input-list not working as expected

Luca · ‎06-11-2009

I have the following configuration on a reth interface on an SRX650

# run show configuration interfaces reth0.1683 
vlan-id 1683;
family inet {
    filter {
        input-list [ AP-source-route vlan-input-1683 ];
        output vlan-output-1683;
    }
    address 10.36.96.1/20;
}



# run show configuration firewall family inet filter AP-source-route 
term route-to-AP-BGP {
    from {
        source-address {
            10.36.96.0/20;
            10.52.240.0/20;
            10.48.0.0/20;
        }
        destination-address {
            10.20.0.0/23;
            10.21.0.0/21;
        }
    }
    then {
        routing-instance customer_peering;
    }
}


# run show configuration firewall filter vlan-input-1683 
term vlan-input-1683 {
    then {
        count vlan-input-1683;
        accept;
    }
}

So the vlan-input-1683 filter is there to count traffic, this is how we do billing.

The AP-Source-Route filter is for some specifc source based routing I need to do.

The issue is that when traffic does not match the AP-Source-Route filter it does not seem to hit the vlan-input-1683 filter.

For example, if I ping 8.8.8.8, the traffic does not match the source-route filter so it should hit the vlan-input-1683 filter, but the counter does not change at all.

According to this link http://kb.juniper.net/InfoCenter/index?page=content&id=KB13057&cat=T_SERIES&actp=LIST when using an input-list, if traffic does not match the first list it will be processed by the next list...

This is not happening in my case. Any thoughts?

thanks,

arinesmith · ‎07-25-2012

I think you need to 1) add a next term statement, and 2 change the order of your list so it hits the vlan term first.

I usually add it as my last term, and just call it "NEXT"

term NEXT {

then {

next term

}

But you can probably just add it to your current "then" statement.

input-list not working as expected

Re: input-list not working as expected