per-logical-interface-firewall
Syntax
per-logical-interface-firewall
Hierarchy Level
[edit chassis]
Description
Enables per-logical-interface firewall filtering in the ingress direction. When enabled, the same set of match conditions and actions that are used for port firewall filters can be used for firewall filters on logical interfaces. The following example shows a firewall filter being created and then applied to a logical interface, after the per-logical-interface-firewall setting has been enabled.
firewall {
    family ethernet-switching {
        filter <filter-name> {
            term <rule-name> {
                from {
                    source-mac-address {
                        <mac-address>;
                    }
                }
                then {
                    count <count>;
                    policer <policer>;
                }
            }
        }
    }
    policer <policer-name> {
        if-exceeding {
            bandwidth-limit <bandwidth-limit>;
            burst-size-limit <burst-size-limit>;
        }
        then discard;
    }
}
interfaces {
    <interface-name> {
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit <interface-unit-number> {
            vlan-id <vlan-id>;
            family ethernet-switching {
                filter {
                    input <filter-name>;
                }
            }
        }
    }
}
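A concrete instance of the configuration above, added here as an illustration and not taken from the Junos documentation: the chassis knob is enabled at the [edit chassis] hierarchy, a filter rate-limits frames from one source MAC with a policer, and the filter is applied to a service-provider style logical interface. The interface name xe-0/0/1, the filter, term, counter and policer names, the MAC address, the VLAN ID and the rate limits are constructed values for this example.

```junos
chassis {
    /* Constructed example: enables ingress firewall filtering per logical interface */
    per-logical-interface-firewall;
}
firewall {
    family ethernet-switching {
        filter LIMIT-HOST-A {
            term match-host-a {
                from {
                    /* Constructed source MAC; /48 matches the full address */
                    source-mac-address {
                        00:11:22:33:44:55/48;
                    }
                }
                then {
                    /* Count matching frames under a named counter, then rate-limit them */
                    count host-a-frames;
                    policer POLICE-10M;
                }
            }
            term accept-rest {
                /* Without this term, all other traffic on the IFL would hit the
                   implicit discard at the end of the filter */
                then accept;
            }
        }
    }
    policer POLICE-10M {
        if-exceeding {
            bandwidth-limit 10m;
            burst-size-limit 100k;
        }
        then discard;
    }
}
interfaces {
    xe-0/0/1 {
        /* Service-provider style IFL: required by the caveats below */
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 100 {
            vlan-id 100;
            family ethernet-switching {
                filter {
                    input LIMIT-HOST-A;
                }
            }
        }
    }
}
```

After committing, `show firewall filter LIMIT-HOST-A` displays the host-a-frames counter and the POLICE-10M policer counters, which is the quickest way to confirm that the filter is actually being evaluated on unit 100 rather than on the whole port.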
Caveats
- per-logical-interface-firewall is not supported on enterprise style logical interfaces.
- Per-logical-interface firewall filtering with a mix of service provider and enterprise logical interfaces is not supported.
- per-logical-interface-firewall scope is limited to non-VXLAN interfaces.
- With per-logical-interface-firewall, the IPv6 addresses matched in filters across the logical interfaces (IFLs) of a physical interface (IFD) should be exclusive; the same IPv6 address match should not appear in filters on more than one IFL of that IFD.
- The interface-specific knob is not recommended with an IPv6 address match.
- IFLs belonging to different VLANs cannot share the same filter when it contains an IPv6 address match.
Required Privilege Level
interface
Release Information
Statement introduced in Junos OS Release 22.2R1 (QFX5110, QFX5120-32C, QFX5120-48T, QFX5120-48Y, QFX5120-48YM, QFX5200, and QFX5210)