[j-nsp] DCU matching in firewall filter

Alexandre Snarskii snar at snar.spb.ru
Tue Sep 13 10:31:25 EDT 2016

On Tue, Sep 13, 2016 at 08:35:26PM +0900, Paul S. wrote:
> Hi j-nsp,
> I'm trying to use DCU to filter access to specific prefixes selectively 
> on Juniper MX. i.e: Customer on interface ge-0/0/0 cannot send traffic 
> to prefixes tagged by some BGP community, or perhaps it'll be sent to a 
> policer.
> So, is there any other way to apply this only on the concerned customer 
> interfaces, or are we going to have to maintain a large 
> forwarding-options filter with entries like 'term 1 from 
> destination-class dcu-local; interface x; then ...' and 'term 2 from 
> destination-class dcu-local; interface y' ...'

You can group customer interfaces using interface-set, e.g.

set firewall interface-set customer-local ge-0/0/0.0
set firewall interface-set customer-local ge-0/0/1.0

and then use that interface set together with DCU in pfe filter, 

term cust-local from destination-class dcu-local interface-set customer-local

Not as nice as having DCU in ingress filter, but still much better than 
one term per interface. 

More information about the juniper-nsp mailing list