Example: Configuring Filter-Based Forwarding
Filter-based forwarding (FBF), which is also called Policy Based Routing (PBR), provides a simple but powerful way to route IP traffic to different interfaces on the basis of Layer-3 or Layer-4 parameters.
FBF works by using match conditions in a firewall filter to select certain traffic and then direct it to a given routing instance that points to the desired next hop. To ensure the next hop is resolvable, interface routes from the main routing table are shared via RIB group with the routing table(s) specified in the routing instance(s).
Match conditions can include the source or destination IP address, source or destination port, IP protocol, DSCP value, TCP flag, ICMP type, and packet length.
Requirements
This example has the following hardware and software requirements:
MX Series 5G Universal Routing Platform as the routing device with the firewall filter configured.
Junos OS Release 13.3 or later running on the routing device with the firewall filter configured.
Overview
This example shows the configuration settings you need to set up filter-based forwarding on a single device. Figure 1 shows the ingress and egress interfaces on an MX Series router and illustrates the logical flow of events as packets traverse the device.

A firewall filter called webFilter is attached to the ingress interface, fe-0/0/0. Packets arriving over the interface are evaluated against the match conditions specified in the filter, the logic of which directs HTTP and HTTPS traffic to a routing instance called webtraffic. This routing instance accomplishes three things: first, it establishes a routing table called webtraffic.inet.0; second, it lets you define a static route and next hop; and third, it lets you configure the instance for forwarding traffic to the next hop (here, 192.0.2.2 on interface fe-0/0/1).
Term 2 in the firewall filter, then accept, specifies that all non-matching traffic take a different path. We define a static route with next hop of 203.0.113.2 to have this traffic egress the device via fe-0/0/2. The route is automatically installed in the master routing table, inet.0.
The last (logical) step in setting up FBF is to ensure that both routes are resolvable. The RIB group (FBF-rib in this example) makes it so interface-routes from inet.0 can be shared with webtraffic.inet.0.
For examples that focus on a specific use case or multi-device topologies, see the Related Topics.
Configuration
CLI Quick Configuration
Both copy-paste and step-by-step instructions for creating filter-based forwarding on a single device are provided.
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Configure a device for filter-based forwarding
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure the device:
- Configure the inbound interface and attach the webFilter firewall filter to it.
    [edit interfaces fe-0/0/0 unit 0 family inet]
    user@device# set filter input webFilter
    user@device# set address 198.51.100.1/24
- Configure the outbound interfaces, one for Web traffic and the other for all other traffic.
    [edit interfaces]
    user@device# set fe-0/0/1 unit 0 family inet address 192.0.2.1/24
    user@device# set fe-0/0/2 unit 0 family inet address 203.0.113.1/24
- Configure the firewall filter to pass Web traffic to the webtraffic routing instance and all other traffic to 203.0.113.1.
    [edit firewall family inet filter webFilter]
    user@device# set term 1 from destination-port http
    user@device# set term 1 from destination-port https
    user@device# set term 1 then routing-instance webtraffic
    user@device# set term 2 then accept
- Optional: Monitor traffic handling of the firewall filter by adding a counter.
    [edit]
    user@device# set firewall family inet filter webFilter term 1 then count webtraffic-count
- Create the webtraffic routing instance and configure it to forward Web traffic to fe-0/0/1.
    [edit routing-instances webtraffic]
    user@device# set routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
    user@device# set instance-type forwarding
- Create a route for non-Web traffic (the route is automatically installed in the inet.0 routing table).
    [edit routing-options]
    user@device# set static route 0.0.0.0/0 next-hop 203.0.113.2
- Create a RIB group called FBF-rib, and configure it so inet.0 shares interface routes with webtraffic.inet.0.
    [edit routing-options]
    user@device# set rib-groups FBF-rib import-rib inet.0
    user@device# set rib-groups FBF-rib import-rib webtraffic.inet.0
- Associate a routing table group with the routing device’s interfaces, and specify routing table groups into which interface routes are imported.
    [edit routing-options]
    user@device# set interface-routes rib-group inet FBF-rib
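The steps above depend on each other: the filter must be attached, the routing instance it names must exist as a forwarding instance with a route, and the RIB group must be applied to interface routes so the next hop resolves. The following Python check is an added example, not part of the original documentation; it assumes the configuration is available as top-level set commands, the sample is constructed from the commands in this procedure, and audit_fbf is a hypothetical helper name.

```python
import re

# Constructed sample: the commands from this procedure, written from the [edit] level.
SAMPLE = """\
set interfaces fe-0/0/0 unit 0 family inet filter input webFilter
set interfaces fe-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces fe-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces fe-0/0/2 unit 0 family inet address 203.0.113.1/24
set firewall family inet filter webFilter term 1 from destination-port http
set firewall family inet filter webFilter term 1 from destination-port https
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set routing-options interface-routes rib-group inet FBF-rib
"""

def audit_fbf(config):
    """Return a list of findings for an FBF configuration given as 'set' lines."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    def grab(pattern):
        return [m.groups() for l in lines if (m := re.fullmatch(pattern, l))]
    attached = {f for (f,) in grab(r"set interfaces \S+ unit \d+ family inet filter input (\S+)")}
    redirects = grab(r"set firewall family inet filter (\S+) term \S+ then routing-instance (\S+)")
    forwarding = {i for (i,) in grab(r"set routing-instances (\S+) instance-type forwarding")}
    routed = {i for (i,) in grab(r"set routing-instances (\S+) routing-options static route \S+ next-hop \S+")}
    imports = {}
    for group, rib in grab(r"set routing-options rib-groups (\S+) import-rib (\S+)"):
        imports.setdefault(group, []).append(rib)
    applied = {g for (g,) in grab(r"set routing-options interface-routes rib-group inet (\S+)")}
    # Tables that actually receive interface routes: members of an applied RIB group.
    shared = {rib for g in applied for rib in imports.get(g, [])}
    findings = []
    for filt, inst in redirects:
        if filt not in attached:
            findings.append(f"filter {filt} is not attached to any interface")
        if inst not in forwarding:
            findings.append(f"routing instance {inst} is not instance-type forwarding")
        if inst not in routed:
            findings.append(f"routing instance {inst} has no static route")
        if not {"inet.0", f"{inst}.inet.0"} <= shared:
            findings.append(f"{inst}.inet.0 does not receive interface routes from inet.0")
    return findings
```

An empty list means every redirect in the filter has an attached filter, a forwarding instance with a route, and shared interface routes. Running it against a candidate configuration before commit catches a redirect whose next hop cannot resolve.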
Results
From configuration mode, confirm your configuration by entering the show firewall, show routing-instances, show routing-options, and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.