Table of Contents
Advertisement
Interface Filter Match Conditions
IP Address Filter Match Conditions
Copyright © 2010, Juniper Networks, Inc.
vlan 10;
vlan 30;
The following restrictions apply to numeric filter match conditions:
You cannot specify a range of values.
You cannot specify a list of comma-separated values.
You cannot exclude a specific value in a numeric filter match condition. For example,
you cannot specify a condition that would match only if the match condition was not
equal to a given value.
Interface filter match conditions can match interface name values in a packet. For
interface filter match conditions, you specify the name of the interface, for example:
[edit firewall family family-name filter filter-name term term-name from]user@host#
set interface ge-0/0/1
Port and VLAN interfaces do not use logical unit numbers. However, a firewall filter that
is applied to a router interface can specify the logical unit number in the interface filter
match condition, for example:
[edit firewall family family-name filter filter-name term term-name from]user@host#
set interface ge-0/1/0.0
You can include the
wildcard as part of the interface name, for example:
*
[edit firewall family family-name filter filter-name term term-name from]user@host#
set interface ge-0/*/1user@host# set interface ge-0/1/*user@host# set interface ge-*
Address filter match conditions can match prefix values in a packet, such as IP source
and destination prefixes. For address filter match conditions, you specify a keyword that
identifies the field and one prefix of that type that a packet must match.
You specify the address as a single prefix. A match occurs if the value of the field matches
the prefix. For example:
[edit firewall family family-name filter filter-name term term-name from]user@host#
set destination-address 10.2.1.0/28;
Each prefix contains an implicit 0/0 except statement, which means that any prefix that
does not match the prefix that is specified is explicitly considered not to match.
To specify the address prefix, use the notation prefix/prefix-length. If you omit
prefix-length, it defaults to /32. For example:
[edit firewall family family-name filter filter-name term term-name from]user@host#
set destination-address 10[edit firewall family family-name filter filter-name term
term-name from] user@host# showdestination-address {10.0.0.0/32;}
To specify more than one IP address in a filter term, you enter each address in its own
match statement. For example, a match occurs in the following term if the value of the
field matches either of the following source-address prefixes:
source-address
[edit firewall family family-name filter filter-name term term-name from]user@host#
set source-address 10.0.0.0/8user@host# set source-address 10.1.0.0/16
Chapter 100: Firewall Filters—Overview
3033
Advertisement
Chapters
Table of Contents
Troubleshooting
Related Manuals for Juniper JUNOS OS 10.3 - SOFTWARE
Related Products for Juniper JUNOS OS 10.3 - SOFTWARE
- Juniper IDP OS 5.1R1 - S REV 1
- Juniper JUNOS OS 10.4 - S REV 5
- Juniper JUNOS OS 10.4 - FOR EX REV 1
- Juniper JUNOS OS 10.4 - XML API OPERATIONAL
- Juniper IDP OS 5.1R1
- Juniper JUNOS SOFTWARE 10.2 - SOFTWARE INSTALLATION AND UPGRADE GUIDE 4-28-2010
- Juniper OCX1100
- Juniper ADVANCED INSIGHT SCRIPTS 2.5 - S REV 1