[j-nsp] DCU matching in firewall on MX

Curtis Call ccall at juniper.net
Fri Oct 31 13:01:08 EDT 2008


Egress Forwarding-Table-Filters are performed on the ingress PFE, but
after the forwarding decision process has completed.

You can't use interface-groups with egress FTFs; the two features cannot
be configured at the same time.  You should be able to use
interface-sets though.

> -----Original Message-----
> From: Richard A Steenbergen [mailto:ras at e-gerbil.net]
> Sent: Thursday, October 30, 2008 5:44 PM
> To: Curtis Call
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] DCU matching in firewall on MX
> 
> On Thu, Oct 30, 2008 at 11:38:18AM -0700, Curtis Call wrote:
> > To match DCU in distributed PFE platforms use an egress
> > forwarding-table
> > filter:
> >
> > http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/configuring-a-forwarding-table-filter_1.html#id-11341452
> 
> I need to do a DCU match on ingress traffic only, and only on specific
> interfaces. If the DCU match worked in a normal firewall filter, I
> would just apply it as an ingress filter only to specific interfaces.
> 
> Can you still achieve this by creating an interface-group or
> interface-set and referencing it in an egress forwarding-table filter?
> And would this really match only ingress traffic on specific
> interfaces?
> The page you mentioned is a little unclear, specifically:
> 
> > Note: The egress forwarding table filter will be applied on the
> > ingress of the flexible PIC concentrator (FPC). If different packets
> > to the same destination arrive on different FPCs, they may encounter
> > different policers.
> 
> > Note: You cannot configure both an egress forwarding table filter and
> > the interface-group statement at the [edit interfaces family inet
> > filter] hierarchy level. The egress forwarding table filter is applied
> > to transit packets only.
> 
> To me that reads as though the filter will be applied at ingress time,
> but still happen with egress match logic (i.e. I couldn't specify
> source interfaces and match ingress traffic only).
> 
> --
> Richard A Steenbergen <ras at e-gerbil.net>       http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
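The configuration below is an added illustration of the approach discussed in this thread (an egress forwarding-table filter that matches on destination class and restricts the match to a set of ingress interfaces); it is not from the original message or from Juniper documentation. The policy name, interface-set name, filter name, interface names and prefix are assumptions chosen for the example, and whether the interface-set match is honoured inside a forwarding-table filter on a given platform and release is exactly the point the thread leaves open, so it should be verified in a lab rather than taken from this example.

```junos
/* Assumed example: classify routes into a destination class (DCU) via
   a forwarding-table export policy, then count traffic to that class
   that entered on a specific set of interfaces using an egress FTF. */
policy-options {
    policy-statement set-dcu {
        term customer-a {
            from {
                route-filter 203.0.113.0/24 orlonger;   /* example prefix */
            }
            then destination-class customer-a;
        }
    }
}
routing-options {
    forwarding-table {
        export set-dcu;                /* tags the FIB entries with the DCU */
        filter {
            output ftf-dcu-ingress;    /* egress FTF, evaluated on the ingress PFE */
        }
    }
}
firewall {
    /* The interface-set replaces interface-group, which cannot coexist
       with an egress FTF per the note quoted above. */
    interface-set edge-ports {
        ge-1/0/0.0;
        ge-1/0/1.0;
    }
    family inet {
        filter ftf-dcu-ingress {
            term customer-a-from-edge {
                from {
                    interface-set edge-ports;        /* ingress interfaces */
                    destination-class customer-a;    /* DCU match */
                }
                then {
                    count dcu-customer-a-from-edge;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
```

The term only counts, so a mistake in the match conditions costs nothing but an inaccurate counter; check "show firewall filter ftf-dcu-ingress" against traffic you know arrived on the edge ports before turning the action into a policer or discard. Since the filter runs on the ingress PFE, a policer in this term is applied per ingress FPC, as the documentation note quoted in the thread warns, so the counters from different FPCs must be added up to see the aggregate.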

