[j-nsp] DCU matching in firewall on MX

Richard A Steenbergen ras at e-gerbil.net
Thu Oct 30 20:44:23 EDT 2008


On Thu, Oct 30, 2008 at 11:38:18AM -0700, Curtis Call wrote:
> To match DCU in distributed PFE platforms use an egress forwarding-table
> filter:
> 
> http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/configuring-a-forwarding-table-filter_1.html#id-11341452

I need to do a DCU match on ingress traffic only, and only on specific
interfaces. If the DCU match worked in a normal firewall filter, I would
just apply it as an ingress filter only to specific interfaces.

Can you still achieve this by creating an interface-group or
interface-set and referencing it in an egress forwarding-table filter? 
And would this really match only ingress traffic on specific interfaces? 
The page you mentioned is a little unclear, specifically:

> Note: The egress forwarding table filter will be applied on the
> ingress of the flexible PIC concentrator (FPC). If different packets
> to the same destination arrive on different FPCs, they may encounter
> different policers.

> Note: You cannot configure both an egress forwarding table filter and
> the interface-group statement at the [edit interfaces family inet
> filter] hierarchy level. The egress forwarding table filter is applied
> to transit packets only.

To me that reads as though the filter will be applied at ingress time, 
but still happen with egress match logic (i.e. I couldn't specify source 
interfaces and match ingress traffic only).

-- 
Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
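Added example (not part of the original post or Curtis' reply): the egress forwarding-table filter approach as described, with the DCU class assigned through a forwarding-table export policy. The policy, filter, counter and class names and the 192.0.2.0/24 prefix are assumed for illustration.

```junos
/* Assumed names throughout; 192.0.2.0/24 is a documentation prefix. */
policy-options {
    policy-statement SET-DCU {
        term customer-A {
            from {
                route-filter 192.0.2.0/24 orlonger;   /* routes to tag with the class */
            }
            then destination-class customer-A;
        }
    }
}
routing-options {
    forwarding-table {
        export SET-DCU;   /* apply the class to forwarding-table entries */
    }
}
firewall {
    family inet {
        filter DCU-EGRESS {
            term count-customer-A {
                from {
                    destination-class customer-A;   /* DCU match condition */
                }
                then {
                    count customer-A-dcu;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
forwarding-options {
    family inet {
        filter {
            output DCU-EGRESS;   /* egress forwarding-table filter */
        }
    }
}
```

Per the notes quoted above this filter is evaluated at FPC ingress but covers all transit traffic toward the tagged destinations, and it cannot be combined with interface-group, so it does not by itself restrict matching to chosen ingress interfaces.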

