Juniper ACX1000 Configuration Manual page 951

Copyright © 2017, Juniper Networks, Inc.
NOTE: For a specified interface, you can configure both a multifield classifier
and a BA classifier without conflicts. Because the classifiers are always
applied in sequential order, the BA classifier followed by the multifield
classifier, any BA classification result is overridden by a multifield classifier
if they conflict.
To activate (apply) a multifield classifier, you must configure it on a logical interface.
There is no restriction on the number of multifield classifiers you can configure.
NOTE: For MX Series routers and EX Series switches, if you configure a firewall
filter with a DSCP action or traffic-class action on a DPC, the commit does
not fail, but a warning displays and an entry is made in the syslog.
For an L2TP LNS on MX Series routers, you can attach firewall for static LNS
sessions by configuring these at logical interfaces directly on the inline services
device (
si-fpc/pic/port
supported.
You configure multifield classifiers by:
Defining the filter—Configure either a firewall filter or a simple filter. Simple filters
1.
filter IPv4 traffic (family inet) only. Firewall filters enable you to filter additional protocol
families and more complex filters. The following sections describe both procedures.
Applying the filter—Activate the filter by configuring on a logical interface as an input
2.
filter.
To configure a firewall filter:
Under the firewall statement, specify the protocol family for which you want to filter
1.
traffic and specify a name for the filter.
edit
user@host# edit firewall family family-name filter filter-name
Specify the term name and match criteria you want to look for in incoming packets.
2.
[edit firewall family family-name filter filter-name]
user@host# set term term-name from match-conditions
Specify the action you want to take when a packet matches the conditions.
3.
[edit firewall family family-name filter filter-name]
user@host# set term term-name then actions
For multifield classifiers, you can perform the following actions:
Set the value of the DSCP field of incoming packets.
user@host# set term term-name then dscp code-point
Chapter 27: Configuring Class of Service
). RADIUS-configured firewall attachments are not
893