[j-nsp] Questions about count in firewall filter
Li Zhu
lz6 at njit.edu
Mon Jun 22 09:18:55 EDT 2009
Chen Jiang,
Thank you for the explanation. I will do more investigation to see if there
is a workaround.
Li
On Thu, Jun 18, 2009 at 10:44 PM, 陈江 <ilovebgp4 at gmail.com> wrote:
> hi!
>
> I think the answer is "NO" on Cisco high-end platforms, because Cisco uses
> TCAM to do firewall filters (ACLs), and because firewall filters are typically
> optimized (compiled) before being downloaded to the CAM, the filter lines are
> no longer associated with unique or single CAM cells, so you cannot count
> packets per firewall filter term.
>
> And on low-end platforms Cisco uses software to do ACLs; it may achieve that,
> but I have no experience with that.
>
> On Fri, Jun 19, 2009 at 9:43 AM, Li Zhu <lz6 at njit.edu> wrote:
>
>> All,
>>
>> In a firewall filter, the counter can count the number of packets matching
>> the term. In the simple firewall filter below, the counters AF11_NUM and
>> EF_NUM count the number of packets with af11 and ef, respectively. My
>> question is: can Cisco achieve a similar goal? I know this may be a Cisco
>> question, but I want to try my luck here also.
>>
>> Thanks,
>>
>> Li
>>
>> firewall {
>>     filter f1 {
>>         term t1 {
>>             from {
>>                 dscp af11;
>>             }
>>             then {
>>                 count AF11_NUM;
>>                 accept;
>>             }
>>         }
>>         term t2 {
>>             from {
>>                 dscp ef;
>>             }
>>             then {
>>                 count EF_NUM;
>>                 accept;
>>             }
>>         }
>>     }
>> }
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>
>
> --
> BR!
>
> James Chen
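The per-term counters discussed in the thread, as an added example that is not code from the thread or from Juniper: a small Python script that parses a Junos-style filter to map each term to the counter it increments, reads a counter table laid out like `show firewall filter f1` output, and attributes packet counts back to terms, flagging counters that several terms name, since Junos keeps one shared counter per name within a filter. The filter text (the thread's f1 plus an assumed term t3 matching dscp af12), the show output and the packet numbers are all constructed samples.

```python
# Added example, not code from the juniper-nsp thread; every input is constructed.
import re
# Constructed: the thread's filter f1 plus an assumed term t3 that reuses
# AF11_NUM; Junos shares one counter between terms that name it the same.
FILTER_CONFIG = """
firewall {
    filter f1 {
        term t1 { from { dscp af11; } then { count AF11_NUM; accept; } }
        term t2 { from { dscp ef; } then { count EF_NUM; accept; } }
        term t3 { from { dscp af12; } then { count AF11_NUM; accept; } }
    }
}
"""
# Constructed sample laid out like the counter table of `show firewall filter f1`.
SHOW_FIREWALL = """
Counters:
Name                                   Bytes              Packets
AF11_NUM                             1245600                 9840
EF_NUM                                 88000                 1100
"""

def _block(text, start):
    """Return the text inside the brace block that opens at text[start]."""
    depth = 0
    for i, ch in enumerate(text[start:], start):
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth == 0:
            return text[start + 1:i]
    raise ValueError("unbalanced braces in filter configuration")

def term_counters(config):
    """Return {term: counter} for every term carrying a `count` action."""
    result = {}
    for m in re.finditer(r"\bterm\s+(\S+)\s*\{", config):
        c = re.search(r"\bcount\s+(\S+);", _block(config, m.end() - 1))
        if c:
            result[m.group(1)] = c.group(1)
    return result

def counter_packets(show_output):
    """Return {counter: packets} from the Name/Bytes/Packets table."""
    rows = [line.split() for line in show_output.splitlines()]
    return {r[0]: int(r[2]) for r in rows if len(r) == 3 and r[2].isdigit()}

def packets_per_term(config, show_output):
    """Per-term packet counts; shared_with lists other terms on the same counter."""
    terms, counts = term_counters(config), counter_packets(show_output)
    return {t: {"counter": c, "packets": counts.get(c), "shared_with":
                sorted(u for u, v in terms.items() if v == c and u != t)}
            for t, c in terms.items()}
```

A term whose `shared_with` list is non-empty cannot be counted on its own from the device output; give it a distinct counter name if per-term visibility is what the policy check needs.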