Interface-Specific Firewall Filter Instances Overview
Instantiation of Interface-Specific Firewall Filters
You can configure Junos OS to automatically create a separate, interface-specific instance of a
firewall filter for each interface to which you apply the filter.
If you enable interface-specific instantiation of a firewall filter and then apply
that filter to multiple interfaces, any count actions or
policer actions configured in the filter terms act on the
traffic stream entering or exiting each individual interface, rather than on the
aggregate of the traffic across all of those interfaces.
You can enable this option per firewall filter by including the interface-specific statement in the filter configuration.
Interface-specific firewall filtering is supported for standard stateless firewall filters and for service filters. Interface-specific instances are not supported for simple filters.
A firewall filter cannot be both interface-specific and interface-shared.
Interface-Specific Names for Firewall Filter Instances
When Junos OS creates a separate instance of a firewall filter for a logical interface, the instance is associated with an interface-specific name. The system-generated name of a firewall filter instance consists of the name of the configured filter followed by a hyphen ('-'), the full logical interface name, and either '-i' for an input filter instance or '-o' for an output filter instance.
Input filter instance name—For example, if you apply the interface-specific firewall filter filter_s_tcp to the input at logical interface at-1/1/1.0, Junos OS instantiates an interface-specific filter instance with the following system-generated name: filter_s_tcp-at-1/1/1.0-i
Output filter instance name—For example, if you apply the interface-specific firewall filter filter_s_tcp to the output at logical interface so-2/2/2.2, Junos OS instantiates an interface-specific filter instance with the following system-generated name: filter_s_tcp-so-2/2/2.2-o
You can use the interface-specific name of a filter instance when you enter a Junos OS operational mode command that takes a stateless firewall filter name (for example, to display or clear that instance alone).
When you configure a firewall filter with interface-specific instances enabled, limit the filter name to 52 bytes. Firewall filter names are restricted to 64 bytes, and the system-generated instance name adds the hyphen, the full logical interface name, and the -i or -o suffix to the configured name. If a system-generated filter instance name exceeds the 64-byte maximum, the policy framework software might reject the instance name.
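The configuration that produces the two instance names shown above, followed by the operational-mode commands that address each instance by that name. This is an added illustration, not configuration taken from this page; the term contents, the counter name count_tcp, and the choice of ATM and SONET logical units are assumptions.

```junos
## Added example: interface-specific instantiation of filter_s_tcp.
## Filter definition; the term bodies are assumed for illustration.
set firewall family inet filter filter_s_tcp interface-specific
set firewall family inet filter filter_s_tcp term tcp from protocol tcp
set firewall family inet filter filter_s_tcp term tcp then count count_tcp
set firewall family inet filter filter_s_tcp term tcp then accept
set firewall family inet filter filter_s_tcp term other then accept

## Apply the same filter as an input filter on one logical interface and
## as an output filter on another; each application gets its own instance.
set interfaces at-1/1/1 unit 0 family inet filter input filter_s_tcp
set interfaces so-2/2/2 unit 2 family inet filter output filter_s_tcp
commit

## Operational mode (prefix with "run" from configuration mode).
## Name-length check: "filter_s_tcp" is 12 bytes and "-at-1/1/1.0-i" is
## 13 bytes, so the instance name is 25 bytes, well under the 64-byte limit.
show firewall filter filter_s_tcp-at-1/1/1.0-i
show firewall filter filter_s_tcp-so-2/2/2.2-o
clear firewall filter filter_s_tcp-so-2/2/2.2-o
```

Because the instances are distinct objects, clearing the output instance on so-2/2/2.2 leaves the input instance on at-1/1/1.0 and its counters untouched.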
Interface-Specific Firewall Filter Counters
Instantiation of interface-specific firewall filters causes the Packet Forwarding Engine to maintain any counters for the firewall filter separately for each interface. You specify interface-specific counters per firewall filter term by specifying the count counter-name non-terminating action.
The system-generated name of an interface-specific firewall filter counter consists of the name of the configured counter followed by a hyphen ('-'), the full logical interface name, and either '-i' for an input filter instance or '-o' for an output filter instance.
Interface-specific input filter counter name—For example, suppose you configure the filter counter count_tcp for an interface-specific firewall filter. If the filter is applied to the input at logical interface at-1/1/1.0, Junos OS creates the following system-generated counter name: count_tcp-at-1/1/1.0-i
Interface-specific output filter counter name—For example, suppose you configure the filter counter count_udp for an interface-specific firewall filter. If the filter is applied to the output at logical interface so-2/2/2.2, Junos OS creates the following system-generated counter name: count_udp-so-2/2/2.2-o
Interface-Specific Firewall Filter Policers
Instantiation of interface-specific firewall filters not only creates separate instances of any firewall filter counters but also creates separate instances of any policer actions. Any policer applied through an action in the firewall filter configuration is applied separately to each interface to which the filter is attached, so each interface is rate-limited on its own rather than against the combined traffic of all the interfaces sharing the filter. You specify interface-specific policers per firewall filter term by specifying the policer policer-name non-terminating action.
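An added example, not configuration from this page, that shows the difference the interface-specific statement makes to counters (previous section) and policers (this section) when one filter is applied to several interfaces. The policer values, the filter and counter names, and the interface names ge-0/0/1.0 and ge-0/0/2.0 are assumptions chosen for illustration.

```junos
## Added example: one policer definition, used by two otherwise identical filters.
## Policer values are illustrative.
set firewall policer p-1m if-exceeding bandwidth-limit 1m
set firewall policer p-1m if-exceeding burst-size-limit 15k
set firewall policer p-1m then discard

## Variant 1: no interface-specific statement. The filter, the policer p-1m,
## and the counter c-udp are not instantiated per interface, so the 1 Mbps
## limit and the count apply to the combined UDP traffic of every interface
## the filter is attached to: one busy interface can consume the whole
## allowance and cause discards on the other.
set firewall family inet filter limit-udp-shared term udp from protocol udp
set firewall family inet filter limit-udp-shared term udp then policer p-1m
set firewall family inet filter limit-udp-shared term udp then count c-udp
set firewall family inet filter limit-udp-shared term udp then accept
set firewall family inet filter limit-udp-shared term rest then accept

## Variant 2: interface-specific. The Packet Forwarding Engine instantiates
## the filter, the policer, and the counter separately for each interface,
## so each interface has its own 1 Mbps allowance and its own counter:
##   filter instances:  limit-udp-ifs-ge-0/0/1.0-i  and  limit-udp-ifs-ge-0/0/2.0-i
##   counter instances: c-udp-ge-0/0/1.0-i          and  c-udp-ge-0/0/2.0-i
## (A filter cannot also carry the interface-shared statement.)
set firewall family inet filter limit-udp-ifs interface-specific
set firewall family inet filter limit-udp-ifs term udp from protocol udp
set firewall family inet filter limit-udp-ifs term udp then policer p-1m
set firewall family inet filter limit-udp-ifs term udp then count c-udp
set firewall family inet filter limit-udp-ifs term udp then accept
set firewall family inet filter limit-udp-ifs term rest then accept

## Apply the interface-specific variant as an input filter on two interfaces.
set interfaces ge-0/0/1 unit 0 family inet filter input limit-udp-ifs
set interfaces ge-0/0/2 unit 0 family inet filter input limit-udp-ifs
commit

## Verify in operational mode: each instance reports only the packets and
## bytes seen on its own interface, under the per-interface counter name.
show firewall filter limit-udp-ifs-ge-0/0/1.0-i
show firewall filter limit-udp-ifs-ge-0/0/2.0-i
```

Use the interface-specific variant whenever the rate limit is meant as a per-port guarantee (for example, protecting each customer-facing interface from its neighbours) and the shared variant only when the intent really is a single budget for the sum of the interfaces.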