Example: Configuring Filter-Based Forwarding

 

Filter-based forwarding (FBF), which is also called policy-based routing (PBR), provides a simple but powerful way to route IP traffic to different interfaces on the basis of Layer 3 or Layer 4 parameters.

FBF works by using match conditions in a firewall filter to select certain traffic and then direct it to a given routing instance that points to the desired next hop. To ensure the next hop is resolvable, interface routes from the main routing table are shared via RIB group with the routing table(s) specified in the routing instance(s).

Match conditions can include the source or destination IP address, source or destination port, IP protocol, DSCP value, TCP flag, ICMP type, and packet length.

Requirements

This example has the following hardware and software requirements:

  • MX Series 5G Universal Routing Platform as the routing device with the firewall filter configured.

  • Junos OS Release 13.3 or later running on the routing device with the firewall filter configured.

Overview

This example shows the configuration settings you need to set up filter-based forwarding on a single device. Figure 1 shows the ingress and egress interfaces on an MX Series router and illustrates the logical flow of events as packets traverse the device.

Figure 1: Filter-Based Forwarding to Specified Interfaces

A firewall filter called webFilter is attached to the ingress interface, fe-0/0/0. Packets arriving over the interface are evaluated against the match conditions specified in the filter, the logic of which directs HTTP and HTTPS traffic to a routing instance called webtraffic. This routing instance accomplishes three things: first, it establishes a routing table called webtraffic.inet.0; second, it lets you define a static route and next hop; and third, it lets you configure the instance for forwarding traffic to the next hop (here, 192.0.2.2 on interface fe-0/0/1).

Term 2 in the firewall filter, then accept, specifies that all non-matching traffic take a different path. We define a static route with next hop of 203.0.113.2 to have this traffic egress the device via fe-0/0/2. The route is automatically installed in the master routing table, inet.0.

The last (logical) step in setting up FBF is to ensure that both routes are resolvable. The RIB group (FBF-rib in this example) makes it so interface-routes from inet.0 can be shared with webtraffic.inet.0.

For examples that focus on a specific use case or multi-device topologies, see the Related Topics.

Configuration

CLI Quick Configuration

Both copy-paste and step-by-step instructions for creating filter-based forwarding on a single device are provided.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

Configure a device for filter-based forwarding

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the device:

  1. Configure the inbound interface and attach the webFilter firewall filter to it.
  2. Configure the outbound interfaces, one for Web traffic and the other for all other traffic.
  3. Configure the firewall filter to pass Web traffic to the webtraffic routing instance and all other traffic to 203.0.113.1.
  4. Optional: Monitor traffic handling of the firewall filter by adding a counter.
  5. Create the webtraffic routing instance and configure it to forward Web traffic to fe-0/0/1.
  6. Create a route for non-Web traffic (the route is automatically installed in the inet.0 routing table).
  7. Create a RIB group called FBF-rib, and configure it so inet.0 shares interface routes with webtraffic.inet.0, and then associate a routing table group with the routing device’s interfaces, and specify routing table groups into which interface routes are imported.
  8. Associate a routing table group with the routing device’s interfaces, and specify routing table groups into which interface routes are imported.
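
One way the eight steps above map to Junos set commands, as an added example rather than the configuration from the original page. The interface addresses and /24 prefix lengths, the default-route prefixes, the counter name web-count, and the protocol tcp match are assumptions; the interface, filter, instance, and RIB group names and the two next hops come from the Overview.

```junos
# Step 1: inbound interface with webFilter applied on input
# (198.51.100.1/24 is a constructed sample address)
set interfaces fe-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces fe-0/0/0 unit 0 family inet filter input webFilter

# Step 2: outbound interfaces (addresses assumed to sit in the next-hop subnets)
set interfaces fe-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces fe-0/0/2 unit 0 family inet address 203.0.113.1/24

# Step 3: term 1 steers HTTP/HTTPS to the webtraffic instance; term 2 accepts
# everything else so it follows inet.0. "protocol tcp" is added here so the
# port match is not evaluated against non-TCP packets.
set firewall family inet filter webFilter term 1 from protocol tcp
set firewall family inet filter webFilter term 1 from destination-port http
set firewall family inet filter webFilter term 1 from destination-port https
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept

# Step 4 (optional): count packets steered by term 1 (counter name is hypothetical)
set firewall family inet filter webFilter term 1 then count web-count

# Step 5: forwarding instance whose table is webtraffic.inet.0
set routing-instances webtraffic instance-type forwarding
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2

# Step 6: route for non-Web traffic, installed in inet.0
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2

# Steps 7 and 8: share interface routes from inet.0 with webtraffic.inet.0
# so that 192.0.2.2 resolves inside the forwarding instance
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set routing-options interface-routes rib-group inet FBF-rib
```

After the commit, show route table webtraffic.inet.0 should list the fe-0/0/1 direct route next to the static route, and show firewall filter webFilter reports the counter. If the direct route is missing, the RIB group is not being applied and the static next hop in the instance cannot resolve.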

Results

From configuration mode, confirm your configuration by entering the show firewall, show routing-instances, show routing-options, and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.