addresses. When a condition defines a list of values, a match occurs if one of the values
in the list matches the packet.
Individual conditions in a from statement can be negated. When you negate a condition,
you are defining an explicit mismatch. For example, the negated match condition for
forwarding-class is forwarding-class-except. If a packet matches a negated condition, it
is immediately considered not to match the from statement, and the next term in the
filter is evaluated, if there is one. If there are no more terms, the packet is discarded.
You can configure a firewall filter with match conditions for Virtual Private LAN Service
(VPLS) traffic (family vpls). Table 81 on page 1071 describes the match conditions you can
configure at the [edit firewall family vpls filter filter-name term term-name from] hierarchy
level.
NOTE: Not all match conditions for VPLS traffic are supported on all routing
platforms or switching platforms. A number of match conditions for VPLS
traffic are supported only on MX Series 3D Universal Edge Routers.
In the VPLS documentation, the word router in terms such as PE router is used
to refer to any device that provides routing functions.
Table 81: Firewall Filter Match Conditions for VPLS Traffic

Match Condition: destination-mac-address address
Description: Match the destination media access control (MAC) address of a VPLS packet.

Match Condition: destination-port number
Description: (MX Series routers and EX Series switches only) Match the UDP or TCP destination port field. You cannot specify both the port and destination-port match conditions in the same term. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), ldp (646), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs (49), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), or xdmcp (177).

Match Condition: destination-port-except number
Description: (MX Series routers and EX Series switches only) Do not match on the TCP or UDP destination port field. You cannot specify both the port and destination-port match conditions in the same term.

Match Condition: destination-prefix-list name
Description: (ACX Series routers, MX Series routers, and EX Series switches only) Match destination prefixes in the specified list. Specify the name of a prefix list defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.
NOTE: VPLS prefix lists support only IPv4 addresses. IPv6 addresses included in a VPLS prefix list will be discarded.
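The following configuration is an added example, not taken from the Juniper documentation, that ties together the negation semantics described above (an -except condition is an explicit mismatch, and a packet that matches no term is discarded) with the destination-prefix-list, destination-port, destination-port-except, and destination-mac-address conditions from Table 81. The filter name, term names, prefix list name and addresses, counter name, and MAC address are all constructed for illustration; the port text synonyms are the ones listed in the table.

```junos
/* Added example: a VPLS filter applied at an MX/EX edge. Names and addresses
   are constructed placeholders, not values from the documentation. */
policy-options {
    prefix-list MGMT-NETS {
        /* IPv4 only: IPv6 entries in a VPLS prefix list are discarded */
        192.0.2.0/24;
        198.51.100.0/24;
    }
}
firewall {
    family vpls {
        filter VPLS-EDGE-FILTER {
            /* Term 1: management-plane ports toward management prefixes.
               A list of values matches if any one value matches. */
            term block-mgmt-plane {
                from {
                    destination-prefix-list {
                        MGMT-NETS;
                    }
                    /* destination-port and port may not both appear in one term */
                    destination-port [ ssh telnet snmp ];
                }
                then {
                    count mgmt-plane-hits;
                    discard;
                }
            }
            /* Term 2: negated condition. A packet to http or https is an
               explicit mismatch here and falls through to the next term. */
            term not-web {
                from {
                    destination-port-except [ http https ];
                }
                then accept;
            }
            /* Term 3: only web traffic reaches this term; accept it when it
               is addressed to the server's MAC. Anything else reaches the end
               of the filter with no match and is discarded. */
            term web-to-server {
                from {
                    destination-mac-address 00:00:5e:00:53:01;
                }
                then accept;
            }
        }
    }
}
```

Reading the filter top to bottom: an SSH, Telnet or SNMP packet destined for a MGMT-NETS address is counted and dropped by the first term; any packet whose destination port is not 80 or 443 is accepted by the second term; a packet to port 80 or 443 is an explicit mismatch for not-web, so it is evaluated by web-to-server and accepted only if the destination MAC is the server's. Web traffic to any other MAC matches no term and is silently discarded, which is why a final "then accept" term is needed when that is not the intended behavior. The port conditions are accepted only on MX Series routers and EX Series switches, and destination-prefix-list additionally on ACX Series routers, so this configuration will not commit unchanged on other platforms.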
Copyright © 2017, Juniper Networks, Inc. 1071
Chapter 32: Configuring Firewall Filters