[j-nsp] DCU matching in firewall filter
Paul S.
contact at winterei.se
Tue Sep 13 12:24:55 EDT 2016
Hi Saku,
Many thanks for your reply.
Could you expand a bit more about potential limitations that I might run
into in the future with this forwarding-options based setup?
Mostly concerned about these two:
- egress iface filter requires that egress is IP tagged (trinity
allows mpls)
- if egress forw FW filter is used, interface filter groups
cannot be used
The router that this is being deployed on will likely be a part of a
mpls backbone at a later date.
On 9/13/2016 11:10 PM, Saku Ytti wrote:
> On 13 September 2016 at 14:35, Paul S. <contact at winterei.se> wrote:
>
> Hey Paul,
>
>> Issue is, the filter only works when it's applied to the
>> 'forwarding-options' level of hierarchy, not the interface itself. i.e: If I
>> apply it to 'unit 0 family inet filter input filter-dcu-local,' ...it does
>> absolutely nothing.
> I wish I had good news for you. From my notes when labbing this many
> many years ago:
>
> Flow is:
> packet > ingress int FW > SCU > ingress forw FW > DCU > egress
> forw FW > egress int FW
> This means:
> - you cannot match on SCU/DCU at all in ingress iface
> - you can do SCU matches in ingress forwarding fw filter, but not DCU
> - you can do SCU and DCU matches in egress forwarding filter and
> egress iface filter
> - egress iface filter requires that egress is IP tagged (trinity
> allows mpls)
> - if egress forw FW filter is used, interface filter groups cannot be used
>
> These limitations are certainly from IP2 days, I can't imagine Trio HW
> imposing these limits. If you have leverage to JNPR, I'm confident it
> would be possible to consider DCU/SCU in ingress interface filter.
>
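As an added illustration (not from either poster), a Junos configuration fragment of the working placement described in this thread: the DCU class is assigned by a forwarding-table export policy, and the filter matching on it is attached under `forwarding-options`, not on the interface unit. The filter name `filter-dcu-local` is taken from the thread; the class name, prefix, interface and counter name are assumed values.

```junos
/* Assign a destination class to routes; class name and prefix are assumed */
policy-options {
    policy-statement set-dcu {
        term customer-a {
            from route-filter 192.0.2.0/24 orlonger;
            then destination-class customer-a;
        }
    }
}
routing-options {
    forwarding-table {
        export set-dcu;
    }
}
/* DCU accounting on the egress interface (interface name assumed) */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                accounting {
                    destination-class-usage;
                }
            }
        }
    }
}
/* Filter matching on the DCU class; counter name is assumed */
firewall {
    family inet {
        filter filter-dcu-local {
            term match-dcu {
                from {
                    destination-class customer-a;
                }
                then {
                    count dcu-customer-a;
                    accept;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
/* Attach as an egress forwarding-table filter, where DCU is visible */
forwarding-options {
    family inet {
        filter {
            output filter-dcu-local;
        }
    }
}
```

Per the flow Saku lists above, the DCU lookup happens after the ingress forwarding filter, so the same `destination-class` term placed in an ingress interface or ingress forwarding filter would never match.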