Example: Configuring Filter-Based Forwarding on the Source Address

This example shows how to configure filter-based forwarding (FBF), which is sometimes also called policy-based routing (PBR). The filter classifies packets to determine their forwarding path within the ingress routing device.

Filter-based forwarding is supported for IP version 4 (IPv4) and IP version 6 (IPv6).

Note:

QFX5110, QFX5120, QFX5130, QFX5200, QFX5210, QFX5220, QFX5230, QFX5240, and QFX5700 do not support instance-type forwarding; only instance-type virtual-router is supported.

Requirements

No special configuration beyond device initialization is required for this example.

Overview

In this example, we use FBF for service provider selection when customers have Internet connectivity provided by different ISPs yet share a common access layer. When a shared medium (such as a cable modem) is used, a mechanism on the common access layer looks at Layer 2 or Layer 3 addresses and distinguishes between customers. You can use filter-based forwarding when the common access layer is implemented using a combination of Layer 2 switches and a single router.

With FBF, all packets received on an interface are considered. Each packet passes through a filter that has match conditions. If the match conditions are met for a filter and you have created a routing instance, FBF is applied to the packet. The packet is forwarded based on the next hop specified in the routing instance. For static routes, the next hop can be a specific LSP.

Note:

Source-class usage filter matching and unicast reverse-path forwarding checks are not supported on an interface configured for FBF.

To configure FBF, perform the following tasks:

  • Create a match filter on the ingress device. To specify a match filter, include the filter filter-name statement at the [edit firewall] hierarchy level. A packet that passes through the filter is compared against a set of rules to classify it and to determine its membership in a set. Once classified, the packet is forwarded to a routing table specified in the accept action in the filter description language. The routing table then forwards the packet to the next hop that corresponds to the destination address entry in the table.

  • Create routing instances that specify the routing table(s) to which a packet is forwarded, and the destination to which the packet is forwarded at the [edit routing-instances] hierarchy level. For example:

  • Create a RIB group to share interface routes with the forwarding routing instances used in filter-based forwarding (FBF). This part of the configuration resolves the routes installed in the routing instances to directly connected next hops on that interface. Create the routing table group at the [edit routing-options] hierarchy level.

This example shows a packet filter that directs customer traffic to a next-hop router in one of two domains, SP1 or SP2, based on the packet’s source address.

If the packet has a source address assigned to an SP1 customer, destination-based forwarding occurs using the sp1-route-table.inet.0 routing table. If the packet has a source address assigned to an SP2 customer, destination-based forwarding occurs using the sp2-route-table.inet.0 routing table. If a packet does not match either of these conditions, the filter accepts the packet, and destination-based forwarding occurs using the standard inet.0 routing table.

Topology

Figure 1 shows the topology used in this example.

On Device P1, an input filter classifies packets received from Device PE3 and Device PE4. The packets are routed based on the source addresses. Packets with source addresses in the 10.1.1.0/24 and 10.1.2.0/24 networks are routed to Device PE1. Packets with source addresses in the 10.2.1.0/24 and 10.2.2.0/24 networks are routed to Device PE2.

Figure 1: Filter-Based Forwarding

To establish connectivity, OSPF is configured on all of the interfaces. For demonstration purposes, loopback interface addresses are configured on the routing devices to represent networks in the clouds.

The CLI Quick Configuration section shows the entire configuration for all of the devices in the topology. The Configuring Filter-Based Forwarding on Device P1 section shows the step-by-step configuration of the ingress routing device, Device P1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Device P1

Device P2

Device PE1

Device PE2

Device PE3

Device PE4

Configuring the Firewall Filter on P1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the firewall filter on the main router or switch:

  1. Configure the source addresses for SP1 customers.

  2. Configure the actions that are taken when packets are received with the specified source addresses; they are logged, and they are passed to the sp1-route-table routing instance for routing via the sp1-route-table.inet.0 routing table.

  3. Configure the source addresses for SP2 customers.

  4. Configure the actions that are taken when packets are received with the specified source addresses; they are logged, and they are passed to the sp2-route-table routing instance for routing via the sp2-route-table.inet.0 routing table.

  5. Configure the action to take when packets are received from any other source address; they are accepted and routed using the default IPv4 unicast routing table, inet.0.
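The filter that steps 1 through 5 build, written as set commands. This is an added example reconstructed from the steps, not the page's own Quick Configuration listing; the term names sp1-customers, sp2-customers and default are assumed, since the text does not name the terms. Lines beginning with # are comments.

```junos
# Added example: the classify-customers filter as set commands (term names assumed).
# Terms are evaluated in order and the first match wins.
# Term 1: SP1 customer sources are logged, then handed to sp1-route-table.inet.0
set firewall family inet filter classify-customers term sp1-customers from source-address 10.1.1.0/24
set firewall family inet filter classify-customers term sp1-customers from source-address 10.1.2.0/24
set firewall family inet filter classify-customers term sp1-customers then log
set firewall family inet filter classify-customers term sp1-customers then routing-instance sp1-route-table
# Term 2: SP2 customer sources are logged, then handed to sp2-route-table.inet.0
set firewall family inet filter classify-customers term sp2-customers from source-address 10.2.1.0/24
set firewall family inet filter classify-customers term sp2-customers from source-address 10.2.2.0/24
set firewall family inet filter classify-customers term sp2-customers then log
set firewall family inet filter classify-customers term sp2-customers then routing-instance sp2-route-table
# Term 3: everything else is accepted and routed via the default inet.0 table.
# Without this final accept, non-matching traffic would hit the filter's implicit discard.
set firewall family inet filter classify-customers term default then accept
```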

Configuring Filter-Based Forwarding on Device P1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure the routing instances:

  1. Configure the interfaces.

  2. Assign the classify-customers firewall filter to router interface fe-1/2/0.0 as an input packet filter.

  3. Configure connectivity, using either a routing protocol or static routing.

    As a best practice, disable routing on the management interface.

  4. Create the routing instances that are referenced in the classify-customers firewall filter. The forwarding instance type provides support for filter-based forwarding, where interfaces are not associated with instances.

  5. For each routing instance, define a default route to forward traffic to the specified next hop (PE1 and PE2 in this example).

  6. Associate the routing tables to form a routing table group. The first routing table, inet.0, is the primary routing table, and the others are secondary routing tables. The primary routing table determines the address family of the routing table group, in this case IPv4.

  7. Specify the fbf-group routing table group within the OSPF configuration to install OSPF routes into the three routing tables.

  8. Commit the configuration when you are done.
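The routing side of steps 2 through 7 as set commands, again an added example and not the page's own listing. The text does not give the PE1 and PE2 next-hop addresses, so 10.0.0.6 and 10.0.0.10 stand in for them here; fxp0 is assumed to be the management interface, and the OSPF interface list is limited to the interfaces the text names. Lines beginning with # are comments.

```junos
# Added example; assumed values: 10.0.0.6 = PE1 next hop, 10.0.0.10 = PE2 next hop,
# fxp0 = management interface (none of these are given on the page).
# Step 2: apply classify-customers to packets arriving from PE3 and PE4
set interfaces fe-1/2/0 unit 0 family inet filter input classify-customers
# Steps 4 and 5: forwarding-type instances, each with a default route to its SP router
set routing-instances sp1-route-table instance-type forwarding
set routing-instances sp1-route-table routing-options static route 0.0.0.0/0 next-hop 10.0.0.6
set routing-instances sp2-route-table instance-type forwarding
set routing-instances sp2-route-table routing-options static route 0.0.0.0/0 next-hop 10.0.0.10
# Step 6: RIB group; inet.0 is listed first as the primary table, which fixes the family to IPv4
set routing-options rib-groups fbf-group import-rib inet.0
set routing-options rib-groups fbf-group import-rib sp1-route-table.inet.0
set routing-options rib-groups fbf-group import-rib sp2-route-table.inet.0
# Step 7: OSPF installs its routes into all three tables, so the static next hops resolve
set protocols ospf rib-group fbf-group
set protocols ospf area 0.0.0.0 interface fe-1/2/0.0
set protocols ospf area 0.0.0.0 interface lo0.0
# Step 3 best practice: keep routing off the management interface
set protocols ospf area 0.0.0.0 interface fxp0.0 disable
```

After commit, show route table sp1-route-table.inet.0 should list the 0.0.0.0/0 static route together with the OSPF routes imported through fbf-group; if the OSPF routes are missing, the static next hop cannot resolve and classified traffic is dropped.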

Results

Confirm your configuration by issuing the show interfaces, show firewall, show protocols, show routing-instances, and show routing-options commands.

Verification

Confirm that the configuration is working properly.

Pinging with Specified Source Addresses

Purpose

Send some ICMP packets across the network to test the firewall filter.

Action

  1. Run the ping command, pinging the lo0.0 interface on Device PE1.

    The address configured on this interface is 172.16.1.1.

    Specify the source address 10.1.2.1, which is the address configured on the lo0.0 interface on Device PE3.

  2. Run the ping command, pinging the lo0.0 interface on Device PE2.

    The address configured on this interface is 172.16.2.2.

    Specify the source address 10.2.1.1, which is the address configured on the lo0.0 interface on Device PE4.

Meaning

Sending these pings activates the firewall filter actions.

Verifying the Firewall Filter

Purpose

Make sure the firewall filter actions take effect.

Action

  1. Run the show firewall log command on Device P1.