[QFX] How does ‘packet-length’ matching condition in a firewall filter work in QFX5100

Article ID: KB30901 | Last Updated: 04 Mar 2017 | Version: 2.0
Summary:
This article explains how the ‘packet-length’ matching condition works on a QFX5100 switch and which limitations apply to it. The example scenarios below are specific to the QFX5100.
Symptoms:
Not all platforms support the ‘packet-length’ matching condition. The QFX5100 does support it, with some limitations.
Solution:
The ‘packet-length’ matching condition in a firewall filter is useful under DDoS (Distributed Denial of Service) attack conditions: a volumetric DDoS attack typically uses a specific, large packet size, so traffic of that size can be matched and blocked with this condition.

Below are four example scenarios. The outputs were captured while generating 1100-byte frame traffic towards the switch.

  1. L3 filter as input filter on xe-0/0/47 -> this works fine

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# show interfaces

    (snip)
    set interfaces xe-0/0/47 unit 0 family inet filter input PL
    set interfaces xe-0/0/47 unit 0 family inet address 14.0.95.1/24
    (snip)

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# show firewall | display set
    set firewall filter PL term 1 from packet-length 1000-1518
    set firewall filter PL term 1 then count PL_DROP
    set firewall filter PL term 1 then discard
    set firewall filter PL term 2 then accept

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# run show firewall

    Filter: PL
    Counters:
    Name                                                Bytes              Packets
    PL_DROP                                       11355688300             10323355

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# run show firewall

    Filter: PL
    Counters:
    Name                                                Bytes              Packets
    PL_DROP                                       11739420000             10672202

    The PL_DROP counter keeps increasing between the two reads, so the 1100-byte frames are matched by term 1 and discarded.


  2. L3 filter as output filter on xe-0/0/47 -> this is not supported

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# show interfaces

    (snip)
    set interfaces xe-0/0/47 unit 0 family inet filter output PL
    set interfaces xe-0/0/47 unit 0 family inet address 14.0.95.1/24
    (snip)

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# commit
    [edit protocols]
    'bgp'
    warning: requires 'bgp' license
    [edit interfaces xe-0/0/47 unit 0 family inet]
    'filter'
    Referenced filter 'PL' can not be used as packet-length not supported on egress
    error: configuration check-out failed

    The commit check rejects the configuration: a filter that uses packet-length cannot be applied in the output (egress) direction.


  3. L3 filter as input filter on irb interface -> this works fine

    set interfaces xe-0/0/47 unit 0 family ethernet-switching vlan members V100
    set interfaces irb unit 100 family inet filter input PL
    set interfaces irb unit 100 family inet address 14.0.95.1/24
    set vlans V100 vlan-id 100
    set vlans V100 l3-interface irb.100

    set firewall filter PL term 1 from packet-length 1000-1518
    set firewall filter PL term 1 then count PL_DROP
    set firewall filter PL term 1 then discard
    set firewall filter PL term 2 then accept

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# run show firewall

    Filter: PL
    Counters:
    Name                                                Bytes              Packets
    PL_DROP                                         995534100               905033

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# run show firewall

    Filter: PL
    Counters:
    Name                                                Bytes              Packets
    PL_DROP                                        1201281400              1092076

  4. L2 filter does not support the "packet-length" matching condition -> this is not supported

    The option is not offered at all under "family ethernet-switching":

    {master:0}[edit]
    labroot@jtac-QFX5100-48S-6Q-r2031# set firewall family ethernet-switching filter PL term 1 from ?
    Possible completions:
    + apply-groups                Groups from which to inherit configuration data
    + apply-groups-except         Don't inherit configuration data from these groups
    + arp-type                    Match ARP type
    > destination-mac-address     Match MAC destination address
    + destination-port            Match TCP/UDP destination port
    > destination-prefix-list     Match IP destination prefixes in named list
    + dscp                        Match Differentiated Services (DiffServ) code point
    + ether-type                  Match Ethernet Type
      fragment-flags              Match fragment flags (in symbolic or hex formats) - (Ingress only)
    + icmp-code                   Match ICMP message code
    + icmp-type                   Match ICMP message type
    > interface                   Match interface name
    > ip-destination-address      Match IP destination address
    + ip-precedence               Match IP precedence value
    + ip-protocol                 Match IP protocol type
    > ip-source-address           Match IP source address
    > ip-version                  Define IP version
      is-fragment                 Match if packet is a fragment
    + l2-encap-type               Match Ethernet Encapsulation Type
    + learn-vlan-id               Match Learnt VLAN ID
    > source-mac-address          Match MAC source address
    + source-port                 Match TCP/UDP source port
    > source-prefix-list          Match IP source prefixes in named list
      tcp-established             Match packet of an established TCP connection
      tcp-flags                   Match TCP flags (in symbolic or hex formats)
      tcp-initial                 Match initial packet of a TCP connection
    + user-vlan-1p-priority       Match User 802.1p VLAN priority
    + user-vlan-id                Match User VLAN ID
    {master:0}[edit]
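To make the four scenarios concrete, the Python below is an added model of filter PL (example code written for this article, not Junos or Juniper code). It parses the "display set" lines shown above, encodes the two limitations the scenarios demonstrate (a packet-length filter cannot be bound in the output direction, and packet-length does not exist under family ethernet-switching) as a pre-commit style check, and then pushes a constructed set of packet lengths, including the boundary values 1000 and 1518, through the terms in first-match order. The check_binding rules, the match-everything behaviour of a term without a from clause, the accept default of a matched term without an action, and the implicit final discard are the model's assumptions, not output from the switch.

```python
"""Model of the QFX5100 'packet-length' filter behaviour shown in this
article (added example, not Junos code): parses 'set firewall filter' lines,
applies the two platform limitations the article demonstrates, and evaluates
packet lengths against the terms in first-match order."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed copy of the article's filter PL in "display set" form.
FILTER_CONFIG = """
set firewall filter PL term 1 from packet-length 1000-1518
set firewall filter PL term 1 then count PL_DROP
set firewall filter PL term 1 then discard
set firewall filter PL term 2 then accept
"""

SET_RE = re.compile(r"^set firewall filter (\S+) term (\S+) (from|then) (\S+)(?: (\S+))?$")


@dataclass
class Term:
    name: str
    length_ranges: List[Tuple[int, int]] = field(default_factory=list)
    counter: Optional[str] = None
    action: Optional[str] = None  # "accept" or "discard"; None = not configured


@dataclass
class Filter:
    name: str
    terms: List[Term] = field(default_factory=list)  # kept in configuration order

    def term(self, name: str) -> Term:
        for t in self.terms:
            if t.name == name:
                return t
        t = Term(name)
        self.terms.append(t)
        return t

    def uses_packet_length(self) -> bool:
        return any(t.length_ranges for t in self.terms)


def parse_filters(config: str) -> Dict[str, Filter]:
    """Build Filter objects from the subset of Junos set syntax used here."""
    filters: Dict[str, Filter] = {}
    for raw in config.strip().splitlines():
        m = SET_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unrecognised line: {raw!r}")
        fname, tname, clause, key, value = m.groups()
        term = filters.setdefault(fname, Filter(fname)).term(tname)
        if clause == "from" and key == "packet-length":
            lo, _, hi = value.partition("-")  # "1000-1518" or a single "1100"
            term.length_ranges.append((int(lo), int(hi or lo)))
        elif clause == "then" and key == "count":
            term.counter = value
        elif clause == "then" and key in ("accept", "discard"):
            term.action = key
        else:
            raise ValueError(f"clause not modelled here: {raw!r}")
    return filters


def check_binding(filt: Filter, family: str, direction: str) -> Optional[str]:
    """Reason the QFX5100 rejects binding filt as family/direction, or None if allowed.
    Assumption: only the two limitations from scenarios 2 and 4 are encoded."""
    if not filt.uses_packet_length():
        return None
    if family == "ethernet-switching":
        return "packet-length is not offered under family ethernet-switching (L2 filter)"
    if direction == "output":
        return f"Referenced filter '{filt.name}' can not be used as packet-length not supported on egress"
    return None


def evaluate(filt: Filter, length: int, counters: Dict[str, int]) -> str:
    """First matching term decides; a term with no 'from' clause matches everything."""
    for term in filt.terms:
        if term.length_ranges and not any(lo <= length <= hi for lo, hi in term.length_ranges):
            continue
        if term.counter:
            counters[term.counter] = counters.get(term.counter, 0) + 1
        return term.action or "accept"  # assumption: matched term without action accepts
    return "discard"  # assumption: implicit discard when no term matches


def run_traffic(filt: Filter, lengths: List[int]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Push a list of packet lengths through the filter; return (actions, counters)."""
    actions = {"accept": 0, "discard": 0}
    counters: Dict[str, int] = {}
    for length in lengths:
        actions[evaluate(filt, length, counters)] += 1
    return actions, counters


if __name__ == "__main__":
    pl = parse_filters(FILTER_CONFIG)["PL"]
    for family, direction in [("inet", "input"), ("inet", "output"), ("ethernet-switching", "input")]:
        reason = check_binding(pl, family, direction)
        print(f"{family:18} {direction:6} -> {reason or 'allowed'}")
    # Constructed traffic: the article's 1100-byte frames plus range boundaries.
    print(run_traffic(pl, [1100] * 5 + [64] * 3 + [999, 1000, 1518, 1519]))
```

Running the script reports the inet/input and irb-style bindings as allowed and the other two as rejected, and shows every 1100-byte packet landing on term 1 and incrementing PL_DROP while the 64-, 999- and 1519-byte packets fall through to term 2. The article's own counters tell the same story: 11355688300 bytes over 10323355 packets works out to roughly 1100 bytes per packet, consistent with the generated traffic.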