Table 81: Firewall Filter Match Conditions for VPLS Traffic (continued)

Match Condition
    Description

source-prefix-list name
    (ACX Series routers, MX Series routers, and EX Series switches only) Match the source prefixes in the specified prefix list. Specify a prefix list name defined at the [edit policy-options prefix-list prefix-list-name] hierarchy level.

    NOTE: VPLS prefix lists support only IPv4 addresses. IPv6 addresses included in a VPLS prefix list will be discarded.

source-prefix-list name except
    (MX Series routers and EX Series switches only) Do not match the source prefixes in the specified prefix list. For more information, see the source-prefix-list match condition.

tcp-flags flags
    Match one or more of the low-order 6 bits in the 8-bit TCP flags field in the TCP header.

    To specify individual bit fields, you can specify the following text synonyms or hexadecimal values:

    • fin (0x01)
    • syn (0x02)
    • rst (0x04)
    • push (0x08)
    • ack (0x10)
    • urgent (0x20)

    In a TCP session, the SYN flag is set only in the initial packet sent, while the ACK flag is set in all packets sent after the initial packet.

    You can string together multiple flags using the bit-field logical operators.

    If you configure this match condition for IPv6 traffic, we recommend that you also configure the next-header tcp match condition in the same term to specify that the TCP protocol is being used on the port.

traffic-type type-name
    (MX Series routers and EX Series switches only) Traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

traffic-type-except type-name
    (MX Series routers and EX Series switches only) Do not match on the traffic type. Specify broadcast, multicast, unknown-unicast, or known-unicast.

user-vlan-1p-priority number
    (MX Series routers, M320 router, and EX Series switches only) Match on the IEEE 802.1p user priority bits in the customer VLAN tag (the inner tag in a dual-tag frame with 802.1Q VLAN tags). Specify a single value or multiple values from 0 through 7.

    Compare with the learn-vlan-1p-priority match condition.

    NOTE: This match condition supports the presence of a control word for MX Series routers and the M320 router.

user-vlan-1p-priority-except number
    (MX Series routers, M320 router, and EX Series switches only) Do not match on the IEEE 802.1p user priority bits. For details, see the user-vlan-1p-priority match condition.

    NOTE: This match condition supports the presence of a control word for MX Series routers and the M320 router.

user-vlan-id number
    (MX Series routers and EX Series switches only) Match the first VLAN identifier that is part of the payload.
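
The tcp-flags bit matching described in the table, as an added example that is not part of the original guide or Juniper code: a small evaluator for checking which flag bytes an expression selects before it goes into a filter term. It assumes the Junos bit-field logical operators ! (negation), & or + (AND), | or , (OR) and parentheses, in that order of precedence, which this page mentions but does not list; the function name is hypothetical, and hexadecimal values are accepted only when they name one of the six single bits listed above.

```python
import re

# Bit values exactly as listed in the tcp-flags row of the table above.
FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "push": 0x08, "ack": 0x10, "urgent": 0x20}
LOW6 = 0x3F  # the condition examines only the low-order 6 bits

def tcp_flags_match(expr, flags_byte):
    """True if the TCP flags byte satisfies the tcp-flags expression."""
    # Assumption: operator set (! & + | , parentheses) per Junos bit-field syntax.
    tokens = re.findall(r"0x[0-9a-f]+|[a-z]+|[()!&+|,]|\S", expr.lower())
    flags = flags_byte & LOW6

    def atom():                      # flag, !flag, or (group)
        tok = tokens.pop(0) if tokens else None
        if tok == "!":
            return not atom()
        if tok == "(":
            value = either()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        bit = int(tok, 16) if tok and tok.startswith("0x") else FLAG_BITS.get(tok)
        if bit not in FLAG_BITS.values():
            raise ValueError(f"not a single TCP flag: {tok!r}")
        return bool(flags & bit)

    def both():                      # '&' or '+': logical AND
        value = atom()
        while tokens and tokens[0] in ("&", "+"):
            tokens.pop(0)
            value = atom() and value
        return value

    def either():                    # '|' or ',': logical OR
        value = both()
        while tokens and tokens[0] in ("|", ","):
            tokens.pop(0)
            value = both() or value
        return value

    result = either()
    if tokens:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return result

if __name__ == "__main__":
    # Constructed flag bytes: SYN, SYN+ACK, SYN with the two high-order bits set.
    for byte in (0x02, 0x12, 0xC2):
        print(hex(byte), tcp_flags_match("syn & !ack", byte))
```

The expression "syn & !ack" selects only the initial packet of a session, which is the distinction the SYN/ACK sentence in the table draws.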
Copyright © 2017, Juniper Networks, Inc.
Chapter 32: Configuring Firewall Filters