
Applying a Filter to an Interface

To apply firewall filters to an interface, include the filter statement:

filter {
    group filter-group-number;
    input filter-name;
    output filter-name;
}

To apply a single filter, include the input statement:

filter {
    input filter-name;
}

To apply a list of filters to evaluate packets received on an interface, include the input-list statement.

filter {
    input-list [ filter-names ];
}

Up to 16 filter names can be included in an input list.

To apply a list of filters to evaluate packets transmitted on an interface, include the output-list statement.

filter {
    output-list [ filter-names ];
}

When you apply filters using the input-list statement or the output-list statement, a new filter is created with the name <interface-name>.<unit-direction>. This filter is exclusively interface-specific.

You can include these statements at the following hierarchy levels:

In the family statement, the protocol family can be ccc, inet, inet6, mpls, or vpls.

In the group statement, specify the interface group number to associate with the filter.

In the input statement, list the name of one firewall filter to be evaluated when packets are received on the interface.

In the input-list statement, list the names of filters to evaluate when packets are received on the interface. You can include up to 16 filter names.

In the output statement, list the name of one firewall filter to be evaluated when packets are transmitted on the interface.

Note: Output filters do not work for broadcast and multicast traffic, including VPLS traffic, as shown in Example: Applying a Filter to an Interface.

In the output-list statement, list the names of filters to evaluate when packets are transmitted on the interface. You can include up to 16 filter names.

You can use the same filter one or more times. On M-series platforms (except the M320 and M120 routers), if you apply a firewall filter or policer to multiple interfaces, the filter or policer acts on the sum of traffic entering or exiting those interfaces.

On T-series, M120, and M320 platforms, interfaces are distributed among multiple packet forwarding components. Therefore, on these platforms, if you apply a firewall filter or policer to multiple interfaces, the filter or policer acts on the traffic stream entering or exiting each interface, regardless of the sum of traffic on the multiple interfaces.

If you apply the filter to the interface lo0, it is applied to packets received or transmitted by the Routing Engine. You cannot apply MPLS filters to the management interface (fxp0) or the loopback interface (lo0).
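A lint check for the constraints stated above (at most 16 names in an input or output list, the five protocol families, no MPLS filters on fxp0 or lo0), as an added example that is not part of the original JUNOS documentation. It assumes the configuration is available as one `set interfaces ... filter ...` line per filter name; that input format, the `audit` function, and the sample interface and filter names are assumptions.

```python
import re
from collections import defaultdict

FAMILIES = {"ccc", "inet", "inet6", "mpls", "vpls"}  # families named in this section
MAX_LIST = 16                                        # limit for input-list / output-list
NO_MPLS_IFACES = {"fxp0", "lo0"}                     # MPLS filters cannot be applied here

# Assumed input format: one "set" line per filter name.
LINE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family (\S+) filter "
    r"(input|output|input-list|output-list) (\S+)$")

def audit(config_text):
    """Return findings for filter applications that break the stated rules."""
    findings = []
    lists = defaultdict(list)  # (location, statement) -> filter names seen
    for raw in config_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a filter application line
        ifd, unit, family, stmt, name = m.groups()
        where = f"{ifd}.{unit} family {family}"
        if family not in FAMILIES:
            findings.append(f"{where}: family not valid for filter {name}")
        if family == "mpls" and ifd in NO_MPLS_IFACES:
            findings.append(f"{where}: MPLS filter {name} not allowed on {ifd}")
        if stmt.endswith("-list"):
            lists[(where, stmt)].append(name)
    for (where, stmt), names in lists.items():
        if len(names) > MAX_LIST:
            findings.append(
                f"{where}: {stmt} has {len(names)} filters (max {MAX_LIST})")
    return findings

# Constructed sample: 17 filters in one input-list, plus an MPLS filter on lo0.
SAMPLE = "\n".join(
    [f"set interfaces ge-0/0/0 unit 0 family inet filter input-list f{i}"
     for i in range(17)]
    + ["set interfaces lo0 unit 0 family mpls filter input mpls-guard",
       "set interfaces lo0 unit 0 family inet filter input protect-re"])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```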

For more information about firewall filters, see the JUNOS Policy Framework Configuration Guide. For more information about MPLS filters, see the JUNOS MPLS Applications Configuration Guide.

See also the following sections:

