[j-nsp] DCU matching in firewall filter
Saku Ytti
saku at ytti.fi
Tue Sep 13 12:40:29 EDT 2016
On 13 September 2016 at 19:24, Paul S. <contact at winterei.se> wrote:
Hey Paul.
> Could you expand a bit more about potential limitations that I might run
> into in the future with this forwarding-options based setup?
>
> Mostly concerned about these two:
>
> - egress iface filter requires that egress is IP tagged (trinity
> allows mpls)
> - if egress forw FW filter is used, interface filter groups cannot be
> used
>
> The router that this is being deployed on will likely be a part of a mpls
> backbone at a later date.
You're probably running a Trio/Trinity platform, so egress IP filter
should work even if egress is MPLS tagged; this wasn't true
historically. The latter means you cannot use this feature:
http://www.juniper.net/documentation/en_US/junos16.1/topics/example/firewall-filter-option-received-on-interface-group-example.html
I'm not sure if that limitation has been since lifted.
--
++ytti