Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
match these packets using the interface-group match statement, as described in
“Configuring IPv4 Match Conditions” on page 197. The interface-group match statement
is supported only by the IPv4, IPv6, circuit cross-connects (CCC), and VPLS protocol
families.
To define an interface to be part of an interface group, include the group statement at
the [edit interfaces interface-name unit logical-unit-number family family-name filter]
hierarchy level:
[edit interfaces interface-name unit logical-unit-number family filter]
group group-number;
input filter-name;
output filter-name;
In the group statement, specify the interface group number to be associated with the
filter.
In the input statement, list the name of one firewall filter to be evaluated when packets
are received on the interface.
In the output statement, list the name of one firewall filter to be evaluated when packets
are transmitted on the interface.
NOTE: The Junos OS also supports defining interface sets to which to you
can apply a firewall filter. An interface set lets you define a group a set of
logical interfaces and apply hierarchical schedulers for class of services (CoS)
to the interface set. For more information about the interface-set
interface-set-name firewall filter match condition, see “Configuring IPv4 Match
Conditions” on page 197. The interface-set match condition is supported by
the IPv4, IPv6, and protocol-independent protocol families and on MX Series
routers only. For more information about configuring hierarchical schedulers
for CoS, see the Junos Class of Service Configuration Guide.
Example: Defining Interface Groups
Create a filter that contains an interface group:
[edit firewall]
family inet {
filter if-group {
term group1 {
from {
interface-group 1;
address {
192.168.80.114/32;
}
protocol tcp;
port finger;
}
then {
count if-group-counter1;
log;
238
Copyright © 2010, Juniper Networks, Inc.