Policy Framework Configuration Guide - Juniper Networks

Junos 10.4 Policy Framework Configuration Guide
This section includes the following topics:
• Guidelines for Firewall Configuration in Logical Systems on page 256
• Unsupported Configuration Statements, Actions, and Action Modifiers on page 263
Guidelines for Firewall Configuration in Logical Systems
As a general rule, firewall filters configured under a logical system must be complete and
self-contained. Typically, the filters cannot reference firewall elements configured at the
[edit firewall] hierarchy level or at another [edit logical-systems logical-system-name]
hierarchy level. If no firewall filters are configured for a logical system, the firewall filters
at the [edit firewall] hierarchy level are applied.
In some situations, firewall statements that are valid under the [edit firewall] hierarchy
are not supported under the [edit logical-systems logical-system-name firewall] hierarchy.
There are three scenarios to consider:
• Scenario 1. An object in the firewall hierarchy references another object in the hierarchy;
for example, when a firewall filter references a firewall policer.
• Scenario 2. An object outside the firewall references an object inside the firewall
hierarchy; for example, a firewall filter is applied to an interface.
• Scenario 3. An object in the firewall hierarchy references an object outside the firewall
hierarchy; for example, when a firewall filter references a prefix list (defined under the
[edit policy-options] hierarchy).
This section includes the following topics:
• Scenario 1: Firewall Objects Reference Other Firewall Objects on page 256
• Scenario 2: Nonfirewall Objects Reference Firewall Objects on page 257
• Scenario 3: Firewall Objects Reference Nonfirewall Objects on page 261
Scenario 1: Firewall Objects Reference Other Firewall Objects
If a firewall object references a subordinate object (for example, a policer or prefix list),
that subordinate object must be defined within the firewall object. For example, if a
firewall filter configuration references a policer, that policer must be configured under
the same firewall object as the filter. This rule applies even if the same policer is configured
under the main firewall configuration or if the same policer is configured as part of a
firewall in another logical system.
In this example, the filter1 filter references the pol1 policer. Both filter1 and pol1 are defined
under the same firewall object. This configuration is valid. If pol1 were defined under
another firewall object, the configuration would not be valid.
[edit]
logical systems {
ls1 {
firewall {
policer pol1 {
if-exceeding {
bandwidth-limit 401k;
burst-size-limit 50k;
256
Copyright © 2010, Juniper Networks, Inc.