Configuring Selective Stateless Packet-Based Services

Selective stateless packet-based services are configured using the stateless firewall filters (ACLs). You classify traffic for packet-based forwarding by specifying match conditions in the firewall filters and configure a packet-mode action modifier to specify the action. Once match conditions and actions are defined, firewall filters are applied to relevant interfaces.

To configure a firewall filter:

1. Define the address family—First define the address family of the packets that a firewall filter matches. To define the family name, specify inet to filter IPv4 packets. Specify mpls to filter MPLS packets. Specify ccc to filter Layer 2 switching cross-connects.
2. Define terms—Define one or more terms that specify the filtering criteria and the action to take if a match occurs. Each term consists of two components—match conditions and actions.
   • Match conditions—Specify certain characteristics that the packet must match for the action to be performed. You can define various match conditions, such as the IP source address field, IP destination address field, and IP protocol field.
   • Action—Specify what is to be done with the packet if it matches the match conditions. Possible actions are to accept, discard, or reject a packet; go to the next term; or take no action.

     You can specify only one action statement (or omit it) in a term, but you can specify any combination of action modifiers with it. Action modifiers include a default accept action. For example, if you specify an action modifier and do not specify an action, the specified action modifier is implemented and the packet is accepted.

     The packet-mode action modifier specifies traffic to bypass flow-based forwarding. Like other action modifiers, you can configure the packet-mode action modifier along with other actions, such as accept or count.

3. Apply firewall filters to interfaces—To have the firewall filter take effect, apply it to an interface.

When the packet comes in on an interface, the input packet filters configured on the interface are applied. If the packet matches the specified conditions and packet-mode action is configured, the packet bypasses the flow-based forwarding completely.

When configuring filters, be mindful of the order of the terms within the firewall filter. Packets are tested against each term in the order in which it is listed in the configuration. When the first matching conditions are found, the action associated with that term is applied to the packet and the evaluation of the firewall filter ends, unless the next term action modifier is included. If the next term action is included, the matching packet is then evaluated against the next term in the firewall filter; otherwise, the matching packet is not evaluated against subsequent terms in the firewall filter.

When configuring firewall filters for selective stateless packet-based services:

• Accurately identify traffic that needs to bypass flow to avoid unnecessary packet drops.
• Make sure to apply the firewall filter with packet-mode action on all interfaces involved in the packet-based flow path.
• Make sure to configure host-bound TCP traffic to use flow-based forwarding—exclude this traffic when specifying match conditions for the firewall filter term containing the packet-mode action modifier. Any host-bound TCP traffic configured to bypass flow is dropped. Asynchronous flow-mode processing is not supported with selective stateless packet-based services.
• Configure input packet filters (not output) with the packet-mode action modifier.

Note: Nested firewall filters (configuring a filter within the term of another filter) are not supported with selective stateless packet-based services.

Some typical deployment scenarios where you can configure selective stateless packet-based services are:

• Traffic flow between private LAN and WAN interfaces, such as for Intranet traffic, where end-to-end forwarding is packet-based
• Traffic flow between private LAN and not-so-secure WAN interfaces, where traffic uses packet-based and flow-based forwarding for secure and not so secure traffic respectively
• Traffic flow between the private LAN and WAN interface with failover to flow-based IPsec WAN when the private WAN link is down
• Traffic flow from flow-based LAN to packet-based MPLS WAN

This chapter covers the deployment scenarios for end-to-end packet-based forwarding and traffic flow with packet-based to flow-based forwarding. For information about configuring other deployment scenarios, contact your Juniper channel-partner/value-added-reseller, sales account team or customer support representative, or refer to the Selective Packet Services App. Note.