Junos uses the concept of a firewall filter instead of an Access Control List (ACL), but they are essentially the same thing: a stateless packet filter.
In the Cisco world you define a filter as an ACL and typically apply it to an interface either inbound or outbound. For example, suppose we only want to allow traffic from source 10.1.1.0/24 outbound through an interface.
First we would define the ACL:
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip any any
Then we would apply it to the interface:
interface GigabitEthernet0
 ip access-group 101 out
In the Junos world you define the filter under the firewall section. In the example below the filter is named ‘101’. Two terms are then defined, term ‘allow-10.1.1.0/24’ and term ‘reject’. The first term accepts all packets with a source IP in the subnet 10.1.1.0/24, and the second term rejects everything else.
firewall {
    family inet {
        filter 101 {
            term allow-10.1.1.0/24 {
                from {
                    source-address {
                        10.1.1.0/24;
                    }
                }
                then accept;
            }
            term reject {
                then {
                    reject;
                }
            }
        }
    }
}
The filter is then applied to the interface as follows:
ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                output 101;
            }
        }
    }
}
As with IOS, Junos has an implicit discard at the end of every filter, but I prefer to add a final term for good measure. Note that the implicit action is a silent discard, whereas the explicit ‘reject’ term above also returns an ICMP unreachable message to the sender, so the two are not quite identical.
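To make the first-match-wins behaviour and the implicit final action concrete, here is a small Python evaluator, added as an illustration and not part of the original post or of any Junos or IOS code. It parses constructed copies of the Junos filter and the IOS ACL shown above (the config parser handles only the syntax subset used in those examples, and only the source field of the ACL is modelled), converts the IOS wildcard mask to a prefix, and evaluates a few constructed source addresses against both, including a filter with the catch-all term removed so the implicit discard is visible.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed copies of the two configurations shown above.
JUNOS_CONFIG = """
firewall {
    family inet {
        filter 101 {
            term allow-10.1.1.0/24 {
                from {
                    source-address {
                        10.1.1.0/24;
                    }
                }
                then accept;
            }
            term reject {
                then {
                    reject;
                }
            }
        }
    }
}
"""
IOS_ACL = """
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
access-list 101 deny ip any any
"""
Entry = Tuple[str, List[ipaddress.IPv4Network], str]  # (name, source prefixes, action)
JUNOS_DEFAULT = ("discard", "<implicit>")  # unmatched packets are silently discarded
IOS_DEFAULT = ("deny", "<implicit>")       # every IOS ACL ends with an implicit deny

def parse_junos(text: str) -> Dict:
    """Parse 'key { ... }' blocks and 'leaf;' lines into nested dicts (leaf -> None)."""
    root: Dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack[-1][line[:-1].strip()] = block = {}
            stack.append(block)
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            stack[-1][line[:-1].strip()] = None
        elif line:
            raise ValueError(f"unsupported line: {raw!r}")
    return root

def junos_terms(config: Dict, filter_name: str) -> List[Entry]:
    """Return the named filter's terms in configuration order; no 'from' means match all."""
    flt = config["firewall"]["family inet"][f"filter {filter_name}"]
    terms: List[Entry] = []
    for key, body in flt.items():
        if key.startswith("term "):
            prefixes = [ipaddress.IPv4Network(p)
                        for p in (body.get("from") or {}).get("source-address", {})]
            if "then" in body:  # 'then { reject; }' block form
                action = next(iter(body["then"]))
            else:               # 'then accept;' leaf form
                action = next(k for k in body if k.startswith("then "))[5:]
            terms.append((key[5:], prefixes, action))
    return terms

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address/wildcard pair -> prefix; only contiguous wildcards are supported."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.IPv4Network((addr, 32 - bits.bit_length()), strict=False)

def parse_ios_acl(text: str) -> List[Entry]:
    """Parse 'access-list N permit|deny ip <src> <dst>' lines; only the source is modelled."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0] == "access-list":
            action, src = parts[2], parts[4:]
            prefixes = [] if src[0] == "any" else [wildcard_to_network(src[0], src[1])]
            entries.append((f"{parts[1]}:{action}", prefixes, action))
    return entries

def evaluate(entries: List[Entry], src: str, default: Tuple[str, str]) -> Tuple[str, str]:
    """First match wins; if no entry matches, the platform's implicit final action applies."""
    addr = ipaddress.IPv4Address(src)
    for name, prefixes, action in entries:
        if not prefixes or any(addr in p for p in prefixes):
            return action, name
    return default

JUNOS_TERMS = junos_terms(parse_junos(JUNOS_CONFIG), "101")
IOS_ENTRIES = parse_ios_acl(IOS_ACL)

if __name__ == "__main__":
    for src in ("10.1.1.77", "10.1.2.1"):
        print(src, evaluate(IOS_ENTRIES, src, IOS_DEFAULT), evaluate(JUNOS_TERMS, src, JUNOS_DEFAULT))
    print("no catch-all:", evaluate(JUNOS_TERMS[:1], "10.1.2.1", JUNOS_DEFAULT))
```

Running it shows 10.1.1.77 permitted by both the ACL and the filter, 10.1.2.1 hitting the explicit deny on IOS and the explicit reject term on Junos, and, once the final term is dropped, the same packet falling through to Junos's implicit discard. The `default` argument is what makes the platform difference explicit: the verdict is the same (the packet does not pass), but the action that produced it is not.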