Understanding The Use Of Policers In Firewall Filters - Juniper JUNOS OS 10.3 - SOFTWARE Manual

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.3

Understanding How Firewall Filters Test a Packet's Protocol

When examining match conditions, Juniper Networks Junos operating system (Junos OS) for Juniper Networks EX Series Ethernet Switches tests only the field that is specified. The software does not implicitly test the IP header to determine whether a packet is an IP packet. Therefore, in some cases, you must specify protocol field match conditions in conjunction with other match conditions to ensure that the filters are performing the expected matches.

If you specify a protocol match condition or a match of the ICMP type or TCP flags field, there is no implied protocol match. For the following match conditions, you must explicitly specify the protocol match condition in the same term:

destination-port—Specify the match protocol tcp or protocol udp.
source-port—Specify the match protocol tcp or protocol udp.

If you do not specify the protocol when using the preceding fields, design your filters carefully to ensure that they perform the expected matches. For example, if you specify a match of destination-port ssh, the switch deterministically matches any packets that have a value of 22 in the two-byte field that is two bytes beyond the end of the IP header without ever checking the IP protocol field.

Related Documentation
Firewall Filters for EX Series Switches Overview on page 3001
Understanding Firewall Filter Match Conditions on page 3032
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 3039

Understanding the Use of Policers in Firewall Filters

Policing, or rate limiting, is an important component of firewall filters that lets you control the amount of traffic that enters an interface.

A single firewall filter configured with a policer permits only traffic at specified data rates to provide protection from denial-of-service (DoS) attacks. Traffic that exceeds the rate limits specified by the policer can be discarded. Discard is the only supported policer action. Typically, traffic that exceeds the rate limits specified by the policer is either discarded or marked as lower priority than traffic that meets the rate limits specified by the policer. When necessary, low-priority traffic can be discarded by the switch to prevent congestion.

A policer applies two types of rate limits on traffic:

Bandwidth—The number of bits per second permitted, on average.
Maximum burst size—The maximum size permitted for bursts of data that exceed the given bandwidth limit.

3036 Copyright © 2010, Juniper Networks, Inc.
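The following added example (not from the Junos documentation or Juniper) models the behaviour described under "Understanding How Firewall Filters Test a Packet's Protocol": a term that matches only destination-port compares the two-byte field two bytes beyond the end of the IP header, whatever protocol the packet carries, whereas a term that also specifies protocol tcp first checks the IP protocol field. The packets are constructed inline (checksums are left at zero), and the matcher functions are illustrative stand-ins for the switch's term evaluation, not Junos code.

```python
import struct

IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17


def build_ipv4(proto: int, payload: bytes, ihl_words: int = 5) -> bytes:
    """Build a minimal IPv4 packet (constructed test data; checksums left at 0)."""
    ver_ihl = (4 << 4) | ihl_words
    total_len = ihl_words * 4 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        ver_ihl, 0, total_len, 0, 0, 64, proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    header += b"\x00" * ((ihl_words - 5) * 4)  # IP options padding, if any
    return header + payload


def ip_header_len(pkt: bytes) -> int:
    """Header length in bytes from the IHL nibble (options included)."""
    return (pkt[0] & 0x0F) * 4


def field_two_bytes_past_ip_header(pkt: bytes) -> int:
    """The two-byte field that is two bytes beyond the end of the IP header.

    For TCP and UDP this is the destination port; for any other protocol it
    is whatever happens to sit there (for ICMP it is the checksum)."""
    off = ip_header_len(pkt) + 2
    return struct.unpack("!H", pkt[off:off + 2])[0]


def match_destination_port_only(pkt: bytes, port: int) -> bool:
    """Models a term with only `destination-port <port>`: no protocol test."""
    return field_two_bytes_past_ip_header(pkt) == port


def match_protocol_and_port(pkt: bytes, proto: int, port: int) -> bool:
    """Models a term with `protocol tcp` (or udp) and `destination-port <port>`."""
    return pkt[9] == proto and field_two_bytes_past_ip_header(pkt) == port


# Constructed sample packets (hypothetical traffic, not captures)
TCP_SSH = build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, 22) + b"\x00" * 16)
TCP_SSH_WITH_OPTIONS = build_ipv4(
    IPPROTO_TCP, struct.pack("!HH", 40000, 22) + b"\x00" * 16, ihl_words=6)
UDP_22 = build_ipv4(IPPROTO_UDP, struct.pack("!HHHH", 40000, 22, 12, 0) + b"\x00" * 4)
# ICMP echo request whose (constructed) checksum bytes happen to be 0x0016 == 22
ICMP_CHECKSUM_22 = build_ipv4(IPPROTO_ICMP, bytes([8, 0, 0x00, 0x16, 0, 1, 0, 1]))
TCP_HTTP = build_ipv4(IPPROTO_TCP, struct.pack("!HH", 40000, 80) + b"\x00" * 16)


def classify(pkt: bytes) -> dict:
    """Evaluate one packet against both forms of the ssh term."""
    return {
        "port-only": match_destination_port_only(pkt, 22),
        "tcp+port": match_protocol_and_port(pkt, IPPROTO_TCP, 22),
    }


if __name__ == "__main__":
    samples = [("tcp ssh", TCP_SSH), ("tcp ssh+opts", TCP_SSH_WITH_OPTIONS),
               ("udp 22", UDP_22), ("icmp", ICMP_CHECKSUM_22), ("tcp http", TCP_HTTP)]
    for name, pkt in samples:
        print(f"{name:14} {classify(pkt)}")
```

The port-only term matches the UDP packet and even the ICMP packet whose checksum bytes happen to equal 22, because the switch never looks at the IP protocol field; the term that also specifies protocol tcp matches only the two TCP packets. The packet with IP options shows why the field offset is taken from the end of the IP header rather than a fixed byte position.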
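The following added example (not from the Junos documentation or Juniper) illustrates the two policer limits described under "Understanding the Use of Policers in Firewall Filters": an average bandwidth in bits per second and a maximum burst size, with discard as the only action for traffic that exceeds them. It models the policer as a token bucket, which is an assumption on my part; the page names the two parameters but not the algorithm the switch uses. The traffic sample is constructed inline.

```python
from typing import List, Tuple


class Policer:
    """Two-limit policer modelled as a token bucket (assumed model).

    bandwidth_limit_bps: bits per second permitted, on average.
    burst_size_bytes:    maximum burst permitted beyond that average.
    Traffic that exceeds the limits is discarded; that is the only action.
    """

    def __init__(self, bandwidth_limit_bps: int, burst_size_bytes: int):
        self.bandwidth_limit_bps = bandwidth_limit_bps
        self.burst_size_bytes = burst_size_bytes
        self.tokens = float(burst_size_bytes)  # bucket starts full
        self.last_ms = 0
        self.discarded = 0

    def offer(self, now_ms: int, size_bytes: int) -> str:
        """Offer one packet of size_bytes at time now_ms; return the action."""
        # Refill at the average rate (bytes per millisecond), never beyond the
        # burst size: a long idle period cannot bank more than one burst.
        elapsed_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        refill = elapsed_ms * self.bandwidth_limit_bps / 8 / 1000
        self.tokens = min(float(self.burst_size_bytes), self.tokens + refill)
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return "accept"
        self.discarded += 1
        return "discard"


def police(policer: Policer, packets: List[Tuple[int, int]]) -> List[str]:
    """Run (time_ms, size_bytes) packets through the policer in arrival order."""
    return [policer.offer(t, size) for t, size in packets]


# Constructed traffic against an 8 kbps (1000 bytes/s) policer with a
# 1500-byte burst allowance.
SAMPLE = [
    (0, 1000),     # bucket full (1500): accept, 500 left
    (0, 1000),     # same instant, only 500 tokens: discard
    (1000, 1000),  # one second later, refilled to 1500: accept, 500 left
    (1000, 500),   # accept, 0 left
    (1100, 200),   # 100 ms -> 100 tokens: discard
    (2000, 1000),  # 900 ms more -> 1000 tokens: accept
    (5000, 2000),  # larger than the burst size: never accepted
]


if __name__ == "__main__":
    p = Policer(bandwidth_limit_bps=8000, burst_size_bytes=1500)
    for (t, size), action in zip(SAMPLE, police(p, SAMPLE)):
        print(f"t={t:5d} ms  {size:5d} B  {action}")
    print(f"discarded: {p.discarded}")
```

Two points the trace makes concrete: a packet larger than the burst size is discarded even when the interface has been idle, because the bucket never holds more than one burst; and the bandwidth figure is an average, so short bursts up to the burst size pass as long as the longer-term rate stays under the limit.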