Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual page 3357

For ex series ethernet switches

Copyright © 2010, Juniper Networks, Inc.

Related Documentation
Firewall Filter Configuration Statements Supported by Junos OS for EX Series Switches on page 3318
Example: Configuring Firewall Filters for Port, VLAN, and Router Traffic on EX Series Switches on page 3261
Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches on page 3280
Understanding Firewall Filter Match Conditions on page 3255
Understanding How Firewall Filters Are Evaluated on page 3253
Understanding How Firewall Filters Test a Packet's Protocol on page 3258
Understanding the Use of Policers in Firewall Filters on page 3259
Understanding Filter-Based Forwarding for EX Series Switches on page 3260

Understanding How Firewall Filters Are Evaluated

A firewall filter consists of one or more terms, and the order of the terms within a firewall
filter is important. Before you configure firewall filters, you should understand how Juniper
Networks EX Series Ethernet Switches evaluate the terms within a firewall filter and how
packets are evaluated against the terms.

When a firewall filter consists of a single term, the filter is evaluated as follows:

- If the packet matches all the conditions, the action in the then statement is taken.
- If the packet matches all the conditions, and no action is specified in the then statement, the default action accept is taken.

When a firewall filter consists of more than one term, the firewall filter is evaluated
sequentially:

1. The packet is evaluated against the conditions in the from statement in the first term.
2. If the packet matches all the conditions in the term, the action in the then statement
   is taken and the evaluation ends. Subsequent terms in the filter are not evaluated.
3. If the packet does not match all the conditions in the term, the packet is evaluated
   against the conditions in the from statement in the second term.
   This process continues until either the packet matches the conditions in the from
   statement in one of the subsequent terms or there are no more terms in the filter.
4. If a packet passes through all the terms in the filter without a match, the packet is
   discarded.

Figure 85 on page 3254 shows how an EX Series switch evaluates the terms within a firewall
filter.

Chapter 106: Firewall Filters—Overview
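
The evaluation order described above, modeled in Python as an added example (not Juniper code or Junos configuration, and not part of the original manual). The term names, addresses and sample packets are constructed, and the match-condition names are used only as dictionary keys. It shows how placing a broad term ahead of a specific one changes the result, and flags terms that can never win first match for the sample traffic.

```python
import ipaddress

def matches(conds, pkt):
    """A term matches only if the packet meets ALL of its from conditions."""
    for key, want in conds.items():
        if key == "source-address":
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(want):
                return False
        elif pkt.get(key) != want:
            return False
    return True

def evaluate(terms, pkt):
    """Return (term name, action) of the first matching term; later terms are skipped."""
    for name, conds, action in terms:
        if matches(conds, pkt):
            return name, action or "accept"   # no action in then: default accept
    return None, "discard"                    # no term matched: packet discarded

def shadowed(terms, packets):
    """Terms that match a sample packet on their own but never win first match."""
    winners = {evaluate(terms, p)[0] for p in packets}
    return [n for n, c, _ in terms
            if n not in winners and any(matches(c, p) for p in packets)]

# Constructed terms: (name, from conditions, then action or None).
ALLOW_MGMT = ("allow-mgmt-ssh", {"source-address": "192.0.2.0/24",
                                 "protocol": "tcp", "destination-port": 22}, "accept")
BLOCK_SSH = ("block-ssh", {"protocol": "tcp", "destination-port": 22}, "discard")
COUNT_WEB = ("web-no-action", {"protocol": "tcp", "destination-port": 80}, None)

FILTER_GOOD = [ALLOW_MGMT, BLOCK_SSH, COUNT_WEB]   # specific term first
FILTER_BAD = [BLOCK_SSH, ALLOW_MGMT, COUNT_WEB]    # broad term first

# Constructed sample packets.
MGMT_SSH = {"source-address": "192.0.2.10", "protocol": "tcp", "destination-port": 22}
OTHER_SSH = {"source-address": "203.0.113.5", "protocol": "tcp", "destination-port": 22}
WEB = {"source-address": "198.51.100.7", "protocol": "tcp", "destination-port": 80}
DNS = {"source-address": "198.51.100.7", "protocol": "udp", "destination-port": 53}
SAMPLES = [MGMT_SSH, OTHER_SSH, WEB, DNS]

if __name__ == "__main__":
    for label, flt in (("good", FILTER_GOOD), ("bad", FILTER_BAD)):
        for pkt in SAMPLES:
            print(label, pkt, "->", evaluate(flt, pkt))
        print(label, "shadowed terms:", shadowed(flt, SAMPLES))
```

The shadow check is only as complete as the sample packets it is given; a term is reported only when some sample matches it in isolation.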
