Parameterized Filters Configuration Considerations

Subscriber IP Address

In most deployment scenarios, the interface is based on the subscriber’s IP address. Because subscribers may not be unique, they cannot be used in determining similar filters and policers. Do not use the junos-subscriber-ip-address IP address as a match candidate. Doing so causes unique filters per subscriber, which inhibits scaling.

Interaction with Static Configuration

Searching for a filter to attach takes place in the following order:

1. Static filter. For example, firewall family inet filter my-filter.

2. Fast update filter within the current dynamic profile. For example, dynamic-profile [profile-name] firewall family inet fast-update-filter my-filter.

3. Parameterized filter within the current dynamic profile. For example, dynamic-profile [profile-name] firewall family inet filter.

The following static configuration objects may be referenced by a parameterized filter. The search order is first in the static configuration and then in the current dynamic-profile:

• firewall policer

• firewall hierarchical-policer

• three-color policer

• policy-options prefix-list

If an object in the static configuration is being used by an active parameterized filter, you cannot delete that object from the configuration while the subscriber is logged in.

Interface-Specific Dynamic Service Filters

All dynamic service filters must be defined as interface-specific.

Service Session Support

Parameterized filters and policers are supported for service activations only, not client sessions.

Filter Naming Conventions

The base filter name is based on the interface and direction (ingress and egress) appended to it. With parameterized filters, the filter-naming process comes from the UID.