
[ACX] Firewall filter applying to loopback interface not supported on ACX


Article ID: KB28893 KB Last Updated: 28 May 2015Version: 3.0
Summary:

ACX does not support firewall filters on a loopback interface; when one is applied, the Packet Forwarding Engine logs an error. This article provides a forwarding table filter configuration that can be used instead.

Symptoms:

When configuring a firewall filter and applying it on a loopback interface, the following message will be logged from the Packet Forwarding Engine (PFE):

[Feb 2 22:46:16.460 LOG: Err] ACX Error (dfw):acx_dfw_bind :Filter(protect_RE-lo0.0-i) attachment to Loop-back interface is not supported
[Feb 2 22:46:54.005 LOG: Debug] PFESVCS: Input IFL not part of default RTB
[Feb 2 22:47:56.701 LOG: Err] ACX Error (dfw):acx_dfw_bind :Filter(protect_RE-lo0.0-i) attachment to Loop-back interface is not supported

Sample configuration (only the ICMP protocol is accepted here, to keep the example short):

lab# show firewall family inet filter protect_RE
interface-specific;
term 1 {
    from {
        protocol icmp;
    }
    then {
        count icmp_accept;
        accept;
    }
}
term 2 {
    then {
        count others_discard;
        discard;
    }
}
lab# show interfaces lo0
unit 0 {
    family inet {
        filter {
            input protect_RE;
        }
        address 10.255.6.6/32;
    }
}

Solution:

The workaround is either to configure a forwarding table filter or to attach the filter to every Layer 3 interface on the ACX device.

Forwarding table filter configuration:

lab# show firewall family inet filter protect_RE
interface-specific;
term icmp_accept {
    from {
        destination-address {
            10.255.6.6/32;
        }
        protocol icmp;
    }
    then {
        count icmp_accept;
        accept;
    }
}
/*** other terms omitted: add a term for each additional protocol that must be accepted, depending on the design ***/
term discard {
    then {
        count others_discard;
        discard;
    }
}
lab# show routing-instances test
forwarding-options {
    family inet {
        filter {
            input protect_RE;
        }
    }
}

Note: The filter matches the loopback primary address as the destination address. A forwarding table filter is evaluated for all traffic forwarded through that routing instance, not only traffic destined to the Routing Engine, so any transit traffic that must pass needs an accept term placed before the final discard term.
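As an added illustration, not part of the KB article or of Junos itself, the following Python check walks a lo0 stanza in the curly-brace format shown above, reports any family inet filter attached to it (unsupported on ACX), and collects the unit's addresses so the operator knows which destination-address to match in the forwarding table filter. The sample stanza is a constructed copy of the one in this article; both the statement form (`address x/32;`) and the block form (`address x/32 { primary; }`) of the address are handled.

```python
# Constructed sample input: the lo0 stanza quoted in the article, not pulled from a live device.
LO0_CONFIG = """\
unit 0 {
    family inet {
        filter {
            input protect_RE;
        }
        address 10.255.6.6/32;
    }
}
"""


def walk_stanzas(text):
    """Yield (path, statement) pairs from Junos curly-brace config text.

    Block openings are yielded at the enclosing path before descending, so
    'address 10.0.0.1/32 {' is seen the same way as 'address 10.0.0.1/32;'.
    """
    path = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("/*"):
            continue  # skip blank lines and /* annotations */
        if line.endswith("{"):
            yield tuple(path), line[:-1].split()
            path.append(line[:-1].strip())
        elif line == "}":
            path.pop()
        elif line.endswith(";"):
            yield tuple(path), line[:-1].split()


def lo0_filter_findings(text):
    """Return {unit: {"filters": [(direction, name)], "addresses": [cidr]}} for a lo0 stanza."""
    findings = {}
    for path, stmt in walk_stanzas(text):
        if len(path) < 2 or not path[0].startswith("unit ") or path[1] != "family inet":
            continue
        unit = findings.setdefault(path[0].split()[1], {"filters": [], "addresses": []})
        if len(path) == 3 and path[2] == "filter" and stmt[0] in ("input", "output"):
            unit["filters"].append((stmt[0], stmt[1]))  # unsupported on ACX
        elif len(path) == 2 and stmt[0] == "address":
            unit["addresses"].append(stmt[1])
    return findings


if __name__ == "__main__":
    for unit, info in lo0_filter_findings(LO0_CONFIG).items():
        for direction, name in info["filters"]:
            print(f"lo0.{unit}: {direction} filter {name} is not supported on ACX; "
                  f"match destination-address {info['addresses']} in a forwarding table filter instead")
```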
