diff --git a/includes/junos-v21-core-router/firewall.j2 b/includes/junos-v21-core-router/firewall.j2
index 3056417..c257615 100644
--- a/includes/junos-v21-core-router/firewall.j2
+++ b/includes/junos-v21-core-router/firewall.j2
@@ -24,9 +24,55 @@
 {%- endif %}
 {%- endfor %}
+ {%- set as_set_prefixes = 59811|get_prefixes_for_asn %}
+ {%- set linknets_ipv4 = [] %}
+ {%- set linknets_ipv6 = [] %}
+
+ {% for interface in device_interfaces %}
+ {%- set interface_tags = [] %}
+ {%- for tag in interface.tags %}
+ {%- do interface_tags.append(tag.slug) %}
+ {%- endfor %}
+ {%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
+ {%- for address in interface|get_addresses %}
+ {%- if address|ipv4 %}
+ {%- do linknets_ipv4.append(address.address.split("/")[0]) %}
+ {%- elif address|ipv6 %}
+ {%- do linknets_ipv6.append(address.address.split("/")[0]) %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+ {% endfor %}
+
 family inet {
- filter control-plane-protection-IPv4 {
+ filter BCP38-edge-IPv4 {
+ term allow-AS59811-set {
+ from {
+ source-address {
+ {% for prefix in as_set_prefixes['ipv4'] %}
+ {{ prefix['prefix'] }};
+ {% endfor %}
+ }
+ }
+ then {
+ accept
+ }
+ }
+ term allow-interfaces {
+ from {
+ source-address {
+ {%- for address in linknets_ipv4 %}
+ {{ address }};
+ {%- endfor %}
+ }
+ }
+ then {
+ accept
+ }
+ }
+ }
+ filter control-plane-protection-IPv4 {
 {% if bgp_multihop_prefixes_v4 %}
 term allow-multihop-bgp {
 from {
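Review bot: BCP38-edge-IPv4 ends after its two accept terms and so relies on Junos's implicit discard, which drops everything else silently with no counter; the same applies to BCP38-edge-IPv6 in the next hunk. A closing term such as `term default { then { count BCP38-IPv4-discards; discard; } }` keeps the drop behaviour but makes spoofed or misclassified sources visible in `show firewall` and gives operations something to alarm on. Because the filter is attached in the output direction, an empty or failed `59811|get_prefixes_for_asn` lookup would render a filter that accepts only the linknets and discards all customer traffic, so the template should fail the render when `as_set_prefixes['ipv4']` is empty rather than emit the filter. The ASN literal also appears twice (in the lookup and in the term name `allow-AS59811-set`); a single `{%- set bcp38_asn = 59811 %}` would keep them in step.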
@@ -118,6 +164,33 @@
 }
 }
 family inet6 {
+ filter BCP38-edge-IPv6 {
+ term allow-AS59811-set {
+ from {
+ source-address {
+ {% for prefix in as_set_prefixes['ipv6'] %}
+ {{ prefix['prefix'] }};
+ {% endfor %}
+ }
+ }
+ then {
+ accept
+ }
+ }
+ term allow-interfaces {
+ from {
+ source-address {
+ {%- for address in linknets_ipv6 %}
+ {{ address }};
+ {%- endfor %}
+ }
+ }
+ then {
+ accept
+ }
+ }
+ }
+ filter control-plane-protection-IPv6 {
 {% if bgp_multihop_prefixes_v6 %}
 term allow-multihop-bgp {
diff --git a/includes/junos-v21-core-router/interfaces.j2 b/includes/junos-v21-core-router/interfaces.j2
index 90a163f..8a2079f 100644
--- a/includes/junos-v21-core-router/interfaces.j2
+++ b/includes/junos-v21-core-router/interfaces.j2
@@ -22,6 +22,9 @@
 filter {
 input control-plane-protection-IPv4;
+ {%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
+ output BCP38-edge-IPv4;
+ {%- endif %}
 }
 }
 family inet6 {
@@ -37,6 +40,9 @@
 filter {
 input control-plane-protection-IPv6;
+ {%- if 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}
+ output BCP38-edge-IPv6;
+ {%- endif %}
 }
 }
 {%- set tags = interface.tags|tags_to_map %}
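Review bot: BCP38-edge-IPv6 accepts only the AS-SET prefixes and the global linknet addresses collected in the previous hunk, so any router-originated packet with a link-local source (fe80::/10, i.e. Neighbor Discovery and Router Advertisements) falls to the implicit discard if Junos evaluates the output filter for Routing Engine-originated traffic on these ports — worth confirming in a lab before this is rolled to transit/IX/PNI links. If it does, a term accepting `source-address { fe80::/10; }` (optionally narrowed with `next-header icmp6;`) is needed ahead of the final discard, otherwise neighbor resolution on the link breaks once the filter is committed. Separately, the IPv4 and IPv6 filter bodies are identical apart from the family and the two source lists; a Jinja macro taking those as arguments would remove the duplication between this hunk and the previous one.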
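Review bot: Both interfaces.j2 hunks test `'transit-link' in interface_tags`, but nothing in either hunk shows `interface_tags` being set in this template (the per-interface tag map is built later as `tags` from `interface.tags|tags_to_map`), and the only place the list is built is inside a for loop in firewall.j2. If it is not in scope here, Jinja2's default `Undefined` iterates as empty, the condition is quietly false and the BCP38 output filter is never attached — a fail-open that no commit check would catch. Please confirm where `interface_tags` comes from, or derive the condition from the same source firewall.j2 uses, and consider computing it once, e.g. `{%- set bcp38_edge = 'transit-link' in interface_tags or 'ix-link' in interface_tags or 'pni-link' in interface_tags %}`, so the three copies of this expression across firewall.j2 and interfaces.j2 cannot drift; a drift would collect a link's addresses without filtering it, or filter it without allowing its own addresses.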