On EX, you should be able to protect the RE using a filter on lo0 in the main routing instance (not in the VRF itself). But be aware that this does not work on tha ACX-series (for some strange reason)...
Yep the firewall filter work for interfaces that are on the main routing-instance. But for some reason the filter does not apply on traffic coming from interface placed in a vrf to the RE.
-- Raphael Mazelier _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp