
Prefix-action with filter input-list

‎08-28-2012 05:55 AM

Hi All,

I'm trying to use a prefix-action policer alongside regular firewall rules on Junos 11.4R3.7 on an MX80. I've prepared the configuration below. It works fine when I enable a single filter using set interfaces ge-1/1/1 unit 0 family inet filter prefixactionfilter.

[edit]
admin@MX1# set interfaces ge-1/1/0 unit 0 family inet filter input prefixactionfilter

[edit]
admin@MX1# commit
commit complete

[edit]
admin@MX1> run show firewall prefix-action-stats filter prefixactionfilter prefix-action psa-per-destination-15-24-clients | except " 0$"
 Filter: prefixactionfilter
 Counters: Name Bytes Packets
 psa-per-destination-15-24-clients-132 319235 1042
 ..
 ..
Counters are rising steadily. But when I try to combine prefixaction with another filter using input-list [ prefixactionfilter testallowall ] or even input-list [ prefixactionfilter ], all counters are zero:
[edit]
admin@MX1# show interfaces ge-1/1/0 unit 0 family inet filter
input-list prefixactionfilter;

[edit]
admin@MX1# commit
commit complete

[edit] 
admin@MX1# run show firewall prefix-action-stats filter prefixactionfilter prefix-action psa-per-destination-15-24-clients
 Filter: prefixactionfilter
 Counters: Name Bytes Packets
 psa-per-destination-15-24-clients-0 0 0
 psa-per-destination-15-24-clients-1 0 0
 ..
 ..
My config:
admin@MX1> show configuration firewall family inet
prefix-action psa-per-destination-15-24 {
    policer policer-from-universe;
    count;
    subnet-prefix-length 15;
    destination-prefix-length 24;
}
filter prefixactionfilter {
    term clients {
        from {
            destination-address {
                10.0.128.0/22 except;
                10.0.128.0/17;
                10.1.0.0/16;
            }
        }
        then prefix-action psa-per-destination-15-24;
    }
    term default {
        then {
            count pre-default;
            accept;
        }
    }
}
filter testallowall {
    term allowall {
        then accept;
    }
}
admin@MX1# show firewall policer policer-from-universe 
if-exceeding {
    bandwidth-limit 150m;
    burst-size-limit 512k;
}
then discard;

Is it possible to use it in that way?

Thanks in advance,
Tomek
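
An added example, not part of the original post: a small helper for reading the prefix-action-stats output above, mapping a destination address to its counter name and a counter index back to its /24. It assumes the documented Junos behaviour that the index is formed from the address bits between subnet-prefix-length and destination-prefix-length; the 10.0.0.0/15 base and all function names are assumptions made for this sketch.

```python
import ipaddress

# Values copied from the posted prefix-action and filter term.
SUBNET_PREFIX_LEN = 15
DEST_PREFIX_LEN = 24
PREFIX_ACTION = "psa-per-destination-15-24"
TERM = "clients"
# (prefix, is_except) entries of term "clients"
MATCH = [
    (ipaddress.ip_network("10.0.128.0/22"), True),
    (ipaddress.ip_network("10.0.128.0/17"), False),
    (ipaddress.ip_network("10.1.0.0/16"), False),
]

def set_size():
    """Number of counters/policers the prefix-action instantiates."""
    return 1 << (DEST_PREFIX_LEN - SUBNET_PREFIX_LEN)

def term_matches(dst):
    """Longest matching prefix decides; an 'except' entry excludes the packet."""
    addr = ipaddress.ip_address(dst)
    hits = [(net.prefixlen, exc) for net, exc in MATCH if addr in net]
    return bool(hits) and not max(hits)[1]

def counter_index(dst):
    """Bits 15..23 of the destination address (assumed indexing rule)."""
    addr = int(ipaddress.ip_address(dst))
    return (addr >> (32 - DEST_PREFIX_LEN)) & (set_size() - 1)

def counter_name(dst):
    """Counter name as shown by 'show firewall prefix-action-stats', or None."""
    if not term_matches(dst):
        return None  # packet falls through to term "default"
    return f"{PREFIX_ACTION}-{TERM}-{counter_index(dst)}"

def prefix_for_index(idx, base="10.0.0.0/15"):
    """The /24 that feeds counter idx; base is the assumed enclosing /15."""
    start = int(ipaddress.ip_network(base).network_address)
    return ipaddress.ip_network((start + (idx << (32 - DEST_PREFIX_LEN)), DEST_PREFIX_LEN))

if __name__ == "__main__":
    for dst in ("10.0.132.7", "10.1.5.9", "10.0.129.1"):  # constructed samples
        print(dst, "->", counter_name(dst))
    print("counter 132 <-", prefix_for_index(132))
```

With these assumptions the non-zero counter in the first output, index 132, corresponds to traffic toward 10.0.132.0/24.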


Re: Prefix-action with filter input-list

‎05-28-2020 03:50 AM

Hello,

I have the same issue as you, and I think this is a Juniper limitation that only one filter can be applied on input (didn't check output) on an interface. This means the "input-list" is not working.

However, I found this: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/input-cha...

Hope it helps.
