Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Routing Policy and Firewall Filters

  • Layer 2 and layer 3 support for flood policers (PTX10001-36MR, PTX10004, PTX10008, and PTX10016)—Starting in Junos OS Evolved Release 21.4R1, you can configure firewall filters for flood policers on L2 (family CCC) and L3 (family any) traffic, in both the ingress and egress directions. Most match conditions (except Packet-length) and most actions are supported.

    See Firewall Filter Match Conditions and Actions.

  • Support for forwarding class and PLP as policer actions (PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016)—Starting in Junos OS Evolved Release 21.4R1, you can use forwarding class, and both forwarding class and packet loss priority (PLP) together, as policer actions in policer policy configurations. This includes both the ingress and egress directions.

    See Forwarding Class and Loss Priority.

  • Support for input-chain and output-chain CLI filters (PTX10001-36MR, PTX10003, PTX10004, PTX10008, and PTX10016)—Starting from Junos OS Evolved Release 21.4R1, you can use multiple levels of CLI filters. The filter chain helps in logically grouping filters with a specific pattern of rules, instead of evaluating all the filter terms in one filter and deciding at the last term of it. The feature provides you the flexibility in modeling the filters as and when it is applicable in the solution. You can configure up to 8 filters in both input-chain and output-chains.

    You can apply the filter chain as follows:

    set interfaces interface-name unit unit family inet filter input-chain [filter1 filter2 filter3];

    set interfaces interface-name unit unit family inet filter output-chain [filter1 filter2 filter3];

    [See input-chain, output-chain, and Example: Using Firewall Filter Chains.]

  • Support for profiles to improve the firewall filter scale (QFX5130-32CD, QFX5700, and QFX5220 )—Starting in Junos OS Evolved Release 21.4R1, you can apply firewall filters for inet and Ethernet-based switching using firewall filter profiles. You can use the profiles configuration statement at the [edit system packet-forwarding-options firewall] hierarchy level to configure firewall filter profiles. The firewall filter profiles are mapped to a subset of match conditions. This helps you to plan and apply firewall filter profiles to achieve maximum scale.

    You can use the following CLI commands to display the profile information and the pipe that each physical interface is mapped to:

    • show pfe filter hw profile-info

    • show pfe filter hw port-pipe-info

    [See How to Increase the Scale of Firewall Filters Using Profiles.]