To allow equitable bandwidth sharing between all logical interfaces on a single shared physical interface, you configure firewall filters on the logical interfaces in the PSD configuration.
Whereas the RSD controls the physical shared interface and allocates a logical interface on it to the PSD, the PSD controls the configuration under the logical interface, including the protocol family. The shared interface on the RSD is not aware of the protocol family information associated with the logical interface. Therefore, on the PSD, the firewall filter must be configured under the [edit firewall family any] hierarchy, and the filter is applied to the entire logical interface (as opposed to a protocol family under the interface). With JUNOS Release 9.4, only output filters are supported.
To configure a firewall filter, create the filter conditions and apply the filter to the logical interfaces:
In the following example, term 1 and term 2 of the firewall filter filter-out provide per-class policing and term 3 provides logical interface-based policing. The filter is applied to the so-4/5/6.0 logical interface.
    firewall family any {
        filter filter-out {
            term 1 {
                from {
                    forwarding-class voice;
                }
                then {
                    policer tx-voice;
                    next term;
                }
            }
            term 2 {
                from {
                    forwarding-class data;
                }
                then {
                    policer tx-data;
                    next term;
                }
            }
            term 3 {
                then policer iflpolicer;
            }
        }
    }
    interfaces {
        ut-1/2/3 {
            unit 0 {
                peer-interface so-4/5/6.0;
            }
        }
        so-4/5/6 {
            encapsulation frame-relay;
            unit 0 {
                peer-interface ut-1/2/3.0;
                filter output filter-out;
                family inet {
                    address 192.168.0.1/24;
                }
                family inet6 {
                    address fec0::1/64;
                }
            }
        }
    }
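The filter above refers to three policers, tx-voice, tx-data, and iflpolicer, that it does not define. The following fragment is an added example, not part of the original guide, showing one way they could be defined on the PSD under [edit firewall]; the bandwidth and burst values are constructed for illustration and must be sized to the share of the physical interface that the logical interface is meant to receive.

```junos
firewall {
    /* Per-class policer referenced by term 1 (forwarding-class voice).
       Rates are constructed sample values. */
    policer tx-voice {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
    /* Per-class policer referenced by term 2 (forwarding-class data). */
    policer tx-data {
        if-exceeding {
            bandwidth-limit 30m;
            burst-size-limit 300k;
        }
        then discard;
    }
    /* Aggregate policer referenced by term 3. Because terms 1 and 2 end
       with "next term", voice and data traffic that passes its class
       policer is evaluated here as well, so this value caps the total
       output of the logical interface. */
    policer iflpolicer {
        if-exceeding {
            bandwidth-limit 40m;
            burst-size-limit 400k;
        }
        then discard;
    }
}
```

Traffic in any other forwarding class matches neither term 1 nor term 2 and is limited only by iflpolicer in term 3.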
For more information about firewall filters, see the JUNOS Policy Framework Configuration Guide.