I know this topic has been discussed ad nauseam, so I'm mostly asking about peripheral questions here (and I have read the applicable documentation on the subject).
First, I'm setting up an EX to emulate the DSCP marking strategy that we do with our Cisco access switches. I've gathered that most EX platforms can't do this inbound, so the approach is instead to classify inbound into different queues and then rewrite the DSCP tag outbound. I've got this working as a simple PoC, but I have a few questions:
1) Is there any way to reuse the same firewall filter on switched ports and routed ports? Since the filters are family-specific, you need to specify whether it's for inet or ethernet-switching or what have you, and an inet filter isn't usable on a switched port and vice versa.
2) Are from statements in a firewall filter ANDed or ORed? I'm guessing AND, but what about situations where the constituents are incompatible? I.e.
"from" : {
  "destination-port" : ["161", "1812"],
  "ip-protocol" : ["icmp"]
},
Does that match TCP/UDP port 161 or 1812 or ICMP? Or just nothing since a packet can't have more than one destination port (especially over ICMP)? What about a case where you're specifying source and destination ports?
Thanks much,
Ian