Statement introduced in Junos OS Release 11.4.
Statement introduced in Junos OS Release 12.3R2 for EX Series switches.
Limit static service filters or API-client filters
to term-based filter format only for inet or inet6 families when enhanced
network services mode is configured at the [edit chassis network-services] hierarchy level. You cannot attach enhanced mode filters to local
loopback, management, or MS-DPC interfaces. These interfaces are processed
by the Routing Engine and DPC modules and can accept only compiled
firewall filter format. In cases where both filter formats are needed
for dynamic service filters, you can use the enhanced-mode-override statement on the specific filter definition to override the default
filter term-based only format of chassis network-service enhanced
enhanced-mode and the
enhanced-mode-override statements are mutually exclusive;
you can define the filter with either
enhanced-mode-override, but not both.
For MX Series routers with MPCs, you need to initialize Trio-only match filters (that is, a filter that includes at least one match condition or action that is only supported by the Trio chipset) by walking the corresponding SNMP MIB. For example, for any filter that is configured or changed with respect to their Trio only filters, you need to run a command such as the following: show snmp mib walk (ascii | decimal) object-id. This forces Junos to learn the filter counters and ensure that the filter statistics are displayed. This guidance applies to all enhanced-mode firewall filters. It also applies to Firewall Filter Match Conditions for IPv4 Traffic with flexible match filter terms for offset-range or offset-mask, gre-key, and Firewall Filter Match Conditions for IPv6 Traffic with any of the following match conditions: payload-protocol, extension headers, is_fragment. It also applies to filters with either of the following Firewall Filter Terminating Actions: encapsulate or decapsulate, or either of the following Firewall Filter Nonterminating Actions: policy-map, and clear-policy-map.
When used with one of the chassis enhanced network services modes, firewall filters are generated in term-based format for use with MPC modules. Do not use enhanced mode for firewall filters that are intended for control plane traffic. Control plane filtering is handled by the Routing Engine kernel, which cannot use the term-based format of the enhanced mode filters.
If enhanced network services are not configured for the chassis, the enhanced-mode statement is ignored and any enhanced mode firewall filters are generated in both term-based and the default, compiled format. Only term-based (enhanced) firewall filters will be generated, regardless of the setting of the enhanced-mode statement at the [edit chassis network-services] hierarchy level, if any of the following are true:
Flexible filter match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
A tunnel header push or pop action, such as GRE encapsulate or decapsulate is configured at the [edit firewall family family-name filter filter-name term term-name then] hierarchy level.
Payload-protocol match conditions are configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
An extension-header match is configured at the [edit firewall family family-name filter filter-name term term-name from] or [edit firewall filter filter-name term term-name from] hierarchy levels.
A match condition is configured that only works with MPC cards, such as firewall bridge filters for IPv6 traffic.
For packets sourced from the Routing Engine, the Routing Engine processes Layer 3 packets by applying output filters to the packets and forwards Layer 2 packets to the Packet Forwarding Engine for transmission. By configuring the enhanced mode filter, you explicitly specify that only the term-based filter format is used, which also implies that the Routing Engine cannot use this filter.
Required Privilege Level
firewall—To view this statement in the configuration.
firewall-control—To add this statement to the configuration.