Applying Firewall Filters to Interfaces
For a firewall filter to work, you must apply it to at least one interface. To do this, include the filter statement when configuring a logical interface at the [edit interfaces] hierarchy level:
[edit interfaces]
user@switch# set interface-name unit logical-unit-number family family-name filter (input | output) filter-name
In the input statement, specify a firewall filter to be evaluated when packets are received on the interface. Input filters applied to a loopback interface affect only traffic destined for the Routing Engine.
In the output statement, specify a filter to be evaluated when packets exit the interface.
When you create a loopback interface, it is important to apply an ingress filter to it so the Routing Engine is protected. We recommend that when you apply a filter to the loopback interface lo0, you include the apply-groups statement. Doing so ensures that the filter is automatically inherited on every loopback interface, including lo0 and other loopback interfaces.
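
An added example, not taken from the original page: one way to carry out the loopback recommendation above in set-command form. The group name lo-protect, the filter name protect-re, the term names, and all addresses are hypothetical, and the filter accepts only one service for illustration.

```junos
# Constructed example; all names and addresses are hypothetical.

# Filter evaluated for traffic destined for the Routing Engine.
set firewall family inet filter protect-re term allow-mgmt-ssh from source-address 198.51.100.0/24
set firewall family inet filter protect-re term allow-mgmt-ssh from protocol tcp
set firewall family inet filter protect-re term allow-mgmt-ssh from destination-port ssh
set firewall family inet filter protect-re term allow-mgmt-ssh then accept
# A production filter needs an accept term for every protocol the Routing
# Engine must receive (routing protocols, SNMP, NTP, ...) before this term.
set firewall family inet filter protect-re term drop-rest then discard

# Group that attaches the filter as an input filter; <*> matches any unit number.
set groups lo-protect interfaces lo0 unit <*> family inet filter input protect-re
set apply-groups lo-protect

# Loopback unit that inherits the filter from the group.
set interfaces lo0 unit 0 family inet address 192.0.2.1/32
```

In configuration mode, show interfaces lo0 | display inheritance lists the filter statement each unit inherits from the group, which lets you confirm coverage before committing. Using commit confirmed for the first commit of a Routing Engine filter rolls the change back automatically if the new filter cuts off your management session.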