On Wed, Apr 27, 2011 at 12:24:25PM +0100, Nick Ryce wrote:
>
> Any ideas if this is supported in 10.4 as we have a standard ACL we
> use on most customer vlans and then a customer specific vlan?
Nah, filter chains are definitely not supported on EX, and I'm not aware of any near term plans to add it.

Even on the major platforms, filter chains aren't exactly a completely well-thought-out solution. Doing the "next term" operation that you need to force packets to be evaluated all the way through the chain actually consumes lookup capacity inside the firewall processing, and it is surprisingly easy to exhaust this capacity. For example, something on the order of a dozen filter terms in a chain, doing relatively simple matching, is enough to exhaust the capacity of an I-Chip on an MX DPC. When this happens, you'll suddenly discover that your ports are no longer capable of doing line rate packets/sec, and there will be no indications of the drops short of poking around in the "show ichip" commands on the PFE. Needless to say, this can make for a really bad day.

We use a commit script to automatically build unique per-interface firewall filters out of individual filter config components. It's not pretty, but unfortunately this is really the only practical way to get the kind of config reuse you're looking for, not to mention the only way to actually protect the control plane on the EX. :)

-- 
Richard A Steenbergen <r...@e-gerbil.net>       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C  53AF 4C41 5ECA F8B1 2CBC)

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
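The approach the reply describes (merging reusable filter components into one unique filter per interface instead of chaining filters with "next term") can be shown offline. The Python below is an added example, not the poster's commit script and not anything from Junos itself: it is a plain config generator that emits Junos `set` lines, which is the same flattening a SLAX commit script would do on the box. The component names, term contents, addresses and interface names are constructed samples, and the name sanitising rule (replacing `/` and `.` with `_`) is a conservative assumption, not a documented Junos requirement.

```python
"""Added example (not the poster's commit script): flatten reusable filter
components into one unique per-interface firewall filter, so every term
lives in a single filter and no 'next term' chaining is required.
All components, addresses and interface names below are constructed samples."""

# Constructed sample components. Each term is (name, from-clauses, then-actions).
COMPONENTS = {
    "standard-customer": [
        ("deny-rfc1918-src",
         {"source-address": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]},
         ["discard"]),
        ("count-icmp", {"protocol": ["icmp"]}, ["count icmp-in", "accept"]),
    ],
    "customer-specific": [
        ("allow-dns-to-resolver",
         {"protocol": ["udp"], "destination-address": ["198.51.100.53/32"],
          "destination-port": ["53"]},
         ["accept"]),
    ],
}


def filter_name(interface, direction="in"):
    """Derive a filter name from an interface name (unit included).
    '/' and '.' are replaced with '_' as a conservative choice (assumption),
    so that one interface always maps to one distinct filter name."""
    safe = interface.replace("/", "_").replace(".", "_")
    return f"{safe}-{direction}"


def build_filter(interface, component_names, components=COMPONENTS,
                 default_action="accept"):
    """Return (filter name, ordered list of (term, from, then)).
    Term names are prefixed with the component name, so the same component
    can be merged into many filters without term-name collisions; the order
    of components is the order of evaluation, exactly as in a single filter."""
    terms, seen = [], set()
    for comp in component_names:
        if comp not in components:
            raise KeyError(f"unknown filter component {comp!r}")
        for term, frm, then in components[comp]:
            name = f"{comp}-{term}"
            if name in seen:
                raise ValueError(f"duplicate term {name!r} in {interface}")
            seen.add(name)
            terms.append((name, frm, then))
    # Explicit final term; the action is a parameter because it is policy.
    terms.append(("default", {}, [default_action]))
    return filter_name(interface), terms


def to_set_commands(interface, component_names, **kw):
    """Render the merged filter and its interface binding as Junos 'set' lines."""
    fname, terms = build_filter(interface, component_names, **kw)
    prefix = f"set firewall family inet filter {fname} term"
    lines = []
    for name, frm, then in terms:
        for key, values in frm.items():
            for value in values:
                lines.append(f"{prefix} {name} from {key} {value}")
        for action in then:
            lines.append(f"{prefix} {name} then {action}")
    phys, _, unit = interface.partition(".")
    lines.append(f"set interfaces {phys} unit {unit or '0'} "
                 f"family inet filter input {fname}")
    return lines


if __name__ == "__main__":
    # Two interfaces sharing the standard component get two distinct filters.
    for iface, comps in [("ge-0/0/1.100", ["standard-customer", "customer-specific"]),
                         ("ge-0/0/2.200", ["standard-customer"])]:
        print("\n".join(to_set_commands(iface, comps)))
        print()
```

Because each interface gets its own flattened filter, a change to the shared component is re-expanded into every interface's filter at generation time, which is the config reuse the question asks about, while the hardware only ever evaluates one filter per interface.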