Egress Forwarding-Table-Filters are performed on the ingress PFE, but after the forwarding decision process has completed.
You can't use interface-groups with egress FTFs; the two features cannot be configured at the same time. You should be able to use interface-sets though.

> -----Original Message-----
> From: Richard A Steenbergen [mailto:[EMAIL PROTECTED]
> Sent: Thursday, October 30, 2008 5:44 PM
> To: Curtis Call
> Cc: juniper-nsp@puck.nether.net
> Subject: Re: [j-nsp] DCU matching in firewall on MX
>
> On Thu, Oct 30, 2008 at 11:38:18AM -0700, Curtis Call wrote:
> > To match DCU in distributed PFE platforms use an egress
> > forwarding-table filter:
> >
> > http://www.juniper.net/techpubs/software/junos/junos92/swconfig-policy/configuring-a-forwarding-table-filter_1.html#id-11341452
>
> I need to do a DCU match on ingress traffic only, and only on specific
> interfaces. If the DCU match worked in a normal firewall filter, I
> would just apply it as an ingress filter only to specific interfaces.
>
> Can you still achieve this by creating an interface-group or
> interface-set and referencing it in an egress forwarding-table filter?
> And would this really match only ingress traffic on specific
> interfaces?
> The page you mentioned is a little unclear, specifically:
>
> > Note: The egress forwarding table filter will be applied on the
> > ingress of the flexible PIC concentrator (FPC). If different packets
> > to the same destination arrive on different FPCs, they may encounter
> > different policers.
>
> > Note: You cannot configure both an egress forwarding table filter and
> > the interface-group statement at the [edit interfaces family inet
> > filter] hierarchy level. The egress forwarding table filter is applied
> > to transit packets only.
>
> To me that reads as though the filter will be applied at ingress time,
> but still happen with egress match logic (i.e. I couldn't specify
> source interfaces and match ingress traffic only).
>
> --
> Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)