Routers - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router

Chapter 32: Configuring Firewall Filters
Copyright © 2017, Juniper Networks, Inc.

Table 73: Standard Firewall Filter Match Conditions for IPv4 Traffic on ACX Series Routers (continued)

Match Condition: dscp number
Description:
Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see "Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic" on page 950.
You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.
In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
- RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).
- RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:
  af11 (10), af12 (12), af13 (14)
  af21 (18), af22 (20), af23 (22)
  af31 (26), af32 (28), af33 (30)
  af41 (34), af42 (36), af43 (38)

Match Condition: fragment-flags number
Description:
(Ingress only) Match the three-bit IP fragmentation flags field in the IP header.
In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).

Match Condition: icmp-code number
Description:
Match the ICMP message code field.
If you configure this match condition, we recommend that you also configure the protocol icmp match condition in the same term.
If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.
In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
- parameter-problem: ip-header-bad (0), required-option-missing (1)
- redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
- time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
- unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
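
The dscp value forms and the icmp-code dependency rules from the table above, written as a small pre-commit check for filter terms. This is an added example, not code from the Juniper manual; the function names and the dict model of a term's match conditions are hypothetical, and icmp-type is assumed to be given as a keyword.

```python
# Added example, not Juniper code. Keywords and values come from Table 73.
# A keyword's position in its list is its ICMP code value.
CODE_KEYWORDS = {
    "parameter-problem": ["ip-header-bad", "required-option-missing"],
    "redirect": ["redirect-for-network", "redirect-for-host",
                 "redirect-for-tos-and-net", "redirect-for-tos-and-host"],
    "time-exceeded": ["ttl-eq-zero-during-transit",
                      "ttl-eq-zero-during-reassembly"],
    "unreachable": [
        "network-unreachable", "host-unreachable", "protocol-unreachable",
        "port-unreachable", "fragmentation-needed", "source-route-failed",
        "destination-network-unknown", "destination-host-unknown",
        "source-host-isolated", "destination-network-prohibited",
        "destination-host-prohibited", "network-unreachable-for-TOS",
        "host-unreachable-for-TOS", "communication-prohibited-by-filtering",
        "host-precedence-violation", "precedence-cutoff-in-effect"],
}
ICMP_CODES = {t: {k: n for n, k in enumerate(ks)}
              for t, ks in CODE_KEYWORDS.items()}
# ef plus the 12 assured-forwarding code points, where afXY = 8*X + 2*Y.
DSCP = {"ef": 46}
DSCP.update({f"af{c}{d}": 8 * c + 2 * d for c in (1, 2, 3, 4) for d in (1, 2, 3)})

def parse_dscp(text):
    """Return the 6-bit DSCP for a keyword, decimal, 0x-hex or b-binary value."""
    if text in DSCP:
        return DSCP[text]
    if text.startswith("0x"):
        value = int(text[2:], 16)
    elif text.startswith("b"):
        value = int(text[1:], 2)
    else:
        value = int(text)
    if not 0 <= value <= 63:
        raise ValueError(f"dscp {text} is outside 0 through 63")
    return value

def check_term(match):
    """Return findings for one term's match conditions (dict of name -> value)."""
    findings = []
    code, icmp_type = match.get("icmp-code"), match.get("icmp-type")
    if code is not None and icmp_type is None:
        findings.append("icmp-code requires icmp-type in the same term")
    elif code is not None and not code.isdigit() \
            and code not in ICMP_CODES.get(icmp_type, {}):
        findings.append(f"{code} is not a code of icmp-type {icmp_type}")
    if code is not None and match.get("protocol") != "icmp":
        findings.append("icmp-code without protocol icmp (recommended)")
    return findings
```

The same numeric code resolves to different keywords under different types (code 1 is host-unreachable under unreachable and redirect-for-host under redirect), which is why the check rejects a code keyword paired with the wrong icmp-type.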

This manual is also suitable for:

ACX5048, ACX5096, ACX500, ACX1100, ACX2000, ACX2100 ...
