[j-nsp] DCU matching in firewall filter

Dragan Jovicic draganj84 at gmail.com
Wed Sep 14 03:32:44 EDT 2016


DCU on FT is executed on ingress PFE after routing decision. This means you
can attach it to inet family regardless of egress encapsulation (MPLS).
Junos 14.X did not allow me to configure interface-groups and FT egress
filter.
But interface sets seem to be good enough for this.

Dragan

On Tue, Sep 13, 2016 at 6:40 PM, Saku Ytti <saku at ytti.fi> wrote:

> On 13 September 2016 at 19:24, Paul S. <contact at winterei.se> wrote:
>
> Hey Paul.
>
> > Could you expand a bit more about potential limitations that I might run
> > into in the future with this forwarding-options based setup?
> >
> > Mostly concerned about these two:
> >
> >       - egress iface filter requires that egress is IP tagged (trinity
> > allows mpls)
> >       - if egress forw FW filter is used, interface filter groups cannot be
> > used
> >
> > The router that this is being deployed on will likely be a part of a mpls
> > backbone at a later date.
>
> You're probably running Trio/Trinity platform, so egress IP filter
> should work even if egress is MPLS tagged, this wasn't true
> historically. The latter means, you cannot use this feature:
> http://www.juniper.net/documentation/en_US/junos16.1/topics/example/firewall-filter-option-received-on-interface-group-example.html
>
> I'm not sure if that limitation has been since lifted.
>
> --
>   ++ytti
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>

