In many cases, a firewall configuration references objects outside the firewall configuration. As a general rule, the referenced object must be defined under the same logical system as the referencing object. However, there are cases when the configuration of the referenced object is not supported at the [edit logical-systems logical-system-name] hierarchy level.
In the following example, the service filter inetsf1 references the prefix list prefix1. The service set fred cannot be defined under the logical system lr1. In this case, the [edit services] hierarchy is searched for the definition of fred. This configuration is allowed because the [edit logical-systems logical-system-name] hierarchy already had the capability to reference service sets outside the logical system hierarchy.
```
[edit]
logical-systems {
    ls1 {
        interfaces {
            fe-0/3/2 {
                unit 0 {
                    family inet {
                        service {
                            input {
                                service-set fred service-filter lr1inetsf1;
                            }
                        }
                    }
                }
            }
        }
        policy-options {
            prefix-list prefix1 {
                1.1.0.0/16;
                1.2.0.0/16;
                1.3.0.0/16;
            }
        }
        firewall {
            policer pol1 {
                if-exceeding {
                    bandwidth-limit 401k;
                    burst-size-limit 50k;
                }
                then discard;
            }
            filter filter1 {
                term one {
                    from {
                        source-address 12.1.0.0/16;
                    }
                    then {
                        reject host-unknown;
                    }
                }
                term two {
                    from {
                        source-address 12.2.0.0/16;
                    }
                    then policer pol1;
                }
            }
            family inet {
                service-filter inetsf1 {
                    term term1 {
                        from {
                            source-prefix-list {
                                prefix1;
                            }
                        }
                        then count prefix1;
                    }
                }
            }
        }
    }
}
services {
    service-set fred {
        max-flows 100;
        interface-service {
            service-interface sp-1/2/0.0;
        }
    }
}
```