Routing


Ask questions and share experiences about ACX Series, CTP Series, MX Series, PTX Series, SSR Series, JRR Series, and all things routing, including portfolios and protocols.
  • 1.  firewall family inet filter testfilter

    Posted 09-27-2012 20:12
    firewall { family inet { filter PROTECT_RE {

    I want to know whether this inet filter can match layer 2 packets, such as STP or a layer 2 storm, if I set up a policer in this filter.


  • 2.  RE: firewall family inet filter testfilter

    Posted 09-28-2012 02:41
    Robbie,

    To match L2 parameters (like MAC addresses etc), you need to configure a filter under family type 'ethernet-switching'.

    Check out the options that Junos allows for a family inet filter:

    regress@beta-mclag1# set firewall family inet filter test term one from ?
    Possible completions:
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > destination-address Match IP destination address
    + destination-port Match TCP/UDP destination port
    destination-port-range-optimize Optimize the destination port range
    > destination-prefix-list Match IP destination prefixes in named list
    + dscp Match Differentiated Services (DiffServ) code point
    fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
    + fragment-offset Match fragment offset
    + icmp-code Match ICMP message code
    + icmp-type Match ICMP message type
    > interface Match interface name
    + ip-options Match IP options
    is-fragment Match if packet is a fragment
    + packet-length Match packet length
    + packet-length-except Do not match packet length
    + precedence Match IP precedence value
    + protocol Match IP protocol type
    > source-address Match IP source address
    + source-port Match TCP/UDP source port
    source-port-range-optimize Optimize the source port range
    > source-prefix-list Match IP source prefixes in named list
    tcp-established Match packet of an established TCP connection
    tcp-flags Match TCP flags (in symbolic or hex formats)
    tcp-initial Match initial packet of a TCP connection
    + ttl Match IP ttl type
    [edit]


    =======
    Now the options for a family ethernet-switching filter:

    regress@beta-mclag1# set firewall family ethernet-switching filter test term one from ?
    Possible completions:
    + apply-groups Groups from which to inherit configuration data
    + apply-groups-except Don't inherit configuration data from these groups
    > destination-address Match IP destination address
    > destination-mac-address Match MAC destination address
    + destination-port Match TCP/UDP destination port
    > destination-prefix-list Match IP destination prefixes in named list
    + dot1q-tag Match Dot1Q Tag Value
    + dot1q-user-priority Match Dot1Q user priority
    + dscp Match Differentiated Services (DiffServ) code point
    + ether-type Match Ethernet Type
    fragment-flags Match fragment flags (in symbolic or hex formats) - (Ingress only)
    + icmp-code Match ICMP message code
    + icmp-type Match ICMP message type
    > interface Match interface name
    is-fragment Match if packet is a fragment
    + l2-encap-type Match Ethernet Encapsulation Type
    + precedence Match IP precedence value
    + protocol Match IP protocol type
    > source-address Match IP source address
    > source-mac-address Match MAC source address
    + source-port Match TCP/UDP source port
    > source-prefix-list Match IP source prefixes in named list
    tcp-established Match packet of an established TCP connection
    tcp-flags Match TCP flags (in symbolic or hex formats)
    tcp-initial Match initial packet of a TCP connection
    + vlan Match Vlan Id or Name
    [edit]

    Filters under family ethernet-switching allow matching on MAC addresses, ether-type, etc., while family inet filters do not.

    HTH,
    ankit


  • 3.  RE: firewall family inet filter testfilter

    Posted 09-28-2012 02:45
    Since a filter under family inet can't match layer 2 info, packets such as STP and ARP will not be handled by the default term if there is a default term, right?


  • 4.  RE: firewall family inet filter testfilter
    Best Answer

    Posted 09-28-2012 02:53
    Correct, these will not be affected.
    ARP replies will be processed just fine. Also, you ideally shouldn't receive any STP BPDUs on a layer-3 interface 🙂
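As an added illustration (not from the thread) of the distinction ankit describes: the family inet filter below only ever evaluates IP packets, so its catch-all term cannot discard or rate-limit ARP or STP, whereas the family ethernet-switching filter applied to a layer-2 port can match those frames by ether-type and destination MAC and hand them to a policer. The filter, term and policer names, the rate limits and the ge-0/0/1 interface are assumed; whether BPDUs reach a user-configured filter before the control plane consumes them on a given platform is not something the thread establishes.

```junos
# Family inet: only IP packets are evaluated, so the catch-all
# "default" term never sees ARP requests or STP BPDUs.
set firewall family inet filter PROTECT_RE term allow-ssh from protocol tcp
set firewall family inet filter PROTECT_RE term allow-ssh from destination-port ssh
set firewall family inet filter PROTECT_RE term allow-ssh then accept
set firewall family inet filter PROTECT_RE term default then discard
set interfaces lo0 unit 0 family inet filter input PROTECT_RE

# Policer shared by the layer-2 terms (name and limits are assumed values).
set firewall policer L2-STORM-POLICER if-exceeding bandwidth-limit 1m
set firewall policer L2-STORM-POLICER if-exceeding burst-size-limit 10k
set firewall policer L2-STORM-POLICER then discard

# Family ethernet-switching: ether-type and destination-mac-address are
# valid match conditions, so ARP and BPDU frames can be policed here.
# 01:80:c2:00:00:00 is the standard IEEE 802.1D bridge group address.
set firewall family ethernet-switching filter L2-STORM term arp from ether-type arp
set firewall family ethernet-switching filter L2-STORM term arp then policer L2-STORM-POLICER
set firewall family ethernet-switching filter L2-STORM term arp then accept
set firewall family ethernet-switching filter L2-STORM term bpdu from destination-mac-address 01:80:c2:00:00:00
set firewall family ethernet-switching filter L2-STORM term bpdu then policer L2-STORM-POLICER
set firewall family ethernet-switching filter L2-STORM term bpdu then accept
set firewall family ethernet-switching filter L2-STORM term rest then accept
set interfaces ge-0/0/1 unit 0 family ethernet-switching filter input L2-STORM
```

Verify with `show firewall filter L2-STORM` after applying: the policer counters should increment for ARP or BPDU floods on ge-0/0/1, while the PROTECT_RE counters stay untouched by that traffic.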