Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Routing Policy and Firewall Filters

  • Layer 2 and Layer 3 support for flood policers (PTX10002-36QDD)—You can configure firewall filters for flood policers on Layer 2 (family ccc) and Layer 3 (family any) traffic, in both the ingress and egress directions. Most match conditions (except packet-length) and most actions are supported.

  • Firewall filtering using flood policer, IRB, and service provider egress filtering (PTX10002-36QDD)—You can use the flood policer feature to control flooding of the network with broadcast, unknown unicast, and multicast (BUM) traffic, and this control includes the EVPN flood policer. We now support inner VLAN ID and inner VLAN priority on ingress and egress and service provider style egress filters. Service provider style egress filters are Layer 2 filters attached in the egress direction for L2 interfaces configured in the service provider style. IRB filters are attached to an IRB interface configured for transitioning packets from Layer 2 to Layer 3 forwarding and vice versa (both entering or exiting the L3 interface) to control flooding of traffic in a given bridge domain. You can attach filters to IRB interfaces for both ingress and egress, but the execution of filters is different for each direction.

    Note:

    EVPN-MPLS configurations also support flood policers.

    [See Policer Support for Aggregated Ethernet Interfaces Overview.]

  • Match the flow-label field in an IPv6 packet (PTX10002-36QDD, PTX10008)—Support is added for matching the 20-bit flow-label field in the header of an IPv6 packet. Two new match conditions have been added - flow-label flow label value and flow-label flow label value mask mask value.

    [See Firewall Filter Match Conditions for IPv6 Traffic.]

  • Increase firewall filter scale over performance (PTX10002-36QDD)—You can use scale-mode to accommodate more firewall filter terms, when the need is to provide more scale than performance. You can use no-incremental-update to prevent the filter from undergoing incremental update.

    [See scale-mode and no-incremental-update.]

  • Support added to hierarchical policers for applying user-selectable bandwidth for premium and non-premium traffic (PTX10002-36QDD)—You can use the new firewall filter action policer-charge to subtract available bandwidth credits and make it available to the aggregate policer.

    [See policer-charge.]