AACL Overview
Starting with Junos OS Release 12.1, all interface-style services are supported for dynamic Point-to-Point Protocol over Ethernet (PPPoE) subscribers on all MX Series routers with Modular Port Concentrators (MPCs).
The application-aware access list (AACL) service uses application names and groups as matching criteria for filtering traffic. AACL is a stateless, rules-based service that must be combined with application identification so that policies can be applied to flows based on application and application group membership in addition to traditional packet matching rules. It is supported on MX Series routers equipped with Multiservices DPCs and on M120 or M320 routers equipped with Multiservices 400 PICs. Starting with Junos OS Release 11.3, AACL is also supported on T320, T640, and T1600 routers.
AACL is configured in a similar way to other rules-based services such as Network Address Translation (NAT), class of service (CoS), and stateful firewall. To configure AACL, include rule specifications for match criteria and actions at the [edit services aacl] hierarchy level. You can chain AACL rules along with other service rules by including them in a service-set definition at the [edit services service-set] hierarchy level, as previously documented.
There is one pair of related operational commands, show/clear application-aware-access-list statistics. For more information on the operational command, see the CLI Explorer.
Because the Junos OS extension-provider package framework lacks aggressive constraint checks, you should not set the policy-db-size statement at the [edit chassis fpc slot-number pic pic-number adaptive-services service-package extension-provider] hierarchy level to a high value. For Junos Application Aware (previously known as dynamic application awareness) configurations, the recommended values for the extension-provider options at this hierarchy level are as follows:
control-cores=1
data-cores=7
object-cache-size=1280 (for Multiservices 400 PIC and Multiservices DPC)
policy-db-size=200
Include these package values: jservices-aacl
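Because the framework does not enforce these limits itself, the values are worth checking outside the router. The following audit script is an added example, not Juniper code: it assumes the configuration has been exported in set format, and the sample lines (including the value 4096) are constructed for illustration.

```python
import re

# Recommended extension-provider values, as listed on this page.
RECOMMENDED = {"control-cores": 1, "data-cores": 7,
               "object-cache-size": 1280, "policy-db-size": 200}

# One set-format line under the extension-provider hierarchy.
LINE_RE = re.compile(
    r"^set chassis fpc (\d+) pic (\d+) adaptive-services service-package "
    r"extension-provider (\S+) (\S+)$")

def audit(config_text):
    """Return (fpc, pic, option, message) findings, ordered by FPC/PIC."""
    seen = {}  # (fpc, pic) -> {option: value}; "package" holds a set of names
    for line in config_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        slot = seen.setdefault((int(m[1]), int(m[2])), {"package": set()})
        if m[3] == "package":
            slot["package"].add(m[4])
        else:
            slot[m[3]] = m[4]
    findings = []
    for (fpc, pic), opts in sorted(seen.items()):
        for option, want in RECOMMENDED.items():
            got = opts.get(option)
            if got is None:
                findings.append((fpc, pic, option, "not set"))
            elif got != str(want):
                findings.append((fpc, pic, option, f"{got} (recommended {want})"))
        if "jservices-aacl" not in opts["package"]:
            findings.append((fpc, pic, "package", "jservices-aacl missing"))
    return findings

# Constructed sample: FPC 1 PIC 0 matches the page, FPC 2 PIC 0 does not.
PFX = "set chassis fpc {} pic 0 adaptive-services service-package extension-provider "
SAMPLE = "\n".join([
    PFX.format(1) + "control-cores 1",
    PFX.format(1) + "data-cores 7",
    PFX.format(1) + "object-cache-size 1280",
    PFX.format(1) + "policy-db-size 200",
    PFX.format(1) + "package jservices-aacl",
    PFX.format(2) + "control-cores 1",
    PFX.format(2) + "data-cores 7",
    PFX.format(2) + "object-cache-size 1280",
    PFX.format(2) + "policy-db-size 4096",
])
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Run against the constructed sample, it reports the oversized policy-db-size and the missing jservices-aacl package on FPC 2 PIC 0 and nothing for FPC 1 PIC 0.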