Juniper ACX2000 Configuration Guide

Juniper ACX2000
3270 pages
Table 73: Standard Firewall Filter Match Conditions for IPv4 Traffic on ACX Series Routers (continued)

Match Condition: dscp number
Description:
Match the Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant 6 bits of this byte form the DSCP. For more information, see “Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic” on page 950.
You can specify a numeric value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.
In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed):
- RFC 3246, An Expedited Forwarding PHB (Per-Hop Behavior), defines one code point: ef (46).
- RFC 2597, Assured Forwarding PHB Group, defines 4 classes, with 3 drop precedences in each class, for a total of 12 code points:
  af11 (10), af12 (12), af13 (14)
  af21 (18), af22 (20), af23 (22)
  af31 (26), af32 (28), af33 (30)
  af41 (34), af42 (36), af43 (38)

Match Condition: fragment-flags number
Description:
(Ingress only) Match the three-bit IP fragmentation flags field in the IP header.
In place of the numeric field value, you can specify one of the following keywords (the field values are also listed): dont-fragment (0x4), more-fragments (0x2), or reserved (0x8).

Match Condition: icmp-code number
Description:
Match the ICMP message code field.
If you configure this match condition, we recommend that you also configure the protocol icmp match condition in the same term.
If you configure this match condition, you must also configure the icmp-type message-type match condition in the same term. An ICMP message code provides more specific information than an ICMP message type, but the meaning of an ICMP message code is dependent on the associated ICMP message type.
In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated:
- parameter-problem: ip-header-bad (0), required-option-missing (1)
- redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2)
- time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0)
- unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
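
The icmp-code rules above can be checked mechanically when reviewing filters. The following Python lint is an added example, not part of the Juniper guide: it flags a term that uses icmp-code without icmp-type or protocol icmp, or that pairs a code keyword with a different ICMP type than the one it is grouped under. The function name, the sample terms, and the restriction to single-valued match conditions are assumptions of this example.

```python
import re

# Text synonyms for icmp-code, grouped by ICMP type as in the table above.
ICMP_CODES = {
    "parameter-problem": {"ip-header-bad": 0, "required-option-missing": 1},
    "redirect": {"redirect-for-network": 0, "redirect-for-host": 1,
                 "redirect-for-tos-and-net": 2, "redirect-for-tos-and-host": 3},
    "time-exceeded": {"ttl-eq-zero-during-transit": 0,
                      "ttl-eq-zero-during-reassembly": 1},
    "unreachable": {
        "network-unreachable": 0, "host-unreachable": 1,
        "protocol-unreachable": 2, "port-unreachable": 3,
        "fragmentation-needed": 4, "source-route-failed": 5,
        "destination-network-unknown": 6, "destination-host-unknown": 7,
        "source-host-isolated": 8, "destination-network-prohibited": 9,
        "destination-host-prohibited": 10, "network-unreachable-for-TOS": 11,
        "host-unreachable-for-TOS": 12,
        "communication-prohibited-by-filtering": 13,
        "host-precedence-violation": 14, "precedence-cutoff-in-effect": 15},
}

def lint_term(from_block):
    """Return findings for the icmp-code rules; from_block is a term's 'from' text."""
    conds = dict(re.findall(r"^\s*([a-z-]+)\s+([^;\s]+);", from_block, re.M))
    code, itype = conds.get("icmp-code"), conds.get("icmp-type")
    findings = []
    if code is None:
        return findings
    if itype is None:
        findings.append("required: icmp-type missing from the term")
    if conds.get("protocol") != "icmp":
        findings.append("recommended: protocol icmp missing from the term")
    if not code[0].isdigit():  # keyword form; numeric codes are not checked
        owners = [t for t, names in ICMP_CODES.items() if code in names]
        if not owners:
            findings.append(f"{code} is not a keyword in the table above")
        elif itype and not itype[0].isdigit() and itype not in owners:
            findings.append(f"{code} is a code of {owners[0]}, not {itype}")
    return findings

# Constructed sample terms (not from the guide).
GOOD = "protocol icmp;\nicmp-type unreachable;\nicmp-code fragmentation-needed;"
MISMATCH = "protocol icmp;\nicmp-type time-exceeded;\nicmp-code host-unreachable;"
NO_TYPE = "icmp-code 1;"

if __name__ == "__main__":
    for name, term in [("GOOD", GOOD), ("MISMATCH", MISMATCH), ("NO_TYPE", NO_TYPE)]:
        print(name, lint_term(term))
```
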
1055 Copyright © 2017, Juniper Networks, Inc.
Chapter 32: Configuring Firewall Filters
