[j-nsp] DCU matching in firewall on MX

Richard A Steenbergen ras at e-gerbil.net
Thu Oct 30 14:05:28 EDT 2008


Does anyone know if DCU matching in a firewall filter is supposed to be
working on MX, and if not, if it is possible to support in the future
(and when)?

The explanation I had previously heard about the reason this wasn't
supportable on T-series/M320 was that with the change to a distributed
forwarding architecture you would now need a mechanism to pass the
SCU/DCU classification across the fabric, and the LMNR chips weren't
capable of doing this. I had also heard that the I-chip resolved this
issue by increasing the available space in the notification cell so this
information could be passed. The SCU/DCU documentation says nothing
about the MX one way or the other, but I've tried configuring it and
even on 9.2 it definitely does not work.

I noticed that on recent code the documentation has added M120 to the
"does not work" list, which would imply that if this really is an I-chip
issue, it won't work on the MX either. If this is the case, can
anyone confirm or deny the supposition that it is now possible to
support this on I-chip platforms, and it just hasn't been written into
the pfe code yet?

From http://www.juniper.net/techpubs/software/junos/junos92/swconfig-network-interfaces/enabling-source-class-and-destination-class-usage.html

> On T-series, M120, and M320 platforms, the destination-class and
> source-class statements are not supported at the [edit firewall family
> family-name filter filter-name term term-name from] hierarchy level.
> On other M-series platforms, these statements are supported.

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

