Protocol Families Description
Nonterminating Action
family inet Configure the value of the Don’t Fragment bit (flag) in the IPv4 header to specify
whether the datagram can be fragmented:
• set—Change the flag value to one, preventing fragmentation.
• clear—Change the flag value to zero, allowing fragmentation.
NOTE: The dont-fragment (set | clear) actions are supported only on MPCs.
dont-fragment (set | clear)
Table 23: Nonterminating Actions for Firewall Filters (continued)
family inet Set the IPv4 Differentiated Services code point (DSCP) bit. You can specify a
numerical value from 0 through 63. To specify the value in hexadecimal form, include 0x as a prefix. To specify the value in binary form, include b as a prefix.
The default DSCP value is best effort, that is, be or 0. You can also specify one of the following text synonyms:
• af11—Assured forwarding class 1, low drop precedence
• af12—Assured forwarding class 1, medium drop precedence
• af13—Assured forwarding class 1, high drop precedence
• af21—Assured forwarding class 2, low drop precedence
• af22—Assured forwarding class 2, medium drop precedence
• af23—Assured forwarding class 2, high drop precedence
• af31—Assured forwarding class 3, low drop precedence
• af32—Assured forwarding class 3, medium drop precedence
• af33—Assured forwarding class 3, high drop precedence
• af41—Assured forwarding class 4, low drop precedence
• af42—Assured forwarding class 4, medium drop precedence
• af43—Assured forwarding class 4, high drop precedence
• be—Best effort
• cs0—Class selector 0
• cs1—Class selector 1
• cs2—Class selector 2
• cs3—Class selector 3
• cs4—Class selector 4
• cs5—Class selector 5
• cs6—Class selector 6
• cs7—Class selector 7
• ef—Expedited forwarding
NOTE: This action is not supported on PTX Series Packet Transport Routers.
NOTE: The actions dscp 0 and dscp be are supported only on T320, T640, T1600, TX Matrix, TX Matrix Plus, and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrators (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers. However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers.
NOTE: On T4000 routers, the dscp 0 action is not supported during the interoperation between a T1600 Enhanced Scaling Type 4 FPC and a T4000 Type 5 FPC.
dscp value
Chapter 2: Firewall Filter Match Conditions and Actions
By default, a hierarchical policer processes the traffic it receives according to the traffic’s forwarding class. Premium, expedited-forwarding traffic has priority for bandwidth over aggregate, best-effort traffic. force-premium ensures that traffic matching the term is treated as premium traffic by a subsequent hierarchical policer, regardless of its forwarding class. This traffic is given preference over any aggregate traffic received by that policer.
NOTE: The force-premium filter option is supported only on MPCs.
force-premium
Classify the packet to the named forwarding class:
• forwarding-class-name
Police the packet using the specified hierarchical policer
hierarchical-policer
family inet Use the specified IPsec security association.
NOTE: This action is not supported on MX Series routers, Type 5 FPCs on T4000 routers, and PTX Series Packet Transport Routers.
ipsec-sa ipsec-sa
family inet Use the specified load-balancing group.
NOTE: This action is not supported on MX Series routers or PTX Series Packet Transport Routers.
load-balance group-name
• family inet
• family inet6 Log the packet header information in a buffer within the Packet Forwarding
Engine. You can access this information by issuing the show firewall log command at the command-line interface (CLI).
log
• family inet
• family inet6 Direct packets to a specific logical system.
logical-system logical-system-name
Set the packet loss priority (PLP) level. You cannot also configure the three-color-policer nonterminating action for the same firewall filter term. These two nonterminating actions are mutually exclusive.
Supported on M120 and M320 routers; M7i and M10i routers with the Enhanced CFEB (CFEB-E); and MX Series routers.
For IP traffic on M320, MX Series, and T Series routers with Enhanced II Flexible PIC Concentrators (FPCs), you must include the tri-color statement at the [edit class-of-service] hierarchy level to commit a PLP configuration with any of the four levels specified. If the tri-color statement is not enabled, you can only configure the high and low levels. This applies to all protocol families.
For information about the tri-color statement and using behavior aggregate (BA) classifiers to set the PLP level of incoming packets, see Understanding How Behavior Aggregate Classifiers Prioritize Trusted Traffic.
loss-priority (high | medium-high | medium-low | low)
• family any
• family inet Use the specified next-hop group.
next-hop-group group-name
• family inet
• family inet6 (MX Series) Direct packets to the specified outgoing interface.
next-interface interface-name
family inet (MX Series) Direct packets to the specified destination IPv4 address.
next-ip ip-address
family inet6 (MX Series) Direct packets to the specified destination IPv6 address.
next-ip6 ipv6-address
family any Updates a bit field in the packet key buffer, which specifies traffic that will
bypass flow-based forwarding. Packets with the packet-mode action modifier follow the packet-based forwarding path and bypass flow-based forwarding completely. For more information about selective stateless packet-based services, see the Junos OS Security Configuration Guide.
packet-mode
Name of policer to use to rate-limit traffic.
policer policer-name
Port-mirror the packet based on the specified family. Supported on M120 routers, M320 routers configured with Enhanced III FPCs, MX Series routers, and PTX Series Packet Transport Routers only.
port-mirror
Port mirror a packet for an instance. This action is only supported on the MX Series routers.
port-mirror-instance instance-name
family inet Count or police packets based on the specified action name.
NOTE: This action is not supported on PTX Series Packet Transport Routers.
prefix-action action-name
• family inet
• family inet6 Direct packets to the specified routing instance.
routing-instance
NOTE: Junos OS does not sample packets originating from the router. If you configure a filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled.
sample
• family inet
• family inet6 Use the inline counting mechanism when capturing subscriber per-service
statistics.
Count the packet for service accounting. The count is applied to a specific named counter (__junos-dyn-service-counter) that RADIUS can obtain.
The service-accounting and service-accounting-deferred keywords are mutually exclusive, both per-term and per-filter.
NOTE: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers.
service-accounting
Use the deferred counting mechanism when capturing subscriber per-service statistics. The count is applied to a specific named counter
(__junos-dyn-service-counter) that RADIUS can obtain.
The service-accounting and service-accounting-deferred keywords are mutually exclusive, both per-term and per-filter.
NOTE: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers.
service-accounting-deferred
• family inet
• family inet6 (Only if the service-filter-hit flag is marked by a previous filter in the current
type of chained filters) Direct the packet to the next type of filters.
Indicate to subsequent filters in the chain that the packet was already processed. This action, coupled with the service-filter-hit match condition in receiving filters, helps to streamline filter processing.
NOTE: This action is not supported on T4000 Type 5 FPCs and PTX Series Packet Transport Routers.
service-filter-hit
• family inet
• family inet6 Log the packet to the system log file.
syslog
• family bridge
• family ccc
• family inet
• family inet6
• family mpls
• family vpls Police the packet using the specified single-rate or two-rate three-color-policer.
NOTE: You cannot also configure the loss-priority action for the same firewall filter term. These two actions are mutually exclusive.
three-color-policer (single-rate | two-rate) policer-name
family inet6 Specify the traffic-class code point. You can specify a numerical value from 0
through 63. To specify the value in hexadecimal form, include 0x as a prefix.
To specify the value in binary form, include b as a prefix.
The default traffic-class value is best effort, that is, be or 0.
In place of the numeric value, you can specify one of the following text synonyms:
• af11—Assured forwarding class 1, low drop precedence
• af12—Assured forwarding class 1, medium drop precedence
• af13—Assured forwarding class 1, high drop precedence
• af21—Assured forwarding class 2, low drop precedence
• af22—Assured forwarding class 2, medium drop precedence
• af23—Assured forwarding class 2, high drop precedence
• af31—Assured forwarding class 3, low drop precedence
• af32—Assured forwarding class 3, medium drop precedence
• af33—Assured forwarding class 3, high drop precedence
• af41—Assured forwarding class 4, low drop precedence
• af42—Assured forwarding class 4, medium drop precedence
• af43—Assured forwarding class 4, high drop precedence
• be—Best effort
• cs0—Class selector 0
• cs1—Class selector 1
• cs2—Class selector 2
• cs3—Class selector 3
• cs4—Class selector 4
• cs5—Class selector 5
• cs6—Class selector 6
• cs7—Class selector 7
• ef—Expedited forwarding
NOTE: The actions traffic-class 0 and traffic-class be are supported only on T Series and M320 routers and on the 10-Gigabit Ethernet Modular Port Concentrator (MPC), 60-Gigabit Ethernet MPC, 60-Gigabit Ethernet Queuing MPC, and 60-Gigabit Ethernet Enhanced Queuing MPC on MX Series routers.
However, these actions are not supported on Enhanced III Flexible PIC Concentrators (FPCs) on M320 routers.
traffic-class value
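The value formats accepted by dscp and traffic-class (decimal, 0x hexadecimal, b binary, text synonym) and the mutual-exclusion rules stated in this table can be checked mechanically when reviewing a filter before commit. The following Python sketch is an added example, not Juniper code: the function names, the flat list-of-statements input and the sample terms are assumptions, the numeric values for the synonyms are the standard DSCP code points, and the exclusivity check covers only the per-term case.

```python
import re

# Standard DSCP code points for the text synonyms listed in the table.
SYNONYMS = {"be": 0, "ef": 46}
SYNONYMS.update({f"cs{n}": 8 * n for n in range(8)})
SYNONYMS.update({f"af{c}{d}": 8 * c + 2 * d
                 for c in range(1, 5) for d in range(1, 4)})

# Pairs the table documents as mutually exclusive within one term.
EXCLUSIVE = [("loss-priority", "three-color-policer"),
             ("service-accounting", "service-accounting-deferred")]

def parse_code_point(text):
    """Return the 6-bit value of a dscp/traffic-class argument or raise ValueError."""
    t = text.strip().lower()
    if t in SYNONYMS:                      # checked first so "be" is not read as binary
        return SYNONYMS[t]
    if t.startswith("0x"):
        value = int(t[2:], 16)
    elif re.fullmatch(r"b[01]+", t):
        value = int(t[1:], 2)
    elif t.isdigit():
        value = int(t, 10)
    else:
        raise ValueError(f"unrecognised code point {text!r}")
    if not 0 <= value <= 63:
        raise ValueError(f"code point {text!r} outside 0 through 63")
    return value

def check_term(then_statements):
    """Check one term's 'then' statements; return a list of problem strings."""
    problems = []
    actions = [s.split()[0] for s in then_statements if s.split()]
    for a, b in EXCLUSIVE:
        if a in actions and b in actions:
            problems.append(f"{a} and {b} are mutually exclusive")
    for s in then_statements:
        words = s.split()
        if len(words) == 2 and words[0] in ("dscp", "traffic-class"):
            try:
                parse_code_point(words[1])
            except ValueError as exc:
                problems.append(str(exc))
    return problems

# Constructed sample terms (not taken from a real configuration).
SAMPLE_OK = ["log", "dscp b101110", "loss-priority high"]
SAMPLE_BAD = ["loss-priority low", "three-color-policer single-rate p1", "dscp 0x40"]
```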
Related Documentation
• Guidelines for Configuring Firewall Filters on page 22
• Firewall Filter Terminating Actions on page 98