On Thu, Oct 30, 2008 at 11:38:18AM -0700, Curtis Call wrote:
> To match DCU in distributed PFE platforms use an egress forwarding-table
> filter:
>
> http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/configuring-a-forwarding-table-filter_1.html#id-11341452

I need to do a DCU match on ingress traffic only, and only on specific interfaces. If the DCU match worked in a normal firewall filter, I would just apply it as an ingress filter only to specific interfaces. Can you still achieve this by creating an interface-group or interface-set and referencing it in an egress forwarding-table filter? And would this really match only ingress traffic on specific interfaces?

The page you mentioned is a little unclear, specifically:

> Note: The egress forwarding table filter will be applied on the
> ingress of the flexible PIC concentrator (FPC). If different packets
> to the same destination arrive on different FPCs, they may encounter
> different policers.

> Note: You cannot configure both an egress forwarding table filter and
> the interface-group statement at the [edit interfaces family inet
> filter] hierarchy level. The egress forwarding table filter is applied
> to transit packets only.

To me that reads as though the filter will be applied at ingress time, but still happen with egress match logic (i.e. I couldn't specify source interfaces and match ingress traffic only).

-- 
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)