Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Firewall Filter Support on Loopback Interface

A loopback interface is a gateway for all the control traffic that enters the Routing Engine of the router. If you want to monitor this control traffic, you must configure a firewall filter on the loopback interface (lo0).

Loopback firewall filters are only applied to packets sent to the Routing Engine for further processing. Both inet and inet6 family filters are supported, and you can apply a firewall filter in the ingress and egress directions on the lo0 interface. However, only interface-specific instances of the firewall filter are supported.

For standard firewall filter match conditions, see Match Conditions for IPv4 Traffic (ACX Series Routers).

The firewall filter on lo0 handles the following exception packets in ingress direction:

  • TTL exception packets

  • Multicast packets having 224.0.0.x as the destination IP address

  • Broadcast packets

  • IP option packets


Although policer actions can be attached to loopback filters in the ingress direction, the exact behavior depends on the CPU RX queue configurations. For example, rate limiting in ingress direction (through policer configuration) occurs after any CPU rate limiters.

The following is a sample configuration for attaching a firewall to the loopback interface: