Filter-Based Forwarding for Routing Instances
For IPv4 traffic only, you can use stateless firewall filters in routing instances to control how packets travel in a network. This is called filter-based forwarding.
You can define a firewall filtering term that directs matching packets to a specified routing instance. This type of filtering can be configured to route specific types of traffic through a firewall or other security device before the traffic continues on its path.
To configure a stateless firewall filter to direct traffic to a routing instance, configure a term with the routing-instance routing-instance-name terminating action at the [edit firewall family inet] hierarchy level to specify the routing instance to which matching packets will be forwarded. You can apply a forwarding table filter to a routing instance of type forwarding and also to the default routing instance inet.0. To configure the filter to direct traffic to the master routing instance, use the routing-instance default statement at the [edit firewall family inet] hierarchy level.
The following limitations apply to filter-based forwarding configured on routing instances:
- You cannot configure any of the following actions in a firewall filtering term when the filtering term contains the routing-instance routing-instance-name terminating action:
  - count counter-name
  - discard
  - forwarding-class class-name
  - log
  - loss-priority (high | medium-high | low)
  - policer policer-name
  - port-mirror
  - reject message-type
  - syslog
  - three-color-policer (single-rate | two-rate) policer-name
- You cannot configure the fragment-flags number match condition in the filter term.
- You cannot attach a filter that is either default or physical interface-specific.
- You cannot attach a filter to the egress direction of routing instances.
Although you can configure forwarding of packets from one VRF to another VRF, you cannot configure forwarding from a VRF to the global routing instance.
You can configure a maximum of 256 firewall filter terms for filter-based forwarding. The maximum number of routing instances supported is 64, which is the same as the maximum number of virtual routers supported. Forwarding packets to the global table (default VRF) is not supported for filter-based forwarding.
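The limitations above can be checked before a configuration is committed. The following is an added example, not Juniper code: a small Python audit over set-style configuration lines that flags terms combining routing-instance with a disallowed action or with the fragment-flags match condition, and counts terms against the 256-term limit. It assumes the limit is counted over terms that carry the routing-instance action; the filter, term, counter and instance names in the sample are constructed.

```python
import re

# Actions the page lists as not configurable in a term that uses routing-instance.
FORBIDDEN_WITH_RI = {
    "count", "discard", "forwarding-class", "log", "loss-priority", "policer",
    "port-mirror", "reject", "syslog", "three-color-policer",
}
MAX_FBF_TERMS = 256  # limit stated on the page

# Matches set-style lines for IPv4 filter terms (from/then statements only).
TERM_LINE = re.compile(
    r"^set firewall family inet filter (\S+) term (\S+) (from|then) (\S+)(?: (.*))?$"
)

def audit_fbf(set_lines):
    """Return findings for filter terms that break the documented FBF limits."""
    terms = {}
    for line in set_lines:
        m = TERM_LINE.match(line.strip())
        if not m:
            continue
        flt, term, kind, key, rest = m.groups()
        entry = terms.setdefault((flt, term), {"from": set(), "then": set(), "ri": None})
        entry[kind].add(key)
        if kind == "then" and key == "routing-instance":
            entry["ri"] = rest
    # Only terms that carry the routing-instance action are subject to the limits.
    fbf = {name: e for name, e in terms.items() if e["ri"]}
    findings = []
    for (flt, term), e in sorted(fbf.items()):
        for action in sorted(e["then"] & FORBIDDEN_WITH_RI):
            findings.append(f"{flt}/{term}: action '{action}' cannot be used with routing-instance")
        if "fragment-flags" in e["from"]:
            findings.append(f"{flt}/{term}: match condition 'fragment-flags' is not supported")
    if len(fbf) > MAX_FBF_TERMS:
        findings.append(f"{len(fbf)} filter-based forwarding terms exceed the limit of {MAX_FBF_TERMS}")
    return findings

# Constructed sample configuration (filter, term and instance names are hypothetical).
SAMPLE = [
    "set firewall family inet filter fbf-in term to-fw from source-address 10.1.1.0/24",
    "set firewall family inet filter fbf-in term to-fw then routing-instance inspect-vr",
    "set firewall family inet filter fbf-in term bad from fragment-flags 0x2000",
    "set firewall family inet filter fbf-in term bad then count fbf-hits",
    "set firewall family inet filter fbf-in term bad then routing-instance inspect-vr",
    "set firewall family inet filter fbf-in term rest then accept",
]

if __name__ == "__main__":
    for finding in audit_fbf(SAMPLE):
        print(finding)
```

Because count, log and syslog cannot share a term with routing-instance, a redirected flow produces no filter-level counter or log entry from that term, so visibility into steered traffic has to come from the security device or the destination routing instance.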