific Firewall Filter Match Conditions for MPLS Traffic . . . .  66

    Table 17: Standard Firewall Filter Match Conditions for VPLS Traffic . . . . . . . . . . .  67

    Table 18: Standard Firewall Filter Match Conditions for Layer 2 CCC Traffic . . . . .  74

    Table 19: Standard Firewall Filter Match Conditions for Layer 2 Bridging (MX Series 3D Universal Edge Routers Only) . . . . . . . .  75

    Table 20: Terminating Actions for Standard Firewall Filters . . . . . . . . . . . . . . . . . .  81

    Table 21: Nonterminating Actions for Standard Firewall Filters . . . . . . . . . . . . . . .  83

    Chapter 5 Standard Firewall Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  89

    Table 22: Syslog Message Destinations for the Firewall Facility . . . . . . . . . . . . . .  219

    Table 23: Packet-Header Logs for Stateless Firewall Filter Terms . . . . . . . . . . . .  222

    Chapter 6 Service Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  227

    Table 24: Service Filter Match Conditions for IPv4 or IPv6 Traffic . . . . . . . . . . . .  235

    Table 25: Terminating Actions for Service Filters . . . . . . . . . . . . . . . . . . . . . . . . . .  241


    Table 26: Nonterminating Actions for Service Filters . . . . . . . . . . . . . . . . . . . . . .  242

    Chapter 7 Simple Filter Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  249

    Table 27: Simple Filter Match Conditions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  252

    Chapter 8 Stateless Firewall Filter Configuration in Logical Systems . . . . . . . . . . . . .  261

    Table 28: Unsupported Firewall Statements for Logical Systems . . . . . . . . . . . .  274

    Table 29: Unsupported Actions for Firewall Filters in Logical Systems . . . . . . . .  275

    Part 2 Traffic Policers

    Chapter 10 Introduction to Traffic Policers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297

    Table 30: Two-Color Policer Configuration and Application Overview . . . . . . . .  307

    Table 31: Three-Color Policer Configuration and Application Overview . . . . . . . .  312

    Table 32: Hierarchical Policer Configuration and Application Summary . . . . . . .  315

    Table 33: Policer Bandwidth Limits and Burst-Size Limits . . . . . . . . . . . . . . . . . .  317

    Table 34: Implicit and Configurable Policer Actions Based on Color Marking . . . 318

    Table 35: Example Calculations of Policer Burst-Size Limit . . . . . . . . . . . . . . . . . 325

    Chapter 11 Single-Rate Two-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . .  327

    Table 36: Examples of Counter and Policer Set Size and Indexing . . . . . . . . . . . .  361

    Table 37: Summary of Prefix-Specific Action Scenarios . . . . . . . . . . . . . . . . . . .  369

    Chapter 12 Three-Color Policer Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .  399

    Table 38: Recommended Naming Convention for Policers . . . . . . . . . . . . . . . . .  401


    About This Guide

    This preface provides the following guidelines for using the Junos® OS Firewall Filter and Policer Configuration Guide:

    •   Junos OS Documentation and Release Notes on page xxi

    •   Objectives on page xxii

    •   Audience on page xxii

    •   Supported Platforms on page xxii

    •   Using the Indexes on page xxiii

    •   Using the Examples in This Manual on page xxiii

    •   Documentation Conventions on page xxiv

    •   Documentation Feedback on page xxvi

    •   Requesting Technical Support on page xxvi

    Junos OS Documentation and Release Notes

    For a list of related Junos OS documentation, see http://www.juniper.net/techpubs/software/junos/.

    If the information in the latest release notes differs from the information in the

    documentation, follow the Junos OS Release Notes.

    To obtain the most current version of all Juniper Networks® technical documentation, see the product documentation page on the Juniper Networks website at http://www.juniper.net/techpubs/.

    Juniper Networks supports a technical book program to publish books by Juniper Networks engineers and subject matter experts with book publishers around the world. These books go beyond the technical documentation to explore the nuances of network architecture, deployment, and administration using the Junos operating system (Junos OS) and Juniper Networks devices. In addition, the Juniper Networks Technical Library, published in conjunction with O'Reilly Media, explores improving network security, reliability, and availability using Junos OS configuration techniques. All the books are for sale at technical bookstores and book outlets around the world. The current list can be viewed at http://www.juniper.net/books.


    Objectives

    This guide provides an overview of stateless firewall filters and traffic policers for the

    Junos OS and describes how to configure firewall filters and policers on the router.

    NOTE: For additional information about the Junos OS—either corrections to or information that might have been omitted from this guide—see the software release notes at http://www.juniper.net/.

    Audience

    This guide is designed for network administrators who are configuring and monitoring a

    Juniper Networks M Series, MX Series, T Series, EX Series, or J Series router or switch.

    To use this guide, you need a broad understanding of networks in general, the Internet

    in particular, networking principles, and network configuration. You must also be familiar

    with one or more of the following Internet routing protocols:

    •   Border Gateway Protocol (BGP)

    •   Distance Vector Multicast Routing Protocol (DVMRP)

    •   Intermediate System-to-Intermediate System (IS-IS)

    •   Internet Control Message Protocol (ICMP) router discovery

    •   Internet Group Management Protocol (IGMP)

    •   Multiprotocol Label Switching (MPLS)

    •   Open Shortest Path First (OSPF)

    •   Protocol-Independent Multicast (PIM)

    •   Resource Reservation Protocol (RSVP)

    •   Routing Information Protocol (RIP)

    •   Simple Network Management Protocol (SNMP)

    Personnel operating the equipment must be trained and competent; must not conduct

    themselves in a careless, willfully negligent, or hostile manner; and must abide by the

    instructions provided by the documentation.

    Supported Platforms

    For the features described in this manual, the Junos OS currently supports the following

    platforms:

    •   J Series

    •   M Series


    •   MX Series

    •   T Series

    •   EX Series

    Using the Indexes

    This reference contains two indexes: a complete index that includes topic entries, and

    an index of statements and commands only.

    In the index of statements and commands, an entry refers to a statement summary

    section only. In the complete index, the entry for a configuration statement or command

    contains at least two parts:

    •   The primary entry refers to the statement summary section.

    •   The secondary entry, usage guidelines, refers to the section in a configuration guidelines chapter that describes how to use the statement or command.

    Using the Examples in This Manual

    If you want to use the examples in this manual, you can use the load merge or the load merge relative command. These commands cause the software to merge the incoming configuration into the current candidate configuration. The example does not become active until you commit the candidate configuration.

    If the example configuration contains the top level of the hierarchy (or multiple hierarchies), the example is a full example. In this case, use the load merge command. If the example configuration does not start at the top level of the hierarchy, the example is a snippet. In this case, use the load merge relative command. These procedures are described in the following sections.

    Merging a Full Example

    To merge a full example, follow these steps:

    1.   From the HTML or PDF version of the manual, copy a configuration example into a

    text file, save the file with a name, and copy the file to a directory on your routing

    platform.

    For example, copy the following configuration to a file and name the file ex-script.conf. Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

    system {
        scripts {
            commit {
                file ex-script.xsl;
            }
        }
    }
    interfaces {
        fxp0 {
            disable;
            unit 0 {
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }

    2.   Merge the contents of the file into your routing platform configuration by issuing the

    load merge configuration mode command:

    [edit]

    user@host# load merge /var/tmp/ex-script.conf

    load complete

    Merging a Snippet

    To merge a snippet, follow these steps:

    1.   From the HTML or PDF version of the manual, copy a configuration snippet into a text file, save the file with a name, and copy the file to a directory on your routing platform.

    For example, copy the following snippet to a file and name the file ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory on your routing platform.

    commit {
        file ex-script-snippet.xsl;
    }

    2. Move to the hierarchy level that is relevant for this snippet by issuing the following

    configuration mode command:

    [edit]
    user@host# edit system scripts
    [edit system scripts]

    3.   Merge the contents of the file into your routing platform configuration by issuing the

    load merge relative configuration mode command:

    [edit system scripts]

    user@host# load merge relative /var/tmp/ex-script-snippet.conf

    load complete

    For more information about the load command, see the Junos OS CLI User Guide.

    Documentation Conventions

    Table 1 on page xxv defines notice icons used in this guide.


    Table 1: Notice Icons

    (The icon images from the printed guide are not reproduced here; each entry lists the icon's meaning and description.)

    Meaning: Informational note
    Description: Indicates important features or instructions.

    Meaning: Caution
    Description: Indicates a situation that might result in loss of data or hardware damage.

    Meaning: Warning
    Description: Alerts you to the risk of personal injury or death.

    Meaning: Laser warning
    Description: Alerts you to the risk of personal injury from a laser.

    Table 2 on page xxv defines the text and syntax conventions used in this guide.

    Table 2: Text and Syntax Conventions

    Convention: Bold text like this
    Description: Represents text that you type.
    Examples: To enter configuration mode, type the configure command:
        user@host> configure

    Convention: Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Examples:
        user@host> show chassis alarms
        No alarms currently active

    Convention: Italic text like this
    Description:
    •   Introduces important new terms.
    •   Identifies book names.
    •   Identifies RFC and Internet draft titles.
    Examples:
    •   A policy term is a named structure that defines match conditions and actions.
    •   Junos OS System Basics Configuration Guide
    •   RFC 1997, BGP Communities Attribute

    Convention: Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Examples: Configure the machine's domain name:
        [edit]
        root@# set system domain-name domain-name

    Convention: Text like this
    Description: Represents names of configuration statements, commands, files, and directories; interface names; configuration hierarchy levels; or labels on routing platform components.
    Examples:
    •   To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    •   The console port is labeled CONSOLE.

    Convention: < > (angle brackets)
    Description: Enclose optional keywords or variables.
    Examples: stub ;

    Convention: | (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples:
        broadcast | multicast
        (string1 | string2 | string3)

    Convention: # (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Examples:
        rsvp { # Required for dynamic MPLS only

    Convention: [ ] (square brackets)
    Description: Enclose a variable for which you can substitute one or more values.
    Examples:
        community name members [community-ids]

    Convention: Indention and braces ( { } )
    Description: Identify a level in the configuration hierarchy.
    Examples:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

    Convention: ; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.

    J-Web GUI Conventions

    Convention: Bold text like this
    Description: Represents J-Web graphical user interface (GUI) items you click or select.
    Examples:
    •   In the Logical Interfaces box, select All Interfaces.
    •   To cancel the configuration, click Cancel.

    Convention: > (bold right angle bracket)
    Description: Separates levels in a hierarchy of J-Web selections.
    Examples: In the configuration editor hierarchy, select Protocols>Ospf.

    Documentation Feedback

    We encourage you to provide feedback, comments, and suggestions so that we can improve the documentation. You can send your comments to [email protected], or fill out the documentation feedback form at https://www.juniper.net/cgi-bin/docbugreport/. If you are using e-mail, be sure to include the following information with your comments:

    •   Document or topic name

    •   URL or page number

    •   Software release version (if applicable)

    Requesting Technical Support

    Technical product support is available through the Juniper Networks Technical Assistance Center (JTAC). If you are a customer with an active J-Care or JNASC support contract, or are covered under warranty, and need postsales technical support, you can access our tools and resources online or open a case with JTAC.

    •   JTAC policies—For a complete understanding of our JTAC procedures and policies, review the JTAC User Guide located at http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

    •   Product warranties—For product warranty information, visit http://www.juniper.net/support/warranty/.

    •   JTAC Hours of Operation—The JTAC centers have resources available 24 hours a day, 7 days a week, 365 days a year.

    Self-Help Online Tools and Resources

    For quick and easy problem resolution, Juniper Networks has designed an online

    self-service portal called the Customer Support Center (CSC) that provides you with the

    following features:

    •   Find CSC offerings: http://www.juniper.net/customers/support/

    •   Find product documentation: http://www.juniper.net/techpubs/

    •   Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

    •   Download the latest versions of software and review release notes:

    http://www.juniper.net/customers/csc/software/

    •   Search technical bulletins for relevant hardware and software notifications:

    https://www.juniper.net/alerts/

    •   Join and participate in the Juniper Networks Community Forum:

    http://www.juniper.net/company/communities/

    •   Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

    To verify service entitlement by product serial number, use our Serial Number Entitlement (SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

    Opening a Case with JTAC

    You can open a case with JTAC on the Web or by telephone.

    •   Use the Case Management tool in the CSC at http://www.juniper.net/cm/ .

    •   Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

    For international or direct-dial options in countries without toll-free numbers, visit us at

    http://www.juniper.net/support/requesting-support.html


    PART 1

    Stateless Firewall Filters

    •   Introduction to Stateless Firewall Filters on page 3

    •   Standard Firewall Filter Overview on page 19

    •   Standard Firewall Filter Match Conditions Overview on page 31

    •   Standard Firewall Filter Match Conditions and Actions on page 47

    •   Standard Firewall Filter Configuration on page 89

    •   Service Filter Configuration on page 227

    •   Simple Filter Configuration on page 249

    •   Stateless Firewall Filter Configuration in Logical Systems on page 261

    •   Summary of Stateless Firewall Filter Configuration Statements on page 283


    CHAPTER 1

    Introduction to Stateless Firewall Filters

    •   Router Data Flow Overview on page 3

    •   Stateless Firewall Filter Overview on page 5

    •   Stateless Firewall Filter Types on page 6

    •   Stateless Firewall Filter Components on page 7

    •   Stateless Firewall Filter Application Points on page 12
