[j-nsp] DCU matching in firewall filter

Paul S. contact at winterei.se
Tue Sep 13 07:35:26 EDT 2016

Hi j-nsp,

I'm trying to use DCU to filter access to specific prefixes selectively 
on Juniper MX, i.e.: Customer on interface ge-0/0/0 cannot send traffic 
to prefixes tagged by some BGP community, or perhaps it'll be sent to a 

So we first match routes into a community, then use a routing-options -> 
forwarding-table -> export to assign a destination class to the prefixes 
that we want, and finally set up a simple firewall filter to deal with it

Issue is, the filter only works when it's applied to the 
'forwarding-options' level of hierarchy, not the interface itself, i.e.: 
If I apply it to 'unit 0 family inet filter input filter-dcu-local', 
...it does absolutely nothing.

Applying it globally isn't the most desirable solution in my opinion 
(but it does work). It would appear ras had actually run into this 
before once - 

So, is there any other way to apply this only on the concerned customer 
interfaces, or are we going to have to maintain a large 
forwarding-options filter with entries like 'term 1 from 
destination-class dcu-local; interface x; then ...' and 'term 2 from 
destination-class dcu-local; interface y ...'?

Inputs welcome, thank you!

Filter config:

firewall filter filter-dcu-local {
     term block-dcul-access {
         from {
             destination-class dcu-local;
         }
         then {
             count dcu-local-drops;
         }
     }
     term accept-the-rest {
         then accept;
     }
}

Policy config:

policy-options policy-statement community-to-class {
     term dcu-local {
         to community dcu-local;
         then {
             destination-class dcu-local;
         }
     }
}

Interface config:

unit 0 {
     family inet {
         accounting {

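Added example, not part of the original post: the chain the message describes, written out as one Junos configuration with the filter attached at the forwarding-options level and scoped to a single customer port by an interface match, which is the per-interface approach the post asks about. The unit number in ge-0/0/0.0 and the discard action are assumptions; the post's filter shows only the counter in its then-block.

```junos
/* Added example; names are taken from the post unless marked as assumed. */
routing-options {
    forwarding-table {
        /* The post's policy, which assigns destination-class dcu-local. */
        export community-to-class;
    }
}
firewall {
    filter filter-dcu-local {
        term block-dcul-access {
            from {
                destination-class dcu-local;
                /* Limit the term to traffic received on the customer port.
                   Unit 0 is assumed. */
                interface ge-0/0/0.0;
            }
            then {
                count dcu-local-drops;
                /* Assumed action; not shown in the post. */
                discard;
            }
        }
        term accept-the-rest {
            then accept;
        }
    }
}
forwarding-options {
    family inet {
        filter {
            /* The attachment point the post reports as working. */
            input filter-dcu-local;
        }
    }
}
```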