Statement Hierarchy for Applying Firewall Filters; Protocol-Independent Firewall Filters on MX Series Routers - Juniper ACX1000 Configuration Manual

Junos OS; ACX Series Universal Access Router

ACX Series Universal Access Router Configuration Guide
Copyright © 2017, Juniper Networks, Inc.

Table 70: Firewall Filter Behavior by Filter Attachment Point (continued)

Filter Attachment Point: Multiple interfaces
Filter Behavior:
You can use the same firewall filter one or more times.
On M Series routers, except the M120 and M320 routers, if you apply a firewall filter to multiple interfaces, the filter acts on the sum of traffic entering or exiting those interfaces.
On T Series, M120, M320, and MX Series routers, interfaces are distributed among multiple packet-forwarding components. On these routers, you can configure firewall filters and service filters that, when applied to multiple interfaces, act on the individual traffic streams entering or exiting each interface, regardless of the sum of traffic on the multiple interfaces.
For more information, see Interface-Specific Firewall Filter Instances Overview.

Filter Attachment Point: Single interface with protocol-independent and protocol-specific firewall filters attached
Filter Behavior:
For interfaces hosted on the following hardware only, you can attach a protocol-independent (family any) firewall filter and a protocol-specific (family inet or family inet6) firewall filter simultaneously. The protocol-independent firewall executes first.
- ACX Series Universal Access Routers
- Flexible PIC Concentrators (FPCs) in M7i and M10i Multiservice Edge Routers
- Modular Interface Cards (MICs) and Modular Port Concentrators (MPCs) in MX Series 3D Universal Edge Routers
- T Series Core Routers
NOTE: Interfaces hosted on the following hardware do not support protocol-independent firewall filters:
- Forwarding Engine Boards (FEBs) in M120 routers
- Enhanced III FPCs in M320 routers
- FPC2 and FPC3 modules in MX Series routers
- Dense Port Concentrators (DPCs) in MX Series routers
- PTX Series Packet Transport Routers

Statement Hierarchy for Applying Firewall Filters

To apply a standard firewall filter to a logical interface, configure the filter statement for the logical interface defined under either the [edit] or [edit logical-systems logical-system-name] hierarchy level. Under the filter statement, you can include one or more of the following statements: group group-number, input filter-name, input-list filter-name, output filter-name, or output-list filter-name. The hierarchy level at which you attach the filter statement depends on the filter type and device type you are configuring.

Protocol-Independent Firewall Filters on MX Series Routers

To apply a protocol-independent firewall filter to a logical interface on an MX Series router, configure the filter statement directly under the logical unit:

    interfaces {
        interface-name {
            unit logical-unit-number {
                filter {
                    group group-number;
                    input filter-name;
                }
            }
        }
    }
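The two attachment levels described above (directly under the unit for family any, under the family for protocol-specific filters) can be told apart when auditing a configuration. The following is an added example, not part of the Juniper manual: it reads configuration lines in "set" form and lists each logical unit's input filters with the protocol-independent filter first, as the table states. The interface names, filter names and sample lines are constructed, and only single `input` attachments are handled.

```python
import re
from collections import defaultdict

# Constructed sample in Junos "display set" form; interface and filter
# names are made up for this example.
SAMPLE = """\
set interfaces ge-0/0/1 unit 0 filter input PI-EDGE
set interfaces ge-0/0/1 unit 0 family inet filter input V4-EDGE
set interfaces ge-0/0/1 unit 0 family inet6 filter input V6-EDGE
set interfaces ge-0/0/2 unit 100 family inet filter input V4-CUST
set logical-systems LS1 interfaces ge-0/0/3 unit 0 filter input PI-LS1
set interfaces ge-0/0/4 unit 0 family inet address 192.0.2.1/30
"""

# Matches filter attachments under [edit] or [edit logical-systems name].
# "family <f>" is absent when the filter sits directly under the unit,
# which is the protocol-independent (family any) attachment point.
ATTACH = re.compile(
    r"^set (?:logical-systems (?P<ls>\S+) )?interfaces (?P<ifd>\S+) "
    r"unit (?P<unit>\d+) (?:family (?P<family>\S+) )?"
    r"filter input (?P<name>\S+)$"
)

def input_filter_chains(config_text):
    """Map (logical-system, interface.unit) to ordered (family, filter) pairs."""
    chains = defaultdict(list)
    for line in config_text.splitlines():
        m = ATTACH.match(line.strip())
        if not m:
            continue
        key = (m["ls"] or "", f'{m["ifd"]}.{m["unit"]}')
        chains[key].append((m["family"] or "any", m["name"]))
    # Protocol-independent filter first; stable sort keeps the rest in file order.
    return {k: sorted(v, key=lambda fa: fa[0] != "any") for k, v in chains.items()}

def units_with_both(chains):
    """Units carrying family any plus at least one protocol-specific filter."""
    return sorted(
        k for k, v in chains.items()
        if any(f == "any" for f, _ in v) and any(f != "any" for f, _ in v)
    )

if __name__ == "__main__":
    chains = input_filter_chains(SAMPLE)
    for (ls, ifl), filters in sorted(chains.items()):
        order = " -> ".join(f"{name} ({fam})" for fam, name in filters)
        print(f"{ls or 'main'} {ifl}: {order}")
    print("both levels:", units_with_both(chains))
```

Units reported by `units_with_both` are the ones to check against the hardware list in Table 70, since the simultaneous attachment is supported only on the hardware named there.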

This manual is also suitable for:

ACX5048, ACX5096, ACX500, ACX1100, ACX2000, ACX2100 ...