[j-nsp] Questions about count in firewall filter

陈江 ilovebgp4 at gmail.com
Thu Jun 18 22:44:41 EDT 2009


hi!

I think the answer is "NO" on Cisco high-end platforms, because Cisco uses
TCAM to do firewall filters (ACLs), and because firewall filters are typically
optimized (compiled) before being downloaded to CAM, the filter lines are no
longer associated with unique or single CAM cells, so you cannot count
packets per firewall filter term.

And on low-end platforms Cisco uses software to do ACLs; it may achieve that,
but I have no experience with that.

On Fri, Jun 19, 2009 at 9:43 AM, Li Zhu <lz6 at njit.edu> wrote:

> All,
>
> In the firewall filter, the counter can count the number of packets that
> match the term. In the simple firewall filter below, the counters AF11_NUM
> and EF_NUM count the number of packets with af11 and ef, respectively. My
> question is: can Cisco achieve a similar goal? I know this may be a Cisco
> question, but I want to try my luck here also.
>
> Thanks,
>
> Li
>
> firewall {
>     filter f1 {
>         /* count and accept AF11-marked packets */
>         term t1 {
>             from {
>                 dscp af11;
>             }
>             then {
>                 count AF11_NUM;
>                 accept;
>             }
>         }
>         /* count and accept EF-marked packets; anything else hits the implicit discard */
>         term t2 {
>             from {
>                 dscp ef;
>             }
>             then {
>                 count EF_NUM;
>                 accept;
>             }
>         }
>     }
> }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

-- 
BR!

James Chen
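To make the per-term counter semantics of the quoted filter concrete, here is an added example (not code from the thread or from Junos itself): a small Python model of first-match term evaluation over constructed sample packets, including the implicit discard that ends every Junos filter. The packet records, lengths and DSCP decimal values are assumptions chosen for illustration.

```python
"""Model of per-term counting in a Junos-style firewall filter.

Added example, not from the mailing-list thread. Terms are evaluated in
order, the first matching term's counter is incremented and its action
ends evaluation; a packet matching no term hits the implicit discard.
"""

# DSCP code points in decimal (af11 = 10, ef = 46, best effort = 0)
DSCP = {"af11": 10, "ef": 46, "be": 0}

# The quoted filter f1 expressed as an ordered list of terms (assumed layout)
FILTER_F1 = [
    {"name": "t1", "match_dscp": DSCP["af11"], "count": "AF11_NUM", "action": "accept"},
    {"name": "t2", "match_dscp": DSCP["ef"],   "count": "EF_NUM",   "action": "accept"},
]


def apply_filter(terms, packets):
    """Run packets through terms; return (counters, accepted, discarded)."""
    counters = {t["count"]: {"packets": 0, "bytes": 0} for t in terms}
    accepted, discarded = [], []
    for pkt in packets:
        for term in terms:
            if pkt["dscp"] == term["match_dscp"]:
                c = counters[term["count"]]
                c["packets"] += 1
                c["bytes"] += pkt["len"]
                (accepted if term["action"] == "accept" else discarded).append(pkt)
                break  # first matching term ends evaluation
        else:
            # No term matched: Junos applies an implicit discard, and the
            # posted filter has no catch-all term, so this traffic is dropped.
            discarded.append(pkt)
    return counters, accepted, discarded


# Constructed sample traffic: three AF11, two EF and one best-effort packet
SAMPLE_PACKETS = [
    {"dscp": 10, "len": 500}, {"dscp": 10, "len": 60}, {"dscp": 10, "len": 1500},
    {"dscp": 46, "len": 200}, {"dscp": 46, "len": 200},
    {"dscp": 0, "len": 1000},
]

if __name__ == "__main__":
    counters, accepted, discarded = apply_filter(FILTER_F1, SAMPLE_PACKETS)
    for name, c in counters.items():
        print(f"{name:10} packets={c['packets']:4} bytes={c['bytes']}")
    print(f"accepted={len(accepted)} discarded={len(discarded)}")
```

Running it shows the best-effort packet is counted by neither term and is discarded, which is the catch-all gap a reviewer would flag in the posted filter.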

