Apply a Filter to an Interface

To apply firewall filters to an interface, include the filter statement:

filter { 
    group filter-group-number;
    input filter-name;
    output filter-name;
}

You can configure these statements at the following hierarchy levels:

In the family statement, the protocol family can be inet, inet6, mpls, or vpls.

In the group statement, specify the interface group number to associate with the filter.

In the input statement, list the name of one firewall filter to be evaluated when packets are received on the interface.

In the output statement, list the name of one firewall filter to be evaluated when packets are transmitted on the interface.

You can use the same filter one or more times.

For filter-based forwarding (FBF), you can configure input packet filters only; FBF is not supported for output filters.

If you apply the filter to the interface lo0, it is applied to packets received or transmitted by the Routing Engine. You cannot apply MPLS filters to the management interface (fxp0) or the loopback interface (lo0).
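The following audit script is an added example, not part of the original documentation. It checks a configuration for the two lo0/fxp0 points above. It assumes the configuration is exported in `display set` form under `set interfaces <name> unit <n> family <family> filter ...`, a hierarchy this page does not list; the sample lines and filter names are constructed, and reporting an lo0 family with no input filter is a local policy assumption rather than a JUNOS requirement.

```python
import re

# Assumed "display set" form (the hierarchy is not listed on the page):
#   set interfaces <if> unit <n> family <family> [filter <input|output|group> <value>]
FAMILY_RE = re.compile(r"^set interfaces (\S+) unit (\d+) family (\S+)")
FILTER_RE = re.compile(
    r"^set interfaces \S+ unit \d+ family \S+ filter (input|output|group) (\S+)$")

# Constructed sample configuration, not taken from a real device.
SAMPLE = """
set interfaces ge-0/0/0 unit 0 family inet filter group 1
set interfaces ge-0/0/0 unit 0 family inet filter input edge-in
set interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces lo0 unit 0 family inet filter input protect-re
set interfaces lo0 unit 0 family inet address 198.51.100.1/32
set interfaces lo0 unit 0 family inet6 address 2001:db8::1/128
set interfaces lo0 unit 0 family mpls filter input mpls-in
"""

def audit(config_text):
    """Return sorted (interface.unit, family, finding) tuples."""
    bindings = {}  # (interface.unit, family) -> {"input"/"output"/"group": value}
    for line in config_text.splitlines():
        line = line.strip()
        fam = FAMILY_RE.match(line)
        if not fam:
            continue
        key = (f"{fam.group(1)}.{fam.group(2)}", fam.group(3))
        bound = bindings.setdefault(key, {})  # record the family even with no filter
        flt = FILTER_RE.match(line)
        if flt:
            bound[flt.group(1)] = flt.group(2)

    findings = []
    for (ifl, family), bound in bindings.items():
        ifname = ifl.split(".")[0]
        has_filter = "input" in bound or "output" in bound
        # The page: MPLS filters cannot be applied to fxp0 or lo0.
        if family == "mpls" and ifname in ("fxp0", "lo0") and has_filter:
            findings.append((ifl, family, "MPLS filter not allowed on fxp0/lo0"))
        # The page: a filter on lo0 applies to Routing Engine traffic.
        # Policy assumption: every inet/inet6 family on lo0 should have one.
        if ifname == "lo0" and family in ("inet", "inet6") and "input" not in bound:
            findings.append((ifl, family, "no input filter: Routing Engine traffic unfiltered"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```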

For more information about firewall filters, see the JUNOS Internet Software Configuration Guide: Policy Framework. For more information about MPLS filters, see the JUNOS Internet Software Configuration Guide: MPLS Applications. For more information about FBF, see the JUNOS Internet Software Configuration Guide: Routing Protocols.

Define Interface Groups in Firewall Filters

When applying a firewall filter, you can define an interface to be part of an interface group. Packets received on that interface are tagged as being part of the group. You can then match these packets using the interface-group match statement, as described in the JUNOS Internet Software Configuration Guide: Policy Framework.

To define the interface to be part of an interface group, include the group statement:

group filter-group-number;

You can configure this statement at the following hierarchy levels:

