ACX Series routers do not support attaching firewall filters to the loopback interface (lo0); when such a filter is committed, the Packet Forwarding Engine logs an error and the filter is not installed. This article provides a forwarding table filter configuration that can be used instead.
When a firewall filter is configured and applied to the loopback interface, the following messages are logged by the Packet Forwarding Engine (PFE):
[Feb 2 22:46:16.460 LOG: Err] ACX Error (dfw):acx_dfw_bind :Filter(protect_RE-lo0.0-i) attachment to Loop-back interface is not supported
[Feb 2 22:46:54.005 LOG: Debug] PFESVCS: Input IFL not part of default RTB
[Feb 2 22:47:56.701 LOG: Err] ACX Error (dfw):acx_dfw_bind :Filter(protect_RE-lo0.0-i) attachment to Loop-back interface is not supported
Sample configuration (to keep the example simple, only ICMP is accepted):
lab# show firewall family inet filter protect_RE
interface-specific;
term 1 {
    from {
        protocol icmp;
    }
    then {
        count icmp_accept;
        accept;
    }
}
term 2 {
    then {
        count others_discard;
        discard;
    }
}
lab# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input protect_RE;
        }
        address 10.255.6.6/32;
    }
}
A solution is either to configure a forwarding table filter (shown below) or to attach the filter as an input filter on every Layer 3 interface of the ACX device.
Forwarding table filter configuration:
lab# show firewall family inet filter protect_RE
interface-specific;
term icmp_accept {
    from {
        destination-address {
            10.255.6.6/32;
        }
        protocol icmp;
    }
    then {
        count icmp_accept;
        accept;
    }
}
/* Other terms accepting the protocols the design requires are omitted here. */
term discard {
    then {
        count others_discard;
        discard;
    }
}
lab# show routing-instances test
forwarding-options {
    family inet {
        filter {
            input protect_RE;
        }
    }
}
Note: The loopback primary address (10.255.6.6/32) is used as the destination-address match. A forwarding table filter is evaluated against every packet looked up in that routing instance's forwarding table, not only packets addressed to the Routing Engine, so each term that protects the RE should match on the loopback address as destination, and the final discard term must not catch transit traffic that the design expects to forward.
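The following is an added example, not configuration from the original article, showing the forwarding table filter workaround in set-command form with the terms scoped to the loopback address so that transit traffic in the instance is not dropped. The loopback address 10.255.6.6/32 and the routing-instance name test are taken from the article; the BGP and SSH accept terms are illustrative design choices and should be replaced by whatever the deployment actually needs to reach the Routing Engine.

```junos
# Added example (not from the original article). Accept terms for BGP and
# SSH are assumptions standing in for the protocols a real design requires.

# Routing Engine traffic is identified by the loopback address as destination.
set firewall family inet filter protect_RE term icmp_accept from destination-address 10.255.6.6/32
set firewall family inet filter protect_RE term icmp_accept from protocol icmp
set firewall family inet filter protect_RE term icmp_accept then count icmp_accept
set firewall family inet filter protect_RE term icmp_accept then accept

set firewall family inet filter protect_RE term bgp_accept from destination-address 10.255.6.6/32
set firewall family inet filter protect_RE term bgp_accept from protocol tcp
set firewall family inet filter protect_RE term bgp_accept from port bgp
set firewall family inet filter protect_RE term bgp_accept then count bgp_accept
set firewall family inet filter protect_RE term bgp_accept then accept

set firewall family inet filter protect_RE term ssh_accept from destination-address 10.255.6.6/32
set firewall family inet filter protect_RE term ssh_accept from protocol tcp
set firewall family inet filter protect_RE term ssh_accept from destination-port ssh
set firewall family inet filter protect_RE term ssh_accept then count ssh_accept
set firewall family inet filter protect_RE term ssh_accept then accept

# Everything else addressed to the loopback is dropped and counted.
set firewall family inet filter protect_RE term discard_to_re from destination-address 10.255.6.6/32
set firewall family inet filter protect_RE term discard_to_re then count others_discard
set firewall family inet filter protect_RE term discard_to_re then discard

# Packets not addressed to the loopback are transit traffic for this
# instance; without this term the filter's implicit discard would drop them.
set firewall family inet filter protect_RE term transit_accept then accept

# Apply as a forwarding table filter instead of on lo0.
set routing-instances test forwarding-options family inet filter input protect_RE
commit

# Verify the filter was programmed and that the counters move.
run show firewall filter protect_RE
```

The verification command is expected to list the icmp_accept, bgp_accept, ssh_accept and others_discard counters; if the PFE had rejected the filter, the earlier acx_dfw_bind error would appear in the log instead.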