Firewall Filter Types - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For EX Series Ethernet Switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4

Firewall Filter Types

The following firewall filter types are supported for EX Series switches:
Port (Layer 2) firewall filter—Port firewall filters apply to Layer 2 switch ports. You can
apply port firewall filters in both ingress and egress directions on a physical port.
VLAN firewall filter—VLAN firewall filters provide access control for packets that enter
a VLAN, are bridged within a VLAN, or leave a VLAN. You can apply VLAN firewall filters
in both ingress and egress directions on a VLAN. VLAN firewall filters are applied to all
packets that are forwarded to or forwarded from the VLAN.
Router (Layer 3) firewall filter—You can apply a router firewall filter in both ingress and
egress directions on Layer 3 (routed) interfaces and routed VLAN interfaces (RVIs).
You can apply a router firewall filter in the ingress direction on the loopback interface
(lo0) also.
NOTE: You can apply a firewall filter to aggregated Ethernet interfaces
and loopback interfaces also. Firewall filters configured on loopback
interfaces are applied only to packets that are sent to the Routing Engine
CPU for further processing.
On Juniper Networks EX3200, EX4200, and EX8200 Ethernet Switches, you can apply
port, VLAN, or router firewall filters to both IPv4 and IPv6 traffic, whereas on Juniper
Networks EX4500 Ethernet Switches, you can apply port, VLAN, or router firewall filters
to IPv4 traffic only. For information on firewall filters supported on different switches,
see "Firewall Filter Match Conditions and Actions for EX Series Switches" on page 3233.
You can apply firewall filter match conditions to IPv6 traffic on Layer 3 interfaces,
aggregated Ethernet interfaces, and loopback interfaces. To configure port firewall filters
and VLAN firewall filters for IPv6 traffic, you must include the match condition
ether-type ipv6 and apply the filter on Layer 2 interfaces or VLANs. When you include the
match condition ether-type ipv6 in a term, you must ensure that other match conditions
specified in the term are valid for IPv6 traffic. If the port firewall filter or VLAN
firewall filter term contains the match condition ether-type ipv6, with no other IPv6 match
condition specified, all IPv6 traffic is matched.
NOTE: A term without the match condition ether-type ipv6 applies only to
IPv4 traffic, and a term with that match condition applies only to IPv6 traffic.
Hence, to configure port and VLAN firewall filters for both IPv4 and IPv6
traffic, you should configure two different terms, one each for IPv4 and IPv6
traffic.
To apply a firewall filter, you must:
1. Configure the firewall filter.
2. Apply the firewall filter to a port, VLAN, or Layer 3 interface.
Copyright © 2010, Juniper Networks, Inc.
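
The two steps and the one-term-per-IP-version rule, shown as an added configuration example that is not taken from the manual. The filter name, term names, interface ge-0/0/1 and the 192.0.2.0/24 documentation prefix are assumptions chosen for illustration.

```junos
/* Step 1: configure a port (Layer 2) firewall filter. */
/* Filter and term names below are hypothetical. */
firewall {
    family ethernet-switching {
        filter EXAMPLE-PORT-IN {
            /* No "ether-type ipv6" in this term, so it applies only to IPv4. */
            term v4-ssh-from-mgmt {
                from {
                    /* 192.0.2.0/24 is a documentation prefix (assumed). */
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then accept;
            }
            /* "ether-type ipv6" with no other IPv6 match condition: */
            /* this term matches all IPv6 traffic on the port. */
            term v6-all {
                from {
                    ether-type ipv6;
                }
                then discard;
            }
        }
    }
}
/* Step 2: apply the filter in the ingress direction on a Layer 2 port. */
/* ge-0/0/1 is an assumed interface name. */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family ethernet-switching {
                filter {
                    input EXAMPLE-PORT-IN;
                }
            }
        }
    }
}
```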
