[j-nsp] DCU matching in firewall filter
Alexandre Snarskii
snar at snar.spb.ru
Tue Sep 13 10:31:25 EDT 2016
On Tue, Sep 13, 2016 at 08:35:26PM +0900, Paul S. wrote:
> Hi j-nsp,
>
> I'm trying to use DCU to filter access to specific prefixes selectively
> on Juniper MX. i.e: Customer on interface ge-0/0/0 cannot send traffic
> to prefixes tagged by some BGP community, or perhaps it'll be sent to a
> policer.
[...]
> So, is there any other way to apply this only on the concerned customer
> interfaces, or are we going to have to maintain a large
> forwarding-options filter with entries like 'term 1 from
> destination-class dcu-local; interface x; then ...' and 'term 2 from
> destination-class dcu-local; interface y' ...'

You can group customer interfaces using interface-set, e.g.

    set firewall interface-set customer-local ge-0/0/0.0
    set firewall interface-set customer-local ge-0/0/1.0

and then use that interface set together with DCU in PFE filter,

    term cust-local from destination-class dcu-local interface-set customer-local

Not as nice as having DCU in ingress filter, but still much better than
one term per interface.
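
The interface-set approach from the reply above, written out end to end as an added example (not configuration posted by either participant). The community value, the policy, filter and policer names, the policer rates, and the use of the forwarding-table output direction are assumptions; dcu-local, customer-local and the two interfaces come from the thread.

```junos
# Constructed example. Everything except dcu-local, customer-local and the
# ge-0/0/x units is a hypothetical name or value chosen for illustration.

# 1. Assign destination class dcu-local to routes carrying the community.
#    (65000:100 is a placeholder community.)
set policy-options community local-only members 65000:100
set policy-options policy-statement dcu-classify term local from community local-only
set policy-options policy-statement dcu-classify term local then destination-class dcu-local
set routing-options forwarding-table export dcu-classify

# 2. Group the customer-facing logical interfaces once.
set firewall interface-set customer-local ge-0/0/0.0
set firewall interface-set customer-local ge-0/0/1.0

# 3. Policer for traffic from those customers toward dcu-local prefixes.
#    (Rates are placeholders; replace "then policer" with "then discard"
#    in step 4 to block the traffic instead.)
set firewall policer cust-local-limit if-exceeding bandwidth-limit 10m
set firewall policer cust-local-limit if-exceeding burst-size-limit 625k
set firewall policer cust-local-limit then discard

# 4. One term covers every interface in the set.
set firewall family inet filter dcu-fwd term cust-local from destination-class dcu-local
set firewall family inet filter dcu-fwd term cust-local from interface-set customer-local
set firewall family inet filter dcu-fwd term cust-local then policer cust-local-limit

# Explicit final accept: a Junos filter ends with an implicit discard, and
# this filter sees all forwarded IPv4 traffic, not just customer traffic.
set firewall family inet filter dcu-fwd term default then accept

# 5. Attach as a forwarding-table filter (direction assumed: output, so the
#    route lookup that sets the destination class has already happened).
set forwarding-options family inet filter output dcu-fwd
```

Onboarding another customer port is then a single additional `set firewall interface-set customer-local ...` line, with no change to the filter itself.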