Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
NOTE: On MX Series routers only, you cannot apply as an output filter, a
firewall filter configured at the [edit firewall filter family ccc] hierarchy level.
Firewall filters configured for the family ccc statement can be applied only
as input filters on MX Series routers.
In the input-list statement, list the names of firewall filters to be evaluated when packets
are received on the interface. You can specify up to 16 firewall filters for the filter input
list. In the output-list statement, list the names of firewall filters to be evaluated when
packets are transmitted from the interface. You can specify up to 16 firewall filters for
the filter output list.
Unless you use an input filter list or an output filter list, you can apply only one input and
one output firewall filter to each interface. You can use the same filter one or more times.
The input-list and output-list statements are not supported for simple filters or service
filters.
NOTE: The input-list filter-names and output-list filter-names statements for
firewall filters for the ccc and mpls protocol families are supported on all
interfaces except management and internal Ethernet (fxp) interfaces,
loopback (lo0) interfaces, and USB modem (umd) interfaces.
For more information about applying input lists and output lists, see “Overview of Firewall
Filter Lists” on page 239. For more general information about configuring filters on
interfaces, see the Junos OS Network Interfaces Configuration Guide.
When you apply a filter to an interface, it is evaluated against all the data packets passing
through that interface. The exception is the loopback interface, lo0, which is the interface
to the Routing Engine and carries no data packets. If you apply a filter to the lo0 interface,
the filter affects the local packets received or transmitted by the Routing Engine.
Filters apply to all packets entering an interface, not just the packets destined for the
Routing Engine. To filter packets destined for the Routing Engine, configure the group
statement at the [edit interfaces interface-name unit logical-unit-number family family-name
filter] hierarchy level. For more information, see “Defining Interface Groups” on page 237.
You can configure the following additional properties when applying filters to interfaces:
• Configuring Interface-Specific Counters on page 236
• Defining Interface Groups on page 237
Configuring Interface-Specific Counters
When you configure a firewall filter that is applied to multiple interfaces, you can name
individual counters specific to each interface. These counters enable you to easily maintain
statistics on the traffic transiting the different interfaces. A separate instance of the
interface-specific firewall filter is created for each interface to which you apply the filter.
236
Copyright © 2010, Juniper Networks, Inc.