juniper EX系列交换机 包过滤（Packet Filtering）配置

Juniper EX交换机支持基于物理端口、VLAN和三层VLAN接口的包过滤技术：

在二层过滤下支持：

■?Ingress port firewall filter

■?Ingress VLAN firewall filter

■?Egress VLAN firewall filter

在三层过滤下支持：

■?Ingress port firewall filter

■?Ingress VLAN firewall filter (Layer 2 CoS)

■?Ingress router firewall filter (Layer 3 CoS)

■?Egress router firewall filter

■?Egress VLAN firewall filter

配置命令：

firewall?{

family?family-name {

filter?filter-name {

term?term-name {

from?{

match-conditions;

}

then?{

action;

action-modifiers;

}

}

}

}

policer?policer-name {

if-exceeding?{

bandwidth-limit?bps;

burst-size-limit?bytes;

}

then?{

policer-action;

}

}

}

在接口下配置：

[edit interfaces]

user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input?ingress-port-filter

在VLAN接口下配置：

[edit vlans]

user@switch# set employee-vlan vlan 20 filter output egress-vlan-filter

在RVI接口下配置：

[edit interfaces]

user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24

filter input ingress-router-filter

[edit interfaces]

user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24

filter output egress-router-filter

配置接口限速：

(1)

firewall {

policer AAAAAAAAAAAAAAAAAAA {

if-exceeding {

bandwidth-limit 1m;

burst-size-limit 30k;

}

then {

discard;

}

}

family ethernet-switching {

filter ccccccccccccccccccc {

term xxxxx-connection {

then {

policer? AAAAAAAAAAAAAAAAAA

}

}

(2)

interfaces {

ge-0/0/0 {

unit 0 {

family ethernet-switching {

filter {

input ccccccccccccccccccc;

}

}

}

}

查看命令：

user@Shiraz> show firewall

user@Shiraz> show firewall?log

user@Shiraz> show firewall?log detail

user@Shiraz> show firewall?log messages

user@Shiraz> show interfaces filters

user@Shiraz> show interfaces policers