juniperevo.md

File metadata and controls

105 lines (97 loc) · 6.57 KB

Juniper EVO

The Juniper EVO header designation has the following format:

target:: juniperevo [filter name] {inet|inet6|bridge} {dsmo} {not-interface-specific} {direction} {interface}
  • filter name: defines the name of the Juniper EVO filter.
  • inet: specifies that the output should be for IPv4-only filters. This is the default format.
  • inet6: specifies that the output should be for IPv6-only filters.
  • bridge: specifies that the output should render a Juniper EVO bridge filter.
  • dsmo: enable discontinuous subnet mask summarization.
  • direction: the direction of the filter on an interface. Must be specified.
  • interface: the type of interface on which the filter will be applied. The default is a physical (non-loopback) interface.

When inet or inet6 is specified, naming tokens that contain both IPv4 and IPv6 addresses will be rendered using only the addresses of the specified family.

The default format is inet, and is implied if no other argument is given.

Term Format

  • action:: The action to take when matched. See the Actions section for valid options.
  • address:: One or more network address tokens; matches source or destination.
  • restrict-address-family:: Only include the term in the filter of the matching address family (e.g. for mixed filters).
  • comment:: A text comment enclosed in double quotes. The comment can extend over multiple lines if desired, until a closing quote is encountered.
  • counter:: Update a counter for matching packets.
  • destination-address:: One or more destination address tokens.
  • destination-exclude:: Exclude one or more address tokens from the specified destination-address.
  • destination-port:: One or more service definition tokens.
  • destination-prefix:: Specify destination-prefix matching (e.g. destination-prefix:: configured-neighbors-only).
  • destination-prefix-except:: Specify a destination-prefix exception (TODO:cmas Fill in more).
  • dscp-except:: Do not match the DSCP number.
  • dscp-match:: Match a DSCP number.
  • dscp-set:: Match a DSCP set.
  • ether-type:: Match the EtherType field.
  • expiration:: Stop rendering this term after the specified date (YYYY-MM-DD).
  • filter-term:: Include another filter.
  • flexible-match-range:: Filter based on flexible match options.
  • forwarding-class:: Specify the forwarding class to match.
  • forwarding-class-except:: Do not match the specified forwarding classes.
  • fragment-offset:: Specify a fragment offset of a fragmented packet.
  • hop-limit:: Match the hop limit against the specified hop limit or set of hop limits.
  • icmp-code:: Specify the ICMP code to filter on.
  • icmp-type:: Specify the icmp-type code to match; see the ICMP TYPES section for the list of valid arguments.
  • logging:: Specify that this packet should be logged via syslog.
  • loss-priority:: Specify loss priority.
  • name:: Name of the term.
  • next-ip:: Used in filter-based forwarding.
  • option:: See the platform's supported Options section.
  • owner:: Owner of the term, used for organizational purposes.
  • packet-length:: Specify packet length.
  • platform:: One or more target platforms for which this term should ONLY be rendered.
  • platform-exclude:: One or more target platforms for which this term should NEVER be rendered.
  • policer:: Specify which policer to apply to matching packets.
  • port:: Matches on source or destination ports. Takes a service token.
  • port-mirror:: Sends copies of the packets to a remote port; a boolean value is used to render this config.
  • precedence:: Specify precedence in the range 0-7. May be a single integer, or a space-separated list.
  • protocol:: The network protocols this term will match, such as tcp, udp, icmp, or a numeric value.
  • protocol-except:: Allow all protocols "except" those specified.
  • qos:: Apply quality of service classification to matching packets (e.g. qos:: af4).
  • routing-instance:: Specify the routing instance for matching packets.
  • source-address:: One or more source address tokens.
  • source-exclude:: Exclude one or more address tokens from the specified source-address.
  • source-port:: One or more service definition tokens.
  • source-prefix:: Specify source-prefix matching (e.g. source-prefix:: configured-neighbors-only).
  • source-prefix-except:: Specify a source-prefix exception (TODO:cmas Fill in more).
  • traffic-class-count::
  • traffic-type:: Specify traffic-type.
  • ttl:: Matches on TTL.
  • verbatim:: Specifies that the text enclosed within quotes should be rendered into the output without interpretation or modification. This is sometimes used as a temporary workaround while new required features are being added.

Sub Tokens

Actions

  • accept
  • deny
  • next
  • reject
  • reject-with-tcp-rst

Option

  • established:: Only match established connections; implements tcp-established for tcp and sets the destination port to 1024-65535 for udp if no destination port is defined.
  • first-fragment:: Only match the first fragment of a fragmented packet.
  • sample:: Samples traffic for netflow.
  • tcp-established:: Only match established tcp connections, based on a stateful match or TCP flags. Not supported for other protocols.
  • tcp-initial:: Only match the initial packet of a TCP connection.

IPv6 Protocol Match

For Juniper EVO, the direction of the filter on an interface and the interface type determine which match syntax is used: either next-header or payload-protocol. The syntax is summarized below for the three extension headers (hop-by-hop, fragment, routing) and for the payload header.

| Direction | Interface | hop-by-hop | fragment | routing | tcp, udp, ah, esp, icmpv6 |
|---|---|---|---|---|---|
| Ingress | Physical | next-header hop-by-hop | next-header fragment | next-header routing | payload-protocol tcp\|udp\|ah\|esp\|icmpv6 |
| Ingress | Loopback | payload-protocol 0 | payload-protocol 44 | payload-protocol 43 | payload-protocol tcp\|udp\|ah\|esp\|icmpv6 |
| Egress | Physical | payload-protocol 0 | payload-protocol 44 | payload-protocol 43 | payload-protocol tcp\|udp\|ah\|esp\|icmpv6 |
| Egress | Loopback | payload-protocol 0 | payload-protocol 44 | payload-protocol 43 | payload-protocol tcp\|udp\|ah\|esp\|icmpv6 |

Only an ingress filter on a physical interface uses the symbolic next-header form for extension headers; every other combination uses the numeric payload-protocol form.
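The following is an added example, not capirca's own code, that renders the from-clause of one IPv6 term while applying the direction/interface rule above. The term dictionary shape, the function names and the Junos-style output layout are assumptions for illustration.

```python
"""Added example (not capirca's own code): choose next-header vs
payload-protocol for an IPv6 Juniper EVO term per direction/interface."""

# Extension headers and the protocol numbers the table pairs them with
# (hop-by-hop = 0, fragment = 44, routing = 43); upper-layer protocols
# are always rendered by name with payload-protocol.
EXTENSION_HEADERS = {"hop-by-hop": 0, "fragment": 44, "routing": 43}
PAYLOAD_PROTOCOLS = ("tcp", "udp", "ah", "esp", "icmpv6")


def protocol_match(protocol, direction, interface):
    """Return the match statement for one protocol keyword."""
    if protocol in PAYLOAD_PROTOCOLS:
        return "payload-protocol %s;" % protocol
    if protocol not in EXTENSION_HEADERS:
        raise ValueError("unsupported IPv6 protocol keyword: %s" % protocol)
    # Only an ingress filter on a physical interface takes the symbolic form;
    # loopback and egress filters use the numeric payload-protocol form.
    if direction == "ingress" and interface == "physical":
        return "next-header %s;" % protocol
    return "payload-protocol %d;" % EXTENSION_HEADERS[protocol]


def render_term(term, direction, interface="physical"):
    """Render a Junos-style term block from an assumed term dict with
    name, protocol list, optional destination-port list and action."""
    if direction not in ("ingress", "egress"):
        raise ValueError("direction must be ingress or egress")
    if interface not in ("physical", "loopback"):
        raise ValueError("interface must be physical or loopback")
    lines = ["term %s {" % term["name"], "    from {"]
    for proto in term["protocol"]:
        lines.append("        " + protocol_match(proto, direction, interface))
    for port in term.get("destination-port", []):
        lines.append("        destination-port %s;" % port)
    lines += ["    }", "    then {", "        %s;" % term["action"], "    }", "}"]
    return "\n".join(lines)


# Constructed sample term: match IPv6 fragments and TCP to port 22, then accept.
SAMPLE_TERM = {"name": "allow-frag-ssh", "protocol": ["fragment", "tcp"],
               "destination-port": [22], "action": "accept"}

if __name__ == "__main__":
    for direction, interface in (("ingress", "physical"), ("egress", "loopback")):
        print("# %s filter on %s interface" % (direction, interface))
        print(render_term(SAMPLE_TERM, direction, interface))
```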