Firewall Filter Components; Firewall Filter Processing - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For EX Series Ethernet Switches
Firewall Filter Components

Firewall Filter Processing

Copyright © 2010, Juniper Networks, Inc.
In a firewall filter, you first define the family address type (ethernet-switching, inet, or inet6), and then you define one or more terms that specify the filtering criteria and the action to take if a match occurs.
The maximum number of terms allowed per firewall filter for EX Series switches is:
512 for EX2200 switches
7168 for EX3200 and EX4200 switches, as allocated by the dynamic allocation of ternary content addressable memory (TCAM) for port, VLAN, and router firewall filters
1536 for EX4500 switches
32768 for EX8200 switches
NOTE: The on-demand dynamic allocation of the shared space TCAM in EX8200 switches is achieved by assigning free space blocks to firewall filters. Firewall filters are categorized into two different pools. Port and VLAN filters are pooled together (the memory threshold for this pool is 22K) while router firewall filters are pooled separately (the threshold for this pool is 32K). The assignment happens based on the filter pool type. Free space blocks can be shared only among the firewall filters belonging to the same filter pool type. An error message is generated when you try to configure a firewall filter beyond the TCAM threshold.
Each term consists of the following components:
Match conditions—Specify the values or fields that the packet must contain. You can define various match conditions, including the IP source address field, IP destination address field, Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port field, IP protocol field, Internet Control Message Protocol (ICMP) packet type, TCP flags, and interfaces.
Action—Specifies what to do if a packet matches the match conditions. Possible actions are to accept or discard the packet or to send the packet to a specific virtual routing interface. In addition, packets can be counted to collect statistical information. If no action is specified for a term, the default action is to accept the packet.
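The filter below puts the components just described together: an address family, several terms, each with match conditions under from and actions under then, a counter, and one term that relies on the default accept. It is an added example and not configuration from this manual; the filter name protect-ssh, the counter names, the 192.0.2.0/24 management prefix, and the vlan.100 interface are hypothetical.

```junos
firewall {
    family inet {
        filter protect-ssh {
            /* Allow SSH only from the hypothetical management prefix, and count the hits. */
            term allow-ssh-from-mgmt {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-from-mgmt;
                    accept;
                }
            }
            /* Any other SSH attempt is counted and discarded. */
            term drop-other-ssh {
                from {
                    protocol tcp;
                    destination-port ssh;
                }
                then {
                    count ssh-dropped;
                    discard;
                }
            }
            /* count alone is not a terminating action, so matching DNS packets are accepted by default. */
            term count-dns {
                from {
                    protocol udp;
                    destination-port domain;
                }
                then count dns-queries;
            }
            /* Explicit catch-all for traffic none of the terms above matched. */
            term allow-everything-else {
                then accept;
            }
        }
    }
}
interfaces {
    vlan {
        unit 100 {
            family inet {
                /* Hypothetical routed VLAN interface; applied here, protect-ssh is a router filter. */
                filter {
                    input protect-ssh;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
```

After the commit, the operational command show firewall filter protect-ssh lists the three counters, which is the quickest way to confirm that SSH from outside the management prefix is actually being discarded rather than silently accepted by a later term. A port filter on an access port uses family ethernet-switching instead and is applied under interfaces ge-0/0/0 unit 0 family ethernet-switching filter input; the term structure is the same.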
The order of the terms within a firewall filter configuration is important. Packets are tested against each term in the order in which the terms are listed in the firewall filter configuration. When a firewall filter contains multiple terms, the switch takes a top-down approach and compares a packet against the first term in the firewall filter. If the packet matches the first term, the switch executes the action defined by that term to either permit or deny the packet, and no other terms are evaluated. If the switch does not find a match between the packet and first term, it compares the packet to the next term in the firewall filter by using the same match process. If no match occurs between the
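A worked example of the first-match rule and of repairing a wrong term order, added here and not taken from this manual; the switch name, the filter protect-ssh, its term names and the 192.0.2.0/24 prefix are hypothetical. In the configuration as first displayed, the broad drop-other-ssh term precedes the specific allow-ssh-from-mgmt term, so every SSH packet is discarded by the first term and the management exception can never match. The configuration-mode insert command moves the specific term ahead of the broad one without retyping it:

```junos
[edit firewall family inet filter protect-ssh]
user@switch# show | display set
set firewall family inet filter protect-ssh term drop-other-ssh from protocol tcp
set firewall family inet filter protect-ssh term drop-other-ssh from destination-port ssh
set firewall family inet filter protect-ssh term drop-other-ssh then discard
set firewall family inet filter protect-ssh term allow-ssh-from-mgmt from source-address 192.0.2.0/24
set firewall family inet filter protect-ssh term allow-ssh-from-mgmt from protocol tcp
set firewall family inet filter protect-ssh term allow-ssh-from-mgmt from destination-port ssh
set firewall family inet filter protect-ssh term allow-ssh-from-mgmt then accept
set firewall family inet filter protect-ssh term allow-everything-else then accept

[edit firewall family inet filter protect-ssh]
user@switch# insert term allow-ssh-from-mgmt before term drop-other-ssh

[edit firewall family inet filter protect-ssh]
user@switch# show | display set | match "then (accept|discard)"
set firewall family inet filter protect-ssh term allow-ssh-from-mgmt then accept
set firewall family inet filter protect-ssh term drop-other-ssh then discard
set firewall family inet filter protect-ssh term allow-everything-else then accept

[edit firewall family inet filter protect-ssh]
user@switch# commit check
configuration check succeeds
```

Because evaluation stops at the first matching term, the practical rule is to place the most specific terms first and any broad discard term after them, then read the term list top-down as an attacker's packet would traverse it. Keeping an explicit final term such as allow-everything-else documents in the configuration what happens to traffic that matched nothing earlier; in Junos OS a packet that matches no term in a filter is discarded, so a filter without such a term silently drops everything it does not name.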
