On Tue, 12 Jul 2011, Stefan Fouant wrote:

Hi Clarke,

If you are using an MX platform, instead of using family-inet on your interfaces, configure them in a bridge-group using family bridge (simply use an IRB interface for the routing functions). Then you can create firewall filters for those respective interfaces under [firewall filter family bridge] as in the following:

root@lab-mx1# show firewall
family bridge {
   filter test {
       term arp {
           from {
               ether-type arp;
           }
           then {
               count arp;
               accept;
           }
       }
   }
}

Once you have a counter assigned, you can now poll this via SNMP as well.

Hi, Stefan,

I guess I should have been more descriptive. In my MX configuration, the IRB interface is the only interface in the VPLS domain, so there are no "bridge" interfaces where I can configure a "bridge" filter. In other words, the VPLS instance is configured as "connectivity-type irb". The only interface I can configure in that VPLS domain for a filter is the IRB itself, which requires "family inet", unless there is something I don't know about.

instance-type vpls;
vlan-id 100;
routing-interface irb.100;
route-distinguisher 192.168.0.1:100;
vrf-target target:65000:100;
protocols {
    vpls {
        connectivity-type irb;
    }
}

So my example is a little problematic since the ether-type part of the packet I need to look at on ingress is buried under the MPLS header.

Your suggestion does work well in other configuration contexts.

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
