Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
Table 25: IPv4 Firewall Filter Match Conditions (continued)
Match Condition
Description
interface-set
interface-set-name
(MX Series routers and routers with Enhanced IQ2 [IQ2E] PICs only) Interface set on which the packet
was received. An interface set is a set of logical interfaces used to configure hierarchical class-of-service
schedulers. For information about configuring an interface set, see the Junos Class of Service
Configuration Guide and the Junos Network Interfaces Configuration Guide.
ip-options values
IP optional header fields. In place of the numeric value, you must specify one of the following text
synonyms: any, loose-source-route, route-record, router-alert, security, stream-id, strict-source-route, or
timestamp.
Do not use a numerical value for any of the IP optional header fields. Use only the text values.
NOTE: For most interfaces, packets that match any of values for the ip-options match condition—except
for the any option—are sent to the Routing Engine for processing. Use the ip-options option any to
ensure that packets are sent to the Packet Forwarding Engine for processing.
Interfaces configured on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet
MPC, 60-Gigabit Queuing Ethernet MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX
Series routers do send all packets that match any of the supported ip-options match conditions to the
Packet Forwarding Engine.
is-fragment
This condition matches if the packet is a trailing fragment; it does not match the first fragment of a
fragmented packet. To match both first and trailing fragments, you can use two terms.
loss-priority level
Packet loss priority (PLP) level. Specify a single level or multiple levels: low, medium-low, medium-high,
or high.
Supported on MX Series routers; M120 and M320 routers; and M7i and M10i routers with the Enhanced
CFEB (CFEB-E).
On M320 routers, you must enable the tricolor statement at the [edit class-of-service] hierarchy level
to commit a PLP configuration with any of the four levels specified. If the tricolor statement is not
referenced, you can only configure the high and low levels. This applies to all protocol families.
For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets,
see the Junos Class of Service Configuration Guide.
loss-priority-except
level
Do not match on the packet loss priority level. Specify a single level or multiple levels: low, medium-low,
medium-high, or high.
For information about using behavior aggregate (BA) classifiers to set the PLP level of incoming packets,
see the Junos Class of Service Configuration Guide.
packet-length bytes
Length of the received packet, in bytes. The length refers only to the IP packet, including the packet
header, and does not include any Layer 2 encapsulation overhead.
port number
TCP or UDP source or destination port field. You cannot specify both the port match and either the
destination-port or source-port match conditions in the same term.
Normally, you specify this match in conjunction with the protocol match statement to determine which
protocol is being used on the port. For more information, see “Overview of Protocol Match Conditions”
on page 217.
In place of the numeric value, you can specify one of the text synonyms listed under destination-port.
200
Copyright © 2010, Juniper Networks, Inc.