On Ex Series Switches - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual

For ex series ethernet switches

Complete Software Guide for Junos® OS for EX Series Ethernet Switches, Release 10.4
Possible actions to take if a match occurs are accept, discard, and forward to a routing
instance.
4. What additional action modifiers might be required?
Determine whether additional actions are required if a packet matches a match
condition; for example, you can specify an action modifier to count, analyze, or police
packets.
5. On what interface should the firewall filter be applied?
Start with the following basic guidelines:
If all the packets entering a port need to be exposed to filtering, then use port firewall
filters.
If all the packets that are bridged need filtering, then use VLAN firewall filters.
If all the packets that are routed need filtering, then use router firewall filters.
Before you choose the interface on which to apply a firewall filter, understand how
that placement can impact traffic flow to other interfaces. In general, apply a firewall
filter that filters on source and destination IP addresses, IP protocols, or protocol
information—such as ICMP message types, and TCP and UDP port numbers—nearest
to the source devices. However, typically apply a firewall filter that filters only on a
source IP address nearest to the destination devices. When applied too close to the
source device, a firewall filter that filters only on a source IP address could potentially
prevent that source device from accessing other services that are available on the
network.
NOTE: Egress firewall filters do not affect the flow of locally generated
control packets from the Routing Engine.
6. In which direction should the firewall filter be applied?
You can apply firewall filters to ports on the switch to filter packets that are entering
a port. You can apply firewall filters to VLANs, and Layer 3 (routed) interfaces to filter
packets that are entering or exiting a VLAN or routed interface. Typically, you configure
different sets of actions for traffic entering an interface than you configure for traffic
exiting an interface.
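The placement and direction guidelines above, shown as an added configuration example that is not part of the original manual page. Interface names, addresses (documentation ranges), and all filter, term, and counter names are assumptions; the fragment covers only the filter definitions and their attachment points.

```junos
# Constructed example: names and addresses are placeholders.

# Port filter, ingress, on the access port nearest the source devices.
# It matches destination address, IP protocol, and TCP port, so placing it
# near the source drops the traffic before it crosses the network.
set firewall family ethernet-switching filter port-in-no-telnet term telnet-to-servers from destination-address 192.0.2.0/24
set firewall family ethernet-switching filter port-in-no-telnet term telnet-to-servers from protocol tcp
set firewall family ethernet-switching filter port-in-no-telnet term telnet-to-servers from destination-port telnet
set firewall family ethernet-switching filter port-in-no-telnet term telnet-to-servers then discard
# Action modifier: count the discarded packets.
set firewall family ethernet-switching filter port-in-no-telnet term telnet-to-servers then count telnet-to-servers-drops
# Explicit final term: packets that match no term are otherwise discarded.
set firewall family ethernet-switching filter port-in-no-telnet term everything-else then accept
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input port-in-no-telnet

# Router filter, egress, on the routed interface nearest the destination.
# It matches only a source address, so it is placed near the protected
# destination rather than near the source, which leaves the source hosts
# able to reach other services on the network.
set firewall family inet filter router-out-block-lab term lab-hosts from source-address 198.51.100.0/24
set firewall family inet filter router-out-block-lab term lab-hosts then discard
set firewall family inet filter router-out-block-lab term lab-hosts then count lab-hosts-drops
set firewall family inet filter router-out-block-lab term everything-else then accept
set interfaces ge-0/0/10 unit 0 family inet filter output router-out-block-lab
```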
Related Documentation
Firewall Filters for EX Series Switches Overview on page 3225
Understanding the Use of Policers in Firewall Filters on page 3259
Understanding How Firewall Filters Are Evaluated on page 3253
Understanding Filter-Based Forwarding for EX Series Switches on page 3260
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 3261
Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches on page 3280
Copyright © 2010, Juniper Networks, Inc.
