Offers and

Why Juniper? Products & Solu!ons Support Training Search Juniper.net Trials
/

TechLibrary Day One+ Product Documentation Design Center Learning Center Tools & Applications

Home TechLibrary Junos OS Routing Policies, Firewall Filters, and Traffic Policers User Guide

Rou!ng Policies, Firewall Filters, and Traffic Policers User Guide

Junos OS

. Expand All + Example: Configuring a Stateless Firewall Filter on an ) PDF +

Interface Group
Beta
English
Filter by !tle *
! 17-Jun-22 " Product and Release Support
Filter Counters #$%&' (
Example: Configuring a ON THIS PAGE
Stateless Firewall Filter on Firewall filters are essen!al for securing a network and simplifying network management. In Junos OS, you can configure
Requirements
an Interface Group a stateless firewall filters to control the transit of data packets through the system and to manipulate packets as
Overview
necessary. Applying a stateless firewall filter to an interface group helps to filter packets transi!ng through each interface
/ Configuring Filter-Based Configura!on
in the interface group. This example shows how to configure a standard stateless firewall filter to match packets tagged
Tunneling Across IP Networks Verifica!on
for a par!cular interface group.
/ Configuring Service Filters

/ Configuring Simple Filters

Requirements
/ Configuring Layer 2 Firewall
Filters This example uses the following hardware and so#ware components:

/ Configuring Firewall Filters for

Any two Juniper Networks routers or switches that are physically or logically connected to each other through
Forwarding, Fragments, and
interfaces belonging to a rou!ng instance
Policing

/ Configuring Firewall Filters ( Junos OS Release 7.4 or later

EX2300, EX3400, EX4300
Series Switches)
Overview
/ Configuring Firewall Filters
(QFX Series Switches, EX4600 You can apply a stateless firewall filter to an interface group to apply it across all the interfaces in the interface group. This
Switches, PTX Series Routers) helps you to manage the packet filtering on various interfaces simultaneously.
/ Configuring Firewall Filter
In this example, you configure two router or switch interfaces to belong to the interface group. You also configure a
Accounting and Logging
(EX9200 Switches) stateless firewall filter with three terms. In term term1, the filter matches packets that have been tagged as received on
that interface group and contain an ICMP protocol tag. The filter counts, logs, and rejects packets that match the
/ Configuring Traffic Policers
condi!ons. In term term2, the filter matches packets that contain the ICMP protocol tag. The filter counts, logs, and
/ Configuration Statements accepts all packets that match the condi!on. In term term3, the filter counts all the transit packets.
/ Operational Commands
By applying the firewall filter to the rou!ng instance, you can simultaneously apply the filtering mechanism on all the
interfaces in the interface group. For this to happen, all the interfaces in the interface group must belong to a single
rou!ng instance.

NOTE: When you apply a firewall filter to a loopback interface, the interface filters all the packets des!ned to
the Rou!ng Engine.

Figure 1: Configuring a Stateless Firewall Filter on an Interface Group

CLI Quick Configura!on shows the configura!on for all of the devices in Figure 1. The sec!on Step-by-Step Procedure
describes the steps on Device R1.

Configura!on
CLI Quick Configura!on

Configure and Apply the Stateless Firewall Filter on an Interface Group

Results

CLI Quick Configura!on

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks,
change any details necessary to match your network configura!on, copy and paste the commands into the CLI at the
[edit] hierarchy level, and then enter commit from configura!on mode.

Device R0

, -

set interfaces ge-0/0/0 unit 0 family inet address 172.16.17.1/30

set interfaces ge-0/0/1 unit 0 family inet address 172.16.19.1/30
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.1/30
set interfaces lo0 unit 0 family inet address 10.0.0.1/32

Device R1

, -
set firewall family inet filter filter_if_group term term1 then log
set firewall family inet filter filter_if_group term term1 then reject
set firewall family inet filter filter_if_group term term2 from protocol icmp
set firewall family inet filter filter_if_group term term2 then count if_group_counter2
set firewall family inet filter filter_if_group term term2 then log
set firewall family inet filter filter_if_group term term2 then accept
set firewall family inet filter filter_if_group term term3 then count default
set interfaces ge-0/0/0 unit 0 family inet filter group 1
set interfaces ge-0/0/0 unit 0 family inet address 172.16.17.2/30
set interfaces ge-0/0/1 unit 0 family inet address 172.16.19.2/30
set interfaces ge-0/0/2 unit 0 family inet filter group 1
set interfaces ge-0/0/2 unit 0 family inet address 20.1.1.2/30
set interfaces lo0 unit 0 family inet address 20.0.0.1/32
set forwarding-options family inet filter input filter_if_group Show more

Configure and Apply the Stateless Firewall Filter on an Interface Group

Step-by-Step Procedure
The following example requires you to navigate various levels in the configura!on hierarchy. For informa!on about
naviga!ng the CLI, see Use the CLI Editor in Configura!on Mode in the CLI User Guide.

To configure the stateless firewall filter filter_if_group on an interface group:

1. Create the stateless firewall filter filter_if_group.

, -

[edit firewall]
user@R1# edit family inet filter filter_if_group

2. Configure the interfaces and assign two interfaces to interface group 1.

, -

[edit interfaces]
user@R1# set ge-0/0/0 unit 0 family inet filter group 1
user@R1# set ge-0/0/0 unit 0 family inet address 172.16.17.2/30
user@R1# set ge 0/0/1 unit 0 family inet address 172.16.19.2/30
user@R1# set ge-0/0/2 unit 0 family inet filter group 1
user@R1# set ge-0/0/2 unit 0 family inet address 20.1.1.2/30
user@R1# set lo0 unit 0 family inet address 20.0.0.1/32

3. Configure term term1 to match packets received on interface group 1 and with the ICMP protocol.

, -

[edit firewall]
user@R1# set family inet filter filter_if_group term term1 from interface-group 1
user@R1# set family inet filter filter_if_group term term1 from protocol icmp

4. Configure term term1 to count, log, and reject all the matching packets.

, -

[edit firewall]
user@R1# set family inet filter filter_if_group term term1 then count if_group_counter1
user@R1# set family inet filter filter_if_group term term1 then log
user@R1# set family inet filter filter_if_group term term1 then reject

5. Configure term term2 to match packets with the ICMP protocol.

, -

[edit firewall]
user@R1# set family inet filter filter_if_group term term2 from protocol icmp

6. Configure term term2 to count, log, and accept all the matching packets.

, -

[edit firewall]
user@R1# set family inet filter filter_if_group term term2 then count if_group_counter2
user@R1# set family inet filter filter_if_group term term2 then log
user@R1# set family inet filter filter_if_group term term2 then accept

7. Configure term term3 to count all the transit packets.

, -

[edit firewall]
user@R1# set family inet filter filter_if_group term term3 then count default

8. Apply the firewall filter to the router’s (or switch’s) interface group by applying it to the rou!ng instance.

, -

[edit]
user@R1# set forwarding-options family inet filter input filter_if_group

9. If you are done configuring the device, commit your candidate configura!on.

, -

[edit]
user@host# commit

Results
From configura!on mode, confirm your configura!on by issuing the show interfaces, show firewall, and show forwarding-
options commands. If the output does not display the intended configura!on, repeat the instruc!ons in this example to
correct the configura!on.

, -

[edit]
user@R1# show interfaces
ge-0/0/0 {
unit 0 {
family inet {
filter {
group 1;
}
address 172.16.17.2/30;
}
}
}
Show more
ge-0/0/1 {

, -

[edit]
user@R1# show firewall
family inet {
filter filter_if_group {
term term1 {
from {
interface-group 1;
protocol icmp;
}
then {
count if_group_counter1;
log;
Show more
reject;

, -

[edit]
user@R1# show forwarding-options
family inet {
filter {
input filter_if_group;
}
}

Verifica!on
Confirm that the configura!on is working properly.

Verifying the Configura!on of the Interfaces

Verifying Stateless Firewall Filter Configura!on

Verifying the Configura!on of the Interfaces

Purpose

Ac!on

Meaning

Purpose
Verify that the interfaces are properly configured.

Ac!on
To display the state of the interfaces, use the show interfaces terse opera!onal mode command.

Device R0

, -

user@R0> show interfaces terse

Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 172.16.17.1/30
multiservice
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.16.19.1/30
multiservice
ge-0/0/2 up up
ge-0/0/2.0 up up inet 20.1.1.1/30
multiservice
lo0 up up
lo0.0 up up inet 10.0.0.1 --> 0/0

Device R1

, -

user@R1> show interfaces terse

Interface Admin Link Proto Local Remote
ge-0/0/0 up up
ge-0/0/0.0 up up inet 172.16.17.2/30
multiservice
...
ge-0/0/1 up up
ge-0/0/1.0 up up inet 172.16.19.2/30
multiservice
ge-0/0/2 up up
ge-0/0/2.0 up up inet 20.1.1.2/30
multiservice
...

Meaning
All the interfaces on Devices R0 and R1 are physically connected and up. The interface group 1 on Device R1 consists of
two interfaces, namely ge-0/0/0.0 and ge-0/0/2.0.

Verifying Stateless Firewall Filter Configura!on

Purpose

Ac!on

Meaning

Purpose
Verify that the firewall filter match condi!ons are configured properly.

Ac!on

To display the firewall filter counters, enter the show firewall filter filter_if_group opera!onal mode command.

, -

user@R1> show firewall filter filter_if_group

Filter: filter_if_group
Counters:
Name Bytes Packets
default 192975 3396
if_group_counter1 2520 30
if_group_counter2 2604 41

To display the local log of packet headers for packets evaluated by the firewall filter, enter the show firewall log
opera!onal mode command.

, -

user@R1> show firewall log

Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
22:27:33 pfe A lo0.0 ICMP 20.1.1.2 20.1.1.1
22:27:33 pfe R ge-0/0/2.0 ICMP 20.1.1.1 20.1.1.2
22:27:32 pfe A lo0.0 ICMP 20.1.1.2 20.1.1.1
22:27:32 pfe R ge-0/0/2.0 ICMP 20.1.1.1 20.1.1.2
22:27:31 pfe A lo0.0 ICMP 20.1.1.2 20.1.1.1
22:27:31 pfe R ge-0/0/2.0 ICMP 20.1.1.1 20.1.1.2
22:27:30 pfe A lo0.0 ICMP 20.1.1.2 20.1.1.1
22:27:30 pfe R ge-0/0/2.0 ICMP 20.1.1.1 20.1.1.2
22:27:29 pfe A lo0.0 ICMP 20.1.1.2 20.1.1.1
Show more
22:27:29 pfe A lo0.0 ICMP 20.1.1.2 20.1.1.1

To make sure that the firewall filters are ac!ve on interface group 1 on Device R1, use the ping <address> opera!onal
mode command on the CLI of Device R0.

, -

user@R0> ping 172.16.17.2

PING 172.16.17.2 (172.16.17.2): 56 data bytes
36 bytes from 172.16.17.2: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 f46b 0 0000 40 01 6239 172.16.17.1 172.16.17.2

36 bytes from 172.16.17.2: Communication prohibited by filter

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 f479 0 0000 40 01 622b 172.16.17.1 172.16.17.2

36 bytes from 172.16.17.2: Communication prohibited by filter

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 f487 0 0000 40 01 621d 172.16.17.1 172.16.17.2

, -

user@R0> ping 20.1.1.2

PING 20.1.1.2 (20.1.1.2): 56 data bytes
36 bytes from 20.1.1.2: Communication prohibited by filter
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 f5bd 0 0000 40 01 5ae7 20.1.1.1 20.1.1.2

36 bytes from 20.1.1.2: Communication prohibited by filter

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 0054 f5cd 0 0000 40 01 5ad7 20.1.1.1 20.1.1.2

36 bytes from 20.1.1.2: Communication prohibited by filter

Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
Show more
4 5 00 0054 f5d9 0 0000 40 01 5acb 20.1.1.1 20.1.1.2

To make sure that the firewall filter is not applied on an interface that is not in interface group 1, use the ping
<address> opera!onal mode command on the CLI of Device R0.

, -

user@R0> ping 172.16.19.2

PING 172.16.19.2 (172.16.19.2): 56 data bytes
64 bytes from 172.16.19.2: icmp_seq=0 ttl=64 time=8.689 ms
64 bytes from 172.16.19.2: icmp_seq=1 ttl=64 time=4.076 ms
64 bytes from 172.16.19.2: icmp_seq=2 ttl=64 time=8.501 ms
64 bytes from 172.16.19.2: icmp_seq=3 ttl=64 time=3.954 ms
...

Meaning
The stateless firewall filter is applied to all interfaces in interface group 1. The term term1 match condi!on in the stateless
firewall filter counts, logs, and rejects packets that are received on or sent from the interfaces in interface group 1 and
with a source ICMP protocol. The term term2 match condi!on matches packets tagged with the ICMP protocol and
counts, logs, and accepts those packets. The term term3 match condi!on counts all the transit packets.

RELATED DOCUMENTATION

Filtering Packets Received on a Set of Interface Groups Overview

#$%&' PREVIOUS NEXT (

Example: Configuring Interface-Specific Firewall Understanding Filter-Based Tunneling Across IPv4
Filter Counters Networks

Related Informa!on Configuring Firewall Filters (CLI Procedure) Stateless Firewall Filter Overview Example: Configuring a Firewall Filter on a...

Company Partners Get updates from Juniper Follow us

About Us Partner Program

Sign up
Careers Find a Partner

Corporate Responsibility Find a Distributor

Investor Rela!ons Become a Partner

Newsroom Partner Login

Events

Contact Us

Image Library © 1999 - 2022 Juniper Networks, Inc.

All rights reserved

Contacts Feedback Site Map Privacy Policy Legal No!ces DMCA Policy Cookie ⾸选项
0 Feedback