[j-nsp] DCU matching in firewall filter
Paul S.
contact at winterei.se
Tue Sep 13 07:35:26 EDT 2016
Hi j-nsp,
I'm trying to use DCU to filter access to specific prefixes selectively
on Juniper MX, i.e. a customer on interface ge-0/0/0 cannot send traffic
to prefixes tagged by some BGP community, or perhaps it'll be sent to a
policer.
So we first match routes into a community, then use a routing-options ->
forwarding-table -> export policy to assign a destination class to the
prefixes that we want, and finally set up a simple firewall filter to
deal with it all.
The issue is, the filter only works when it's applied at the
'forwarding-options' level of the hierarchy, not on the interface itself.
I.e. if I apply it to 'unit 0 family inet filter input filter-dcu-local',
it does absolutely nothing.
Applying it globally isn't the most desirable solution in my opinion
(but it does work). It would appear ras had actually run into this
before once:
https://puck.nether.net/pipermail/juniper-nsp/2008-October/011812.html
So, is there any other way to apply this only on the concerned customer
interfaces, or are we going to have to maintain a large
forwarding-options filter with entries like 'term 1 from
destination-class dcu-local; interface x; then ...' and 'term 2 from
destination-class dcu-local; interface y; ...'?
Inputs welcome, thank you!
Filter config:

firewall filter filter-dcu-local {
    term block-dcul-access {
        from {
            destination-class dcu-local;
        }
        then {
            count dcu-local-drops;
            discard;
        }
    }
    term accept-the-rest {
        then accept;
    }
}
Policy config:

policy-options policy-statement community-to-class {
    term dcu-local {
        to community dcu-local;
        then {
            destination-class dcu-local;
            accept;
        }
    }
}
Interface config:

unit 0 {
    family inet {
        accounting {
            destination-class-usage;
        }
        address 10.10.10.5/30;
    }
}
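For reference, the full chain the post describes (community -> destination class via a forwarding-table export policy -> firewall filter), written out as set-style Junos configuration. This is an added example, not the poster's configuration: the community value 65000:100 is a constructed placeholder, the policy matches with `from community` rather than the `to` clause shown above, and the filter is applied at the forwarding-options level, which is the placement the post reports as working. The `#` lines are reader comments, not part of the configuration.

```junos
# Tag the prefixes to be restricted. 65000:100 is a constructed placeholder value.
set policy-options community dcu-local members 65000:100

# Map routes carrying that community to destination class dcu-local.
set policy-options policy-statement community-to-class term dcu-local from community dcu-local
set policy-options policy-statement community-to-class term dcu-local then destination-class dcu-local
set policy-options policy-statement community-to-class term dcu-local then accept

# Install the class into the forwarding table so packet lookups see it.
set routing-options forwarding-table export community-to-class

# Filter: drop (and count) anything destined to a dcu-local prefix, accept the rest.
set firewall family inet filter filter-dcu-local term block-dcul-access from destination-class dcu-local
set firewall family inet filter filter-dcu-local term block-dcul-access then count dcu-local-drops
set firewall family inet filter filter-dcu-local term block-dcul-access then discard
set firewall family inet filter filter-dcu-local term accept-the-rest then accept

# Apply at the forwarding-options level (the placement the post reports as working,
# as opposed to an input filter on the customer unit).
set forwarding-options family inet filter input filter-dcu-local

# Customer-facing interface with DCU accounting enabled.
set interfaces ge-0/0/0 unit 0 family inet accounting destination-class-usage
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.5/30

# Verification from operational mode:
#   show interfaces destination-class all      (per-class packet/byte counters)
#   show firewall filter filter-dcu-local      (the dcu-local-drops counter)
```

To restrict the behaviour to particular customers with this placement, the filter terms would also need a `from interface` match per customer interface, which is exactly the per-interface term list the post is hoping to avoid.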