Rate and give feedback:  Feedback Received. Thank You!

Rate and give feedback: 

X

This document helped resolve my issue

Yes No

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:  

E-mail: 

Enter a valid Email ID

Need product assistance? Contact Juniper Support

Submit

This site is protected by hCaptcha and its Privacy Policy and Terms of Service apply.

Example: Configuring and Applying Service Filters

Requirements

• Adaptive Services (AS) PIC on an M Series or T Series router
• Multiservices (MS) PIC on an M Series or T Series router
• Multiservices (MS) DPC on an MX Series router
• EX Series switch

• Installed your supported router (or switch) and PICs or DPCs and performed the initial router (or switch) configuration.
• Configured basic Ethernet in the topology, and verified that traffic is flowing in the topology and that IPv4 traffic is flowing through logical interface xe-0/1/0.0.
• Configured the service set vrf_svcs with service input and output rules and default settings for services at a service interface.

For guidelines for configuring service sets, see “Configuring Service Sets to be Applied to Services Interfaces” in the Junos Services Interfaces Configuration Release 11.2.

Overview

In this example, you create three types of service filters for IPv4 traffic: one input service filter, one postservice input filter, and one output service filter.

Topology

• Filtering IPv4 traffic before it is accepted for input service processing—At logical interface xe-0/1/0.0, you use the service filter in_filter_presvc to filter IPv4 input traffic before the traffic can be accepted for processing by services associated with service set vrf_svcs. The in_filter_presvc service filter counts packets sent from ICMP port 179, directs these packets to the input services associated with the service set vrf_svcs, and discards all other packets.
• Filtering IPv4 traffic after it has completed input service processing—At logical interface xe-0/1/0.0, you use the service filter in_filter_postsvc to filter traffic that is returning to the services interface after the input service set in_filter_presvc is executed. The in_filter_postsvc service filter counts packets sent from ICMP port 179 and then discards them.
• Filtering IPv4 traffic before it is accepted for output service processing—At logical interface xe-0/1/0.0, you use the service-filter out_filter_presvc to filter IPv4 output traffic before the traffic can be accepted for processing by the services associated with service set vrf_svcs. The out_filter_presvc service filter counts packets destined for TCP port 179 and then directs the packets to the output services associated with the service set vrf_svcs.

Configuration

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.

To configure this example, perform the following tasks:

• Configuring the Three Service Filters
• Applying the Three Service Filters

CLI Quick Configuration

To quickly configure this example, copy the following commands into a text file, remove any line breaks, and then paste the commands into the CLI at the [edit] hierarchy level.

Configuring the Three Service Filters

Step-by-Step Procedure

1. Configure the input service filter.

   [edit]user@host# edit firewall family inet service-filter in_filter_presvc [edit firewall family inet service-filter in_filter_presvc]user@host# set term t1 from protocol tcpuser@host# set term t1 from source-port bgpuser@host# set term t1 then count svc_in_pktsuser@host# set term t1 then service

2. Configure the postservice input filter.

   [edit]user@host# edit firewall family inet service-filter in_filter_postsvc [edit firewall family inet service-filter in_filter_postsvc]user@host# set term t2 from protocol tcpuser@host# set term t2 from source-port bgpuser@host# set term t2 then count svc_in_pkts_rtnuser@host# set term t2 then skip

3. Configure the output service filter.

   [edit]user@host# edit firewall family inet service-filter out_filter_presvc [edit firewall family inet service-filter out_filter_presvc]user@host# set term t3 from protocol icmpuser@host# set term t3 from destination-port bgpuser@host# set term t3 then count svc_out_pktsuser@host# set term t3 then service

Results

Applying the Three Service Filters

Step-by-Step Procedure

1. Access the IPv4 protocol on the input interface xe-0/1/0.0.

   [edit]user@host# edit interfaces xe-0/1/0 unit 0 family inet

2. Apply the input service filter and the postservice input filter.

   [edit interfaces xe-0/1/0 unit 0 family inet]user@host# set service input service-set vrf_svcs service-filter in_filter_presvcuser@host# set service input post-service-filter in_filter_postsvcuser@host# set service output service-set vrf_svcs service-filter out_filter_presvc

Results

When you are done configuring the device, commit your candidate configuration.

Verification

Confirm that the configuration is working properly.

• Verifying That Inbound Traffic Is Filtered Before Input Service
• Verifying That Inbound Traffic Is Filtered After Input Service Processing
• Verifying That Outbound Traffic Is Filtered Before Output Service Processing

Verifying That Inbound Traffic Is Filtered Before Input Service

Purpose

Verify that inbound packets sent from TCP port 179 are sent for processing by the input services associated with the service set vrf_svcs.

Action

Verifying That Inbound Traffic Is Filtered After Input Service Processing

Purpose

Verify that inbound packets sent from TCP port 179 are returned from processing by the input services associated with the service set vrf_svcs.

Action

Verifying That Outbound Traffic Is Filtered Before Output Service Processing

Purpose

Verify that outbound packets sent to ICMP port 179 are sent for processing by the output services associated with the service set vrf_svcs.

Action