Table 70: Firewall Filter Behavior by Filter Attachment Point (continued)
Filter BehaviorFilter Attachment Point
You can use the same firewall filter one or more times.
On M Series routers, except the M120 and M320 routers, if you apply a firewall filter to multiple
interfaces, the filter acts on the sum of traffic entering or exiting those interfaces.
On T Series, M120, M320, and MX Series routers, interfaces are distributed among multiple
packet-forwarding components. On these routers, you can configure firewall filters and service
filters that, when applied to multiple interfaces, act on the individual traffic streams entering or
exiting each interface, regardless of the sum of traffic on the multiple interfaces.
For more information, see Interface-Specific Firewall Filter Instances Overview.
Multiple interfaces
For interfaces hosted on the following hardware only, you can attach a protocol-independent
(family any) firewall filter and a protocol-specific (family inet or family inet6) firewall filter
simultaneously. The protocol-independent firewall executes first.
•
ACX Series Universal Access Routers
•
Flexible PIC Concentrators (FPCs) in M7i and M10i Multiservice Edge Routers
•
Modular Interface Cards (MICs) and Modular Port Concentrators (MPCs) in MX Series 3D
Universal Edge Routers
•
T Series Core Routers
NOTE:
Interfaces hosted on the following hardware do not support protocol-independent firewall filters:
•
Forwarding Engine Boards (FEBs) in M120 routers
•
Enhanced III FPCs in M320 routers
•
FPC2 and FPC3 modules in MX Series routers
•
Dense Port Concentrators (DPCs) in MX Series routers
•
PTX Series Packet Transport Routers
Single interface with
protocol-independent
and protocol-specific
firewall filters attached
Statement Hierarchy for Applying Firewall Filters
To apply a standard firewall filter to a logical interface, configure the filter statement for
the logical interface defined under either the [edit] or [edit logical-systems
logical-system-name] hierarchy level. Under the filter statement, you can include one or
more of the following statements: group group-number, input filter-name, input-list
filter-name, output filter-name, or output-list filter-name. The hierarchy level at which you
attach the filter statement depends on the filter type and device type you are configuring.
Protocol-Independent Firewall Filters on MX Series Routers
To apply a protocol-independent firewall filter to a logical interface on an MX Series
router, configure the filter statement directly under the logical unit:
interfaces {
interface-name {
unit logical-unit-number {
filter {
group group-number;
input filter-name;
Copyright © 2017, Juniper Networks, Inc.1050
ACX Series Universal Access Router Configuration Guide
To Next Page
Loading...
Need help?
General
