Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

English  

English

Example: Configuring Filter-Based Forwarding on the Source Address

Requirements

In this example, no special configuration beyond device initialization is required.

Overview

Filter-based forwarding is supported for IP version 4 (IPv4) and IP version 6 (IPv6).

Use filter-based forwarding for service provider selection when customers have Internet connectivity provided by different ISPs yet share a common access layer. When a shared media (such as a cable modem) is used, a mechanism on the common access layer looks at Layer 2 or Layer 3 addresses and distinguishes between customers. You can use filter-based forwarding when the common access layer is implemented using a combination of Layer 2 switches and a single router.

With filter-based forwarding, all packets received on an interface are considered. Each packet passes through a filter that has match conditions. If the match conditions are met for a filter and you have created a routing instance, filter-based forwarding is applied to a packet. The packet is forwarded based on the next hop specified in the routing instance. For static routes, the next hop can be a specific LSP.

Note: Source-class usage filter matching and unicast reverse-path forwarding checks are not supported on an interface configured with filter-based forwarding (FBF).

To configure filter-based forwarding, perform the following tasks:

• Create a match filter on an ingress router or switch. To specify a match filter, include the filter filter-name statement at the [edit firewall] hierarchy level. A packet that passes through the filter is compared against a set of rules to classify it and to determine its membership in a set. Once classified, the packet is forwarded to a routing table specified in the accept action in the filter description language. The routing table then forwards the packet to the next hop that corresponds to the destination address entry in the table.
• Create routing instances that specify the routing table(s) to which a packet is forwarded, and the destination to which the packet is forwarded at the [edit routing-instances] hierarchy level. For example:
  [edit]

  routing-instances {routing-table-name1 {instance-type forwarding;routing-options {static {route 0.0.0.0/0 nexthop 10.0.0.1;}}}routing-table-name2 {instance-type forwarding;routing-options {static {route 0.0.0.0/0 nexthop 10.0.0.2;}}}}
• Create a routing table group that adds interface routes to the forwarding routing instances used in filter-based forwarding (FBF), as well as to the default routing instance inet.0. This part of the configuration resolves the routes installed in the routing instances to directly connected next hops on that interface. Create the routing table group at the [edit routing-options] hierarchy level.

Note: Specify inet.0 as one of the routing instances that the interface routes are imported into. If the default instance inet.0 is not specified, interface routes are not imported into the default routing instance.

This example shows a packet filter that directs customer traffic to a next-hop router in the domains, SP 1 or SP 2, based on the packet’s source address.

If the packet has a source address assigned to an SP 1 customer, destination-based forwarding occurs using the sp1-route-table.inet.0 routing table. If the packet has a source address assigned to an SP 2 customer, destination-based forwarding occurs using the sp2-route-table.inet.0 routing table. If a packet does not match either of these conditions, the filter accepts the packet, and destination-based forwarding occurs using the standard inet.0 routing table.

Figure 1 shows the topology used in this example.

On Device P1, an input filter classifies packets received from Device PE3 and Device PE4. The packets are routed based on the source addresses. Packets with source addresses in the 10.1.1.0/24 and 10.1.2.0/24 networks are routed to Device PE1. Packets with source addresses in the 10.2.1.0/24 and 10.2.2.0/24 networks are routed to Device PE2.

Figure 1: Filter-Based Forwarding

To establish connectivity, OSPF is configured on all of the interfaces. For demonstration purposes, loopback interface addresses are configured on the routing devices to represent networks in the clouds.

The CLI Quick Configuration section shows the entire configuration for all of the devices in the topology. The Configuring the Routing Instances on the Device P1 section shows the step-by-step configuration of the ingress routing device, Device P1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Firewall Filter

Step-by-Step Procedure

1. Configure the source addresses for SP1 customers.
   [edit firewall filter classify-customers term sp1-customers]user@host# set from source-address 10.1.1.0/24user@host# set from source-address 10.1.2.0/24
2. Configure the actions that are taken when packets are received with the specified source addresses.

   To track the action of the firewall filter, a log action is configured. The sp1-route-table.inet.0 routing table on Device P1 routes the packets.

   [edit firewall filter classify-customers term sp1-customers]user@host# set then loguser@host# set then routing-instance sp1-route-table
3. Configure the source addresses for SP2 customers.
   [edit firewall filter classify-customers term sp2-customers]user@host# set from source-address 10.2.1.0/24user@host# set from source-address 10.2.2.0/24
4. Configure the actions that are taken when packets are received with the specified source addresses.

   To track the action of the firewall filter, a log action is configured. The sp2-route-table.inet.0 routing table on Device P1 routes the packet.

   [edit firewall filter classify-customers term sp2-customers]user@host# set then loguser@host# set then routing-instance sp2-route-table
5. Configure the action to take when packets are received from any other source address.

   All of these packets are simply accepted and routed using the default IPv4 unicast routing table, inet.0.

   [edit firewall filter classify-customers term default]user@host# set then accept

Configuring the Routing Instances on the Device P1

Step-by-Step Procedure

1. Configure the interfaces.

   [edit interfaces fe-1/2/0]user@host# set unit 0 family inet address 172.16.0.10/30
   [edit interfaces fe-1/2/1]user@host# set unit 0 family inet address 172.16.0.13/30
   [edit interfaces fe-1/2/2]user@host# set unit 0 family inet address 172.16.0.17/30
2. Assign the classify-customers firewall filter to router interface fe-1/2/0.0 as an input packet filter.
   [edit interfaces fe-1/2/0]user@host# set unit 0 family inet filter input classify-customers

3. Configure connectivity, using either a routing protocol or static routing.

   As a best practice, disable routing on the management interface.

   [edit protocols ospf area 0.0.0.0]user@host# set interface alluser@host# set interface fxp0.0 disable

4. Create the routing instances.

   These routing instances are referenced in the classify-customers firewall filter.

   The forwarding instance type provides support for filter-based forwarding, where interfaces are not associated with instances. All interfaces belong to the default instance, in this case Device P1.

   [edit routing-instances]user@host# set sp1-route-table instance-type forwarding
   user@host# set sp2-route-table instance-type forwarding

5. Resolve the routes installed in the routing instances to directly connected next hops.

   [edit routing-instances sp1-route-table routing-options]user@host# set static route 0.0.0.0/0 next-hop 172.16.0.13
   user@host# set static route 0.0.0.0/0 next-hop 172.16.0.17

6. Group together the routing tables to form a routing table group.

   The first routing table, inet.0, is the primary routing table, and the additional routing tables are the secondary routing tables.

   The primary routing table determines the address family of the routing table group, in this case IPv4.

   [edit routing-options]user@host# set rib-groups fbf-group import-rib inet.0user@host# set rib-groups fbf-group import-rib sp1-route-table.inet.0user@host# set rib-groups fbf-group import-rib sp2-route-table.inet.0
7. Apply the routing table group to OSPF.

   This causes the OSPF routes to be installed into all the routing tables in the group.

   [edit protocols ospf]user@host# set rib-group fbf-group

8. If you are done configuring the device, commit the configuration.

   [edit]user@host# commit

Results

Confirm your configuration by issuing the show interfaces, show firewall, show protocols, show routing-instances, and show routing-options commands.

Verification

Confirm that the configuration is working properly.

Pinging with Specified Source Addresses

Purpose

Send some ICMP packets across the network to test the firewall filter.

Action

1. Run the ping command, pinging the lo0.0 interface on Device PE1.

   The address configured on this interface is 1.1.1.1.

   Specify the source address 10.1.2.1, which is the address configured on the lo0.0 interface on Device PE3.

   user@PE3> ping 1.1.1.1 source 10.1.2.1

   PING 1.1.1.1 (1.1.1.1): 56 data bytes
   64 bytes from 1.1.1.1: icmp_seq=0 ttl=62 time=1.444 ms
   64 bytes from 1.1.1.1: icmp_seq=1 ttl=62 time=2.094 ms
   ^C
   --- 1.1.1.1 ping statistics ---
   2 packets transmitted, 2 packets received, 0% packet loss
   round-trip min/avg/max/stddev = 1.444/1.769/2.094/0.325 ms

2. Run the ping command, pinging the lo0.0 interface on Device PE2.

   The address configured on this interface is 2.2.2.2.

   Specify the source address 10.2.1.1, which is the address configured on the lo0.0 interface on Device PE4.

   user@PE4> ping 2.2.2.2 source 10.2.1.1

   PING 2.2.2.2 (2.2.2.2): 56 data bytes
   64 bytes from 2.2.2.2: icmp_seq=0 ttl=62 time=1.473 ms
   64 bytes from 2.2.2.2: icmp_seq=1 ttl=62 time=1.407 ms
   ^C
   --- 2.2.2.2 ping statistics ---
   2 packets transmitted, 2 packets received, 0% packet loss
   round-trip min/avg/max/stddev = 1.407/1.440/1.473/0.033 ms

Meaning

Sending these pings activates the firewall filter actions.

Verifying the Firewall Filter

Purpose

Make sure the firewall filter actions take effect.

Action

1. Run the show firewall log command on Device P1.
   user@P1> show firewall log

   Log :
   Time      Filter    Action Interface     Protocol        Src Addr            Dest Addr
   13:52:20  pfe       A      fe-1/2/0.0   ICMP            10.2.1.1            2.2.2.2
   13:52:19  pfe       A      fe-1/2/0.0   ICMP            10.2.1.1            2.2.2.2
   13:51:53  pfe       A      fe-1/2/0.0   ICMP            10.1.2.1            1.1.1.1
   13:51:52  pfe       A      fe-1/2/0.0   ICMP            10.1.2.1            1.1.1.1