[j-nsp] DCU matching in firewall filter
Saku Ytti
saku at ytti.fi
Tue Sep 13 10:10:22 EDT 2016
On 13 September 2016 at 14:35, Paul S. <contact at winterei.se> wrote:
Hey Paul,
> Issue is, the filter only works when it's applied to the
> 'forwarding-options' level of hierarchy, not the interface itself. i.e: If I
> apply it to 'unit 0 family inet filter input filter-dcu-local,' ...it does
> absolutely nothing.
I wish I had good news for you. From my notes when labbing this many
many years ago:
Flow is:
packet > ingress int FW > SCU > ingress forw FW > DCU > egress forw FW > egress int FW
This means:
- you cannot match on SCU/DCU at all in ingress iface
- you can do SCU matches in ingress forwarding fw filter, but not DCU
- you can do SCU and DCU matches in egress forwarding filter and egress iface filter
- egress iface filter requires that egress is IP tagged (trinity allows mpls)
- if egress forw FW filter is used, interface filter groups cannot be used
These limitations are certainly from IP2 days, I can't imagine Trio HW
imposing these limits. If you have leverage to JNPR, I'm confident it
would be possible to consider DCU/SCU in ingress interface filter.
--
++ytti