Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Firewall and Policing Differences Between PTX Series Packet Transport Routers and T Series Matrix Routers

 

This topic provides a list of firewall and policier features available on PTX Packet Transport Routers and compares them with firewall and policing features on T Series routers.

Firewall Filters

Junos OS firewall and policing software on PTX Series Packet Transport Routers supports IPv4 filters, IPv6 filters, MPLS filters, CCC filters, interface policing, LSP policing, MAC filtering, ARP policing, L2 policing, and other features. Exceptions are noted below.

  • PTX Series Packet Transport Routers do not support:

    • Egress Forwarding Table Filters

    • Forwarding Table Filters for MPLS/CCC

    • Family VPLS

  • PTX Series Packet Transport Routers do not support nested firewall filters. The filter statement at the [edit firewall family family-name filter filter-name term term-name] hierarchy level is disabled.

  • Because no service PICs are present in PTX Series Packet Transport Routers, service filters are not supported for both IPv4 and IPv6 traffic. The service-filter statement at [edit firewall family (inet | inet6)] hierarchy level is disabled.

  • The PTX Series Packet Transport Routers exclude simple filters. These filters are supported on Gigabit Ethernet intelligent queuing (IQ2) and Enhanced Queuing Dense Port Concentrator (EQ DPC) interfaces only. The simple-filter statement at the [edit firewall family inet)] hierarchy level is disabled.

  • Physical interface filtering is not supported. The physical-interface-filter statement at the [edit firewall family family-name filter filter-name] hierarchy level is disabled.

  • The prefix action feature is not supported on PTX Series Packet Transport Routers. The prefix-action statement at [edit firewall family inet] hierarchy level is disabled.

  • On T Series routers, you can collect a variety of information about traffic passing through the device by setting up one or more accounting profiles that specify some common characteristics of the data. The PTX Series Packet Transport Routers do not support accounting configurations for firewall filters. The accounting-profile statement at the [edit firewall family family-name filter filter-name] hierarchy level is disabled.

  • The reject action is not supported on the loopback (lo0) interface. If you apply a filter to the lo0 interface and the filter includes a reject action, an error message appears.

  • PTX Series Packet Transport Routers do not support aggregated ethernet logical interface match conditions. However, child link interface matching is supported.

  • PTX Series Packet Transport Routers displays both counts if two different terms in a filter have the same match condition but they have different counts. T Series routers display one count only.

  • PTX Series Packet Transport Routers do not have separate policer instances when a filter is bound to multiple interfaces. Use the interface-specific configuration statement to create the configuration.

  • On PTX Series Packet Transport Routers, when an ingress interface has CCC encapsulation, packets coming in through the ingress CCC interface will not be processed by the egress filters.

  • For CCC encapsulation, the PTX Series Packet Transport Routers append an extra 8 bytes for egress Layer 2 filtering. The T Series routers do not. Therefore, egress counters on PTX Series Packet Transport Routers show an extra eight bytes for each packet which impacts policer accuracy.

  • On PTX Series Packet Transport Routers, output for the show pfe statistics traffic CLI command includes the packets discarded by DMAC and SMAC filtering. On T Series routers, the command output does not include these discarded packets because MAC filters are implemented in the PIC and not in the FPC.

  • The last-fragment packet that goes through a PTX firewall cannot be matched by the is-fragment matching condition. This feature is supported on T Series routers.

    A possible workaround on PTX Series Packet Transport Routers is to configure two separate terms with same the actions: one term contains a match to is-fragment and the other term contains a match to fragment-offset -except 0.

  • On PTX Series Packet Transport Routers, MAC pause frames are generated when packet discards exceed 100 Mbps. This occurs only for frame sizes that are less than 105 bytes.

Traffic Policiers

Junos OS firewall and policing software on PTX Series Packet Transport Routers supports IPv4 filters, IPv6 filters, MPLS filters, CCC filters, interface policing, LSP policing, MAC filtering, ARP policing, L2 policing, and other features. Exceptions are noted below.

  • PTX Series Packet Transport Routers support ARP policing. T Series routers do not.

  • PTX Series Packet Transport Routers do not support LSP policing.

  • PTX Series Packet Transport Routers do not support the hierarchical-policer configuration statement. .

  • PTX Series Packet Transport Routers do not support the interface-set configuration statement. This statement groups a number of interfaces into a single, named interface set.

  • PTX Series Packet Transport Routers do not support the following policer types for both normal policers and three-color policers:

    • logical-bandwidth-policer — Policer uses logical interface bandwidth.

    • physical-interface-policer — Policer is a physical interface policer.

    • shared-bandwidth-policer — Share policer bandwidth among bundle links.

  • When a policer action and forwarding-class, loss-priority actions are configured within the same rule (a Multifield Classification), the PTX Series Packet Transport Routers work differently than T Series routers. As shown below, you can configure two rules in the filter to make the PTX filter behave the same as the T Series filter:

    PTX Series configuration:

    T Series configuration: