juniper EX系列交换机 包过滤（Packet Filtering）配置

Juniper EX交换机支持基于物理端口、VLAN和三层VLAN接口的包过滤技术：

在二层过滤下支持：

■ Ingress port firewall filter

■ Ingress VLAN firewall filter

■ Egress VLAN firewall filter

在三层过滤下支持：

■ Ingress port firewall filter

■ Ingress VLAN firewall filter (Layer 2 CoS)

■ Ingress router firewall filter (Layer 3 CoS)

■ Egress router firewall filter

■ Egress VLAN firewall filter

配置命令：

firewall {

family family-name {

filter filter-name {

term term-name {

from {

match-conditions;

}

then {

action;

action-modifiers;

}

}

}

}

policer policer-name {

if-exceeding {

bandwidth-limit bps;

burst-size-limit bytes;

}

then {

policer-action;

}

}

}

在接口下配置：

[edit interfaces]

user@switch# set ge-0/0/1 unit 0 family ethernet-switching filter input ingress-port-filter

在VLAN接口下配置：

[edit vlans]

user@switch# set employee-vlan vlan 20 filter output egress-vlan-filter

在RVI接口下配置：

[edit interfaces]

user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24

filter input ingress-router-filter

[edit interfaces]

user@switch# set ge-0/1/0 unit 0 family inet source-address 10.10.10.1/24

filter output egress-router-filter

配置接口限速：

(1)

firewall {

policer AAAAAAAAAAAAAAAAAAA {

if-exceeding {

bandwidth-limit 1m;

burst-size-limit 30k;

}

then {

discard;

}

}

family ethernet-switching {

filter ccccccccccccccccccc {

term xxxxx-connection {

then {

policer  AAAAAAAAAAAAAAAAAA

}

}

(2)

interfaces {

ge-0/0/0 {

unit 0 {

family ethernet-switching {

filter {

input ccccccccccccccccccc;

}

}

}

}

查看命令：

user@Shiraz> show firewall

user@Shiraz> show firewall log

user@Shiraz> show firewall log detail

user@Shiraz> show firewall log messages

user@Shiraz> show interfaces filters

user@Shiraz> show interfaces policers