Technical Documentation
Configuring Firewall Filters on Shared Interfaces
To allow equitable bandwidth sharing between all logical interfaces on a single shared physical interface, you configure firewall filters on the logical interfaces in the PSD configuration.
Whereas the RSD controls the physical shared interface and allocates a logical interface on it to the PSD, the PSD controls the configuration under the logical interface, including the protocol family. The shared interface on the RSD is not aware of the protocol family information associated with the logical interface. Therefore, on the PSD, the firewall filter must be configured under the [edit firewall family any] hierarchy level and the filter applied to the entire logical interface (as opposed to a protocol family under the interface). With Junos OS Release 9.4, only output filters are supported.
To configure a firewall filter on the PSD, create the filter conditions and apply the filter to the logical interfaces:
- Configure the firewall filter conditions:
- Include the filter filter-name statement at the [edit firewall family any] hierarchy level.
- Include the term term-name statement at the [edit firewall family any filter filter-name] hierarchy level.
- Include the from match-conditions statement at the [edit firewall family any filter filter-name term term-name] hierarchy level.
- Include the then action statement at the [edit firewall family any filter filter-name term term-name] hierarchy level.
- Include the then action-modifiers statement at the [edit firewall family any filter filter-name term term-name] hierarchy level.
- Apply the firewall filter to the logical interface on the shared interface by including the filter output filter-name statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level.
Starting with Junos OS Release 10.1, firewall filters on logical interfaces can be configured on the RSD. Filtering is performed on the PSD, but logical interface filters configured on the RSD are applied automatically by the PSD.
To configure a logical interface filter on the RSD, apply the firewall filter to the logical interface on the shared interface by including the filter output filter-name statement at the [edit interfaces interface-name unit logical-unit-number] hierarchy level on the RSD.
Filters configured on the RSD can co-exist with filters configured on the PSD. Counter statistics related to PSD filtering are available on the RSD.
In the following example, term 1 and term 2 of the firewall filter-out provide per-class policing and term 3 provides logical interface-based policing. The filter is applied to the so-4/5/6.0 logical interface.
For more information about firewall filters, see the Junos OS Policy Framework Configuration Guide 
.
