[j-nsp] DCU matching in firewall on MX
Curtis Call
ccall at juniper.net
Thu Oct 30 14:38:18 EDT 2008
To match DCU in distributed PFE platforms use an egress forwarding-table
filter:
http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/c
onfiguring-a-forwarding-table-filter_1.html#id-11341452
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Richard A Steenbergen
> Sent: Thursday, October 30, 2008 11:05 AM
> To: juniper-nsp at puck.nether.net
> Subject: [j-nsp] DCU matching in firewall on MX
>
> Does anyone know if DCU matching in a firewall filter is supposed to
be
> working on MX, and if not, if is it possible to support in the future
> (and when)?
>
> The explanation I had previously heard about the reason this wasn't
> supportable on T-series/M320 was that with the change to a distributed
> forwarding architecture and you would now need a mechanism to pass the
> SCU/DCU classification across the fabric, and the LMNR chips weren't
> capable of doing this. I had also heard that the I-chip resolved this
> issue by increasing the available space in the notification cell so
> this information could be passed. The SCU/DCU documentation says
> nothing about the MX one way or the other, but I've tried configuring
> it and even on 9.2 it definitely does not work.
>
> I noticed that on recent code the documentation has added M120 to the
> "does not work" list, which would imply that if this really is an I-
> chip issue that it won't work on the MX either. If this is the case,
> can anyone confirm or deny the supposition that it is now possible to
> support this on I-chip platforms, and it just hasn't been written into
> the pfe code yet?
>
> >From
> >http://www.juniper.net/techpubs/software/junos/junos92/swconfig-
> network
> >-interfaces/enabling-source-class-and-destination-class-usage.html
>
> > On T-series, M120, and M320 platforms, the destination-class and
> > source-class statements are not supported at the [edit firewall
> family
> > family-name > filter filter-name term term-name from] hierarchy
> level.
> > On other M-series platforms, these statements are supported.
>
> --
> Richard A Steenbergen <ras at e-gerbil.net> http://www.e-
> gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1
> 2CBC) _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
More information about the juniper-nsp
mailing list