Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Mapping OpenConfig Firewall Filter Commands to Junos Configuration

Note:

See OpenConfig Data Model Version topic to understand the data models supported version and its Junos OS or Junos Evolved OS release for Juniper Networks ACX Series, MX Series and PTX Series.

The following tables show the mapping of OpenConfig firewall filter commands with the relevant configuration in Junos OS:

  • Table 1: Differentiated Services code point (DSCP) Filter Configuration
  • Table 2: Google Discovery Protocol (GDP) and Traceroute Configuration
  • Table 3: MPLS Filter Configuration.

  • Table 4: IPv4 Filter Configuration
  • Table 5: IPv6 Filter Configuration
  • Table 6: Bind Configuration
  • Table 7: IPv6 Network Instance Filtering Configuration
  • Table 8: Network Instance Action Filtering Configuration
  • Table 9: Network Instance Bind Configuration
Table 1: Differentiated Services code point (DSCP) Filter Configuration

Command Name

OpenConfig Configuration

Junos Configuration

Filter

network-instances {
  network-instance n1 {
     policy-forwarding {
        policies {
            policy dscp-steer {
                config {
                    policy-id dscp-steer;
                }
                rules {
                    rule 1 { 
                        config {
                            sequence-id 1;
                        }
                        ipv4 {
                            config {
                                dscp <>;
                            }
                        }
                        ipv6 {
                            config {
                                dscp <>;
                            }
                        }
                        action {
                            config {
                                network-instance <>;
                            }
                        }
                      }
                 }
            }
        }
    }
}
firewall  {
  family inet {
    filter dscp-steer-ipv4-n1 {
        term 1 { 
            from { 
                interface et-1/0/0.0; 
                dscp <>;
           } 
            then { 
                routing-instance <>; 
            } 
        }
        term 2 {
            then accept;
  	}
    } 
  }
  family inet6 {
    filter dscp-steer-ipv6-n1 {
        term 1 { 
            from { 
                interface et-1/0/0.0; 
                traffic-class <>;
           } 
            then { 
                routing-instance <>; 
            } 
        }
        term 2 {
            then accept;
  	}
    } 
  }

}

Binding

network-instances {
  network-instance n1 {
    policy-forwarding {
        interfaces {
            interface et-1/0/0.0 {
                config {
                    apply-forwarding-policy dscp_steer;
                }
                interface-ref {
                    config {
                        interface et-1/0/0;
                        subinterface 0;
                    }
                }
            }
        }
     }
  } 
}
routing-instances {
      n1 {
            forwarding-options { 
                 family inet { 
                     filter { 
                         input dscp-steer-ipv4-n1;  
                     } 
                 } 
                 family inet6 { 
                     filter { 
                         input dscp-steer-ipv6-n1;  
                     } 
                 } 
            }
       }
} 

In case of binding to ‘default’ routing instance then following will be the junos config

forwarding-options { 
       family inet { 
              filter { 
                   input dscp-steer-ipv4-n1;  
              } 
       } 
       family inet6 { 
              filter { 
                    input dscp-steer-ipv6-n1;  
              } 
       } 
 }

This OpenConfig DSCP configuration is intended to filter traffic routed to a specific port according to the following set of input criteria specified in the device configuration:

  • An input Layer 3 interface
  • DSCP enabled
  • Using IP protocol as the transport

If there is no match, packets are filtered back to a default VRF context where they are routed according to the exposed header.

Table 2: Google Discovery Protocol (GDP) and Traceroute Filter Configuration

Command Name

OpenConfig Configuration

Junos Configuration

Filter

acl-sets { 
   acl-set gdp-trace-route-filter ACL_MIXED { 
        config { 
            name gdp-trace-route-filter; 
            type ACL_MIXED; 
        } 
        acl-entries { 
            acl-entry 1 { 
                config {
                    sequence-id 1;
                }
                l2 { 
                    config { 
                       ethertype 0x6007; 
                    } 
                } 
                actions { 
                    config { 
                       jnx-redirect <>; 
                    } 
                } 
            acl-entry 2 {
                config {
                    sequence-id 2;
                } 
                ipv4 { 
                    config { 
                        hop-limit 0; 
                    } 
                } 
                actions { 
                    config { 
                      jnx-redirect <>; 
                    } 
                } 
            acl-entry 3 {
                config {                
                    sequence-id 3;      
                }  
                ipv4 { 
                    config { 
                         hop-limit 1; 
                    } 
                } 
                actions { 
                    config { 
                       jnx-redirect <>; 
                    } 
                } 
            acl-entry 4 {
                config {                
                    sequence-id 4;      
                } 
                ipv6 { 
                    config { 
                          hop-limit 0; 
                    } 
                } 
                actions { 
                    config { 
                       jnx-redirect <>; 
                    } 
                } 
            acl-entry 5 { 
                config {                
                    sequence-id 5;      
                }  
                ipv6 { 
                    config { 
                          hop-limit 1; 
                    } 
                } 
                actions { 
                    config { 
                       jnx-redirect <>; 
                    } 
                } 
            } 
            acl-entry 6 { 
                config {                
                    sequence-id 6;      
                }
                actions { 
                    config { 
                       forwarding-action ACCEPT; 
                    } 
                } 
            } 
        } 
    } 
  } 
} 
firewall {
    family any {
        filter gdp-trace-route-filter {
            term 1 {
                from {
                    ether-type 0x6007;
                }
                then redirect <>;  
            }
            term 2 {
                from {
                    ip-version {
                        ipv4 {
                            ttl 0;
                        }
                    }
                }
                then redirect <>;  
            }
            term 3 {
                from {
                    ip-version {
                        ipv4 {
                            ttl 1;
                        }
                    }
                }
                then redirect <>;  
            }
            term 4 {                    
                from {                  
                    ip-version {        
                        ipv6 {          
                            hop-limit 0;
                        }               
                    }                   
                }                       
                then redirect <>;  
            }                           
            term 5 {                    
                from {                  
                    ip-version {        
                        ipv6 {          
                            hop-limit 1;
                        }               
                    }                   
                }                       
                then redirect <>;  
            }                           
            term 6 {                    
                then accept;            
            }                           
        }                               
    }                                   
} 
services {
    inline-monitoring {
        instance {
            <> {
                controller p4;
            }
        }
    }
}

The Junos redirect statement corresponds to the redirect action in the filter term. Inline monitoring is configured implicitly. The instance-name under the redirect statement cannot be modified. You need to delete the redirect statement and commit the configuration again.

Binding

interfaces { 
    interface et-0/0/1 { 
        config { 
             id et-0/0/1; 
        } 
        interface-ref { 
            config { 
                interface et-0/0/1; 
                subinterface 4000; 
            } 
        } 
        ingress-acl-sets { 
             ingress-acl-set gdp-trace-route-filter ACL_MIXED { 
                 config { 
                      set-name gdp-trace-route-filter; 
                      type ACL_MIXED; 
                } 
             } 
         } 
    } 
} 
/* gdp-trace-route-filter binding */ 
interfaces { 
     et-0/0/1 { 
         unit 4000 { 
               filter {
		 input gdp-trace-route-filter; 
               }
         } 
     } 
} 
Table 3: MPLS Filter Configuration

Command Name

OpenConfig Configuration

Junos Configuration

Traffic class

acl-sets { 
    acl-set <> ACL_MPLS { 
        acl-entries { 
            acl-entry 1 { 
                mpls { 
                    config { 
                        traffic-class <>; 
                    } 
                } 
            } 
        } 
    } 
} 
family mpls { 
    filter <> { 
        term <> { 
            from { 
                exp0 <>; 
            } 
        } 
    } 
}  

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/mpls/config/traffic-class

Start label value

acl-sets { 
    acl-set <> ACL_MPLS { 
        acl-entries { 
            acl-entry 1 { 
                mpls { 
                    config { 
                        start-label-value <>; 
                    } 
                } 
            } 
        } 
    } 
} 
family mpls { 
    filter <> { 
        term <> { 
            from { 
                label 0 <>; 
            } 
        } 
    } 
}  

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/mpls/config/start-label-value

End label value

acl-sets { 
    acl-set <> ACL_MPLS { 
        acl-entries { 
            acl-entry 1 { 
                mpls { 
                    config { 
                        end-label-value <>; 
                    } 
                } 
            } 
        } 
    } 
} 
family mpls { 
    filter <> { 
        term <> { 
            from { 
                label 0 <>; 
            } 
        } 
    } 
}  

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/mpls/config/end-label-value

Table 4: IPv4 Filter Configuration

Command Name

OpenConfig Configuration

Junos Configuration

destination address

acl-sets {
     acl-set <> ACL_IPV4 {
         acl-entries {
             acl-entry <> {
                 ipv4 {
                     config {
                         destination-address <>;
                     }
                 }
             }
         }
     }
 }
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    destination-address {
                        <>;
                    }
                }
            }
        }
    }
}  

OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/destination-address

DSCP

acl-sets {
     acl-set <> ACL_IPV4 {
         acl-entries {
             acl-entry <> {
                 ipv4 {
                     config {
                         dscp <>;
                     }
                 }
             }
         }
     }
 }
Firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    dscp <>;
                }
            }
        }
    }
}

OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/dscp

hop limit

acl-sets {
     acl-set <> ACL_IPV4 {
         acl-entries {
             acl-entry <> {
                 ipv4 {
                     config {
                         hop-limit <>;
                     }
                 }
             }
         }
     }
 }
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    ttl <>;
                }
            }
        }
    }
}

OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/hop-limit

protocol

acl-sets {
     acl-set <> ACL_IPV4 {
         acl-entries {
             acl-entry <> {
                 ipv4 {
                     config {
                         protocol <>;
                     }
                 }
             }
         }
     }
 }
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    protocol <>;
                }
            }
        }
    }
}

OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/protocol

source address

acl-sets {
     acl-set <> ACL_IPV4 {
         acl-entries {
             acl-entry <> {
                 ipv4 {
                     config {
                         source-address <>;
                     }
                 }
             }
         }
     }
 }
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    source-address {
                        <>;
                    }
                }
            }
        }
    }
}

OpenConfig path: acl/acl-sets/acl-set/acl-entries/acl-entry/ipv4/config/source-address

destination port

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                transport {
                    config {
                        destination-port <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    destination-port <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/destination-port

source port

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                transport {
                    config {
                        source-port <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    source-port <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/source-port

TCP flags

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                transport {
                    config {
                        tcp-flags <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    tcp-flags <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/tcp-flags

interface

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                input-interface {
                    interface-ref {
                        config {
                            interface <>;
                            subinterface <>;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                from {
                    interface <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/input-interface/interface-ref/config/interface-subinterface

forwarding-action ACCEPT

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        forwarding-action ACCEPT;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                then accept;
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action

forwarding-action DROP

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        forwarding-action DROP;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                then {
                    discard;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action

forwarding-action REJECT

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        forwarding-action REJECT;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                then {
                    reject;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action

log-action LOG_SYSLOG

acl-sets {
    acl-set <> ACL_IPV4 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        log-action LOG_SYSLOG;
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                then syslog;
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/log-action

Table 5: IPv6 Filter Configuration

Command Name

OpenConfig Configuration

Junos Configuration

destination address

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                ipv6 {
                    config {
                        destination-address <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    destination-address {
                        <>;
                    }
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/destination-address

hop limit

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                ipv6 {
                    config {
                        hop-limit <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    hop-limit <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/hop-limit

protocol

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                ipv6 {
                    config {
                        protocol <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    next-header <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/protocol

source address

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                ipv6 {
                    config {
                        source-address <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    source-address {
                        <>;
                    }
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/source-address

DSCP

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                ipv6 {
                    config {
                        dscp <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    traffic-class <>;
                    }
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/ipv6/config/dscp

destination port

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                transport {
                    config {
                        destination-port <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    destination-port <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/destination-port

source port

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                transport {
                    config {
                        source-port <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    source-port <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/source-port

TCP flags

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                transport {
                    config {
                        tcp-flags <>;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    tcp-flags <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/transport/config/tcp-flags

interface

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                input-interface {
                    interface-ref {
                        config {
                            interface <>;
                            subinterface <>;
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    interface <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/input-interface/interface-ref/config/interface

forwarding-action ACCEPT

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        forwarding-action ACCEPT;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                then accept;
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action

forwarding-action DROP

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        forwarding-action DROP;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                then discard;
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action

forwarding-action REJECT

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        forwarding-action REJECT;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                then {
                    reject;
                }
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/forwarding-action

log-action LOG_SYSLOG

acl-sets {
    acl-set <> ACL_IPV6 {
        acl-entries {
            acl-entry <> {
                actions {
                    config {
                        log-action LOG_SYSLOG;
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                then syslog;
            }
        }
    }
}

OpenConfig path: /acl/acl-sets/acl-set/acl-entries/acl-entry/actions/config/log-action

Table 6: Bind Configuration

Command Name

OpenConfig Configuration

Junos Configuration

ingress bind configuration

openconfig-acl:acl {
    interfaces {
        interface <> {
            interface-ref {
                config {
                    interface <>;
                    subinterface <>;
                }
            }
            ingress-acl-sets {
                ingress-acl-set <> ACL_IPV6;
            }
        }
    }
}
interfaces {
    xe-<> {
        unit 0 {
            family inet6 {
                filter {
                    input <>;
                }
            }
        }
    }
}

OpenConfig path: /acl/interfaces/interface/config/interface/interface-ref/config/interface/ingress-acl-sets/ingress-acl-set

egress bind configuration

openconfig-acl:acl {
    interfaces {
        interface <> {
            interface-ref {
                config {
                    interface <>;
                    subinterface <>;
                }
            
            }
            egress-acl-sets {
                egress-acl-set <> ACL_IPV6;
            }
        }
    }
}
interfaces {
    <> {
        unit 0 {
            family inet6 {
                filter {
                    output <>;
                    
                }
            }
        }
    }
}

OpenConfig path: /acl/interfaces/interface/config/interface/interface-ref/config/interface/egress-acl-sets/egress-acl-set

Table 7: IPv6 Network Instance Filtering Configuration

Command Name

OpenConfig Configuration

Junos Configuration

destination address

network-instances {
    network-instance <> {
        policy-forwarding {
            policies {
                policy <> {
                    rules {
                        rule <> {
                            ipv6 {
                                config {
                                    destination-address <>;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    destination-address {
                        <>;
                    }
                }
            }
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/destination-address

hop limit

network-instances {
    network-instance <> {
        policy-forwarding {
            policies {
                policy <> {
                    rules {
                        rule <> {
                            ipv6 {
                                config {
                                    hop-limit <>;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    ttl <>;
                }
            }
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/hop-limit

protocol

network-instances {
    network-instance <> {
        policy-forwarding {
            policies {
                policy <> {
                    rules {
                        rule <> {
                            ipv6 {
                                config {
                                    protocol <>;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    protocol <>;
                }
            }
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/protocol

source address

network-instances {
    network-instance <> {
        policy-forwarding {
            policies {
                policy dscp <> {
                    rules {
                        rule <> {
                            ipv6 {
                                config {
                                    source-address <>;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                from {
                    source-address <>;
                }
            }
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/ipv6/config/source-address

action: discard

network-instances {
    network-instance <> {
        policy-forwarding {
            policies {
                policy <> {
                    rules {
                        rule <> {
                            action {
                                config {
                                    discard <>;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet6 {
        filter <> {
            term <> {
                then {
                    discard;
                }
            }
        }
    }
}
Table 8: Network Instance Action Filtering Configuration

Command Name

OpenConfig Configuration

Junos Configuration

action: discard

network-instances {
    network-instance <> {
        policy-forwarding {
            policies {
                policy <> {
                    rules {
                        rule <> {
                            action {
                                config {
                                    discard <>;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                then {
                    discard;
                }
            }
        }
    }
}

firewall {
    family inet6 {
        filter <> {
            term <> {
                then {
                    discard;
                }
            }
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy/rules/rule/action/config/discard

action: config network-instance

network-instances {
    network-instance <> {
        policy-forwarding {
            policies {
                policy dscp-steer {
                    rules {
                        rule <> {
                            action {
                                config {
                                    network-instance <>;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
firewall {
    family inet {
        filter <> {
            term <> {
                then {
                    routing-instance <>;
                }
            }
        }
    }
}

firewall {
    family inet6 {
        filter <> {
            term <> {
                then {
                    routing-instance <>;
                }
            }
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/policies/policy dscp-steer/rules/rule/action/config/network-instance

Note:

When the network-instance leaf is set, packets matching the match criteria for the forwarding rule should be looked up in the network instance that is referenced rather than the network-instance with which the interface is associated. This configuration permits policy routing for multiple subtopologies from a single ingress access interface.

Table 9: Network Instance Bind Configuration

Command Name

OpenConfig Configuration

Junos Configuration

INET: apply forwarding policy (default routing instance)

INET interface bind ingress (default routing instance)

network-instances {
    network-instance <> {
        policy-forwarding {
            interfaces {
                interface <> {
                    config {
                        apply-forwarding-policy <>;
                    }
                    interface-ref {
                        config {
                            interface <>;
                            subinterface <>;
                        }
                    }
                }
            }
        }
    }
}

INET interface bind ingress (default routing instance)

firewall {
    family inet {
        filter <> {
            term <> { 
                then {
                    next-interface; 
                }
            }
        }
    }
}

forwarding-options {
    family inet {
        filter {
            input <>;
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/interfaces/interface/config/apply-forwarding-policy/interface-ref/config/interface/subinterface

Note:

Use the apply-forwarding-policy leaf to apply the policy to an interface. Packets ingressing on the referenced interface should be compared to the match criteria within the specified policy. If the criteria are met, the forwarding actions specified are applied. These policies do not take precedence over any quality of service classification or ACL actions on the corresponding interface.

INET: apply forwarding policy (not a default routing instance)

INET interface bind ingress (not a default routing instance)

network-instances {
    network-instance <> {
        policy-forwarding {
            interfaces {
                interface <> {
                    config {
                        apply-forwarding-policy <>;
                    }
                    interface-ref {
                        config {
                            interface <>;
                            subinterface <>;
                        }
                    }
                }
            }
        }
    }
}

INET interface bind ingress (not a default routing instance)

firewall {
    family inet {
        filter <> {
            term <> { 
                then {
                    next-interface; 
                }
            }
        }
    }
}

routing-instances {
    <> {
        forwarding-options {
            family inet {
                filter {
                    input <>;
                }
            }
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/interfaces/interface/config/apply-forwarding-policy/interface-ref/config/interface/subinterface

INET6: apply forwarding policy (default routing instance)

INET6 interface bind ingress (default routing instance)

network-instances {
    network-instance <> {
        policy-forwarding {
            interfaces {
                interface <> {
                    config {
                        apply-forwarding-policy <>;
                    }
                    interface-ref {
                        config {
                            interface <>;
                            subinterface <>;
                        }
                    }
                }
            }
        }
    }
}

INET6 interface bind ingress (default routing instance)

firewall {
    family inet6 {
        filter <> {
            term <> { 
                then {
                    next-interface; 
                }
            }
        }
    }
}

forwarding-options {
    family inet6 {
        filter {
            input <>;
        }
    }
}

OpenConfig path: /network-instances/network-instance/policy-forwarding/interfaces/interface/config/apply-forwarding-policy/interface-ref/config/interface/subinterface

INET6: apply forwarding policy (not a default routing instance)

INET6 interface bind ingress (not a default routing instance)

network-instances {
    network-instance <> {
        policy-forwarding {
            interfaces {
                interface <> {
                    config {
                        apply-forwarding-policy <>;
                    }
                    interface-ref {
                        config {
                            interface <>;
                            subinterface <>;
                        }
                    }
                }
            }
        }
    }
}

INET6 interface bind ingress (not a default routing instance)

firewall {
    family inet6 {
        filter <> {
            term <> { 
                then {
                    next-interface; 
                }
            }
        }
    }
}

routing-instances {
    <> {
        forwarding-options {
            family inet6 {
                filter {
                    input <>;
                }
            }
        }
    }
}
Note:

Please note that these filters will be implemented as an input forwarding table filter.

Note:

Egress filtering is not supported.