
Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device

This example describes how to set up filter-based forwarding on EX Series switches or a QFX10000. You can configure filter-based forwarding by using a firewall filter to forward matched traffic to a specific virtual routing instance.

Requirements

This example applies to both EX Series switches running Junos OS Release 9.4 or later, and QFX10000 switches running Junos OS Release 15.1X53-D10 or later.

Overview and Topology

In this example, we create a firewall filter that matches traffic sent from one application server to another, keyed on the destination address (192.168.0.1) of packets egressing the source application server. Matching packets are routed to a virtual routing instance that forwards them to a security device, which in turn forwards them on to the destination application server.

Note

Filter-based forwarding does not work with IPv6 interfaces on some Juniper switches.

Configuration

To configure filter-based forwarding:

CLI Quick Configuration

To use this example on your own device, copy the following commands into a text file, remove the line breaks, and change the necessary details to fit your configuration. Then copy and paste the commands into your CLI at the [edit] hierarchy level.

[edit]
set interfaces xe-0/0/0 unit 0 family inet address 10.1.0.1/24
set interfaces xe-0/0/3 unit 0 family inet address 10.1.3.1/24
set firewall family inet filter f1 term t1 from source-address 10.1.0.50/32
set firewall family inet filter f1 term t1 from protocol tcp
set interfaces xe-0/0/0 unit 0 family inet filter input f1
set routing-instances vrf01 instance-type virtual-router
set routing-instances vrf01 interface xe-0/0/3.0
set routing-instances vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
set firewall family inet filter f1 term t1 then routing-instance vrf01



Step-by-Step Procedure

To configure filter-based forwarding:

  1. Configure an interface to connect to the application server:
    [edit interfaces]

    user@switch# set xe-0/0/0 unit 0 family inet address 10.1.0.1/24
  2. Configure an interface to connect to the security device:
    [edit interfaces]

    user@switch# set xe-0/0/3 unit 0 family inet address 10.1.3.1/24
  3. Create a firewall filter that matches packets based on the address of the application server that the traffic will be sent from. Also configure the filter so that it matches only TCP packets:
    [edit firewall]

    user@switch# set family inet filter f1 term t1 from source-address 10.1.0.50/32

    user@switch# set family inet filter f1 term t1 from protocol tcp
  4. Apply the filter to the interface that connects to the source application server and configure it to match incoming packets:
    [edit interfaces]

    user@switch# set xe-0/0/0 unit 0 family inet filter input f1
  5. Create a virtual router:
    [edit]

    user@switch# set routing-instances vrf01 instance-type virtual-router
  6. Associate the virtual router with the interface that connects to the security device:
    [edit routing-instances]

    user@switch# set vrf01 interface xe-0/0/3.0
  7. Configure the routing information for the virtual routing instance:
    [edit routing-instances]

    user@switch# set vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
  8. Set the filter to forward packets to the virtual router:
    [edit firewall]

    user@switch# set family inet filter f1 term t1 then routing-instance vrf01
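The following Python script is an added configuration check, not part of the Juniper example. It parses the set commands from the CLI Quick Configuration above (embedded as constructed input) and verifies the properties that filter-based forwarding relies on to actually steer traffic through the security device: the filter carrying the routing-instance action is applied as an input filter, the routing instance owns an addressed interface, and the static route's next hop (the security device) lies on one of that instance's subnets. Function names are the script's own.

```python
import ipaddress
# Constructed input: the page's CLI Quick Configuration, one "set" command per line.
FBF_CONFIG = """\
set interfaces xe-0/0/0 unit 0 family inet address 10.1.0.1/24
set interfaces xe-0/0/3 unit 0 family inet address 10.1.3.1/24
set firewall family inet filter f1 term t1 from source-address 10.1.0.50/32
set firewall family inet filter f1 term t1 from protocol tcp
set interfaces xe-0/0/0 unit 0 family inet filter input f1
set routing-instances vrf01 instance-type virtual-router
set routing-instances vrf01 interface xe-0/0/3.0
set routing-instances vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
set firewall family inet filter f1 term t1 then routing-instance vrf01
"""

def parse_set_commands(text):
    # Collect only what filter-based forwarding depends on; everything else is ignored.
    addrs, vrf_ifls, routes, actions, bindings = {}, {}, {}, {}, {}
    for line in text.splitlines():
        w = line.split()
        if w[:2] == ["set", "interfaces"] and "address" in w:
            addrs[f"{w[2]}.{w[4]}"] = ipaddress.ip_interface(w[w.index("address") + 1])
        elif w[:2] == ["set", "interfaces"] and "filter" in w:
            bindings[w[-1]] = (f"{w[2]}.{w[4]}", w[-2])  # filter -> (ifl, direction)
        elif w[:2] == ["set", "routing-instances"] and w[3:4] == ["interface"]:
            vrf_ifls.setdefault(w[2], []).append(w[4])
        elif w[:2] == ["set", "routing-instances"] and "static" in w:
            prefix = ipaddress.ip_network(w[w.index("route") + 1], strict=False)
            routes.setdefault(w[2], []).append((prefix, ipaddress.ip_address(w[-1])))
        elif w[:2] == ["set", "firewall"] and w[-2] == "routing-instance":
            actions[w[5]] = w[-1]  # filter name -> routing instance
    return addrs, vrf_ifls, routes, actions, bindings

def check_fbf(text, destination):
    # Return the findings that would let traffic for `destination` miss the security device.
    addrs, vrf_ifls, routes, actions, bindings = parse_set_commands(text)
    dst, findings = ipaddress.ip_address(destination), []
    for flt, inst in actions.items():
        if bindings.get(flt, ("", ""))[1] != "input":
            findings.append(f"filter {flt} is not applied as an input filter")
        # The next hop must sit on a subnet of an interface the instance owns, else unresolvable.
        nets = [addrs[i].network for i in vrf_ifls.get(inst, []) if i in addrs]
        hops = [nh for pfx, nh in routes.get(inst, []) if dst in pfx]
        if not nets:
            findings.append(f"routing instance {inst} has no addressed interface")
        elif not hops:
            findings.append(f"{inst} has no route covering {dst}")
        elif not any(nh in n for nh in hops for n in nets):
            findings.append(f"next hop {hops[0]} is not on an interface of {inst}")
    return findings
```

Run `check_fbf(FBF_CONFIG, "192.168.0.1")` against the page's configuration to get an empty list; editing a single line (a wrong next hop, an output instead of input binding, or a missing instance interface) produces a finding naming the broken piece.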

Results

Check the results of the configuration:

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying That Filter-Based Forwarding Was Configured

Purpose

Verify that filter-based forwarding was properly enabled on the switch.

Action

  1. Use the show interfaces filters command:
    user@switch> show interfaces filters xe-0/0/0.0
  2. Use the show route forwarding-table command:

Meaning

The output indicates that the filter was created on the interface and that the virtual routing instance is forwarding matching traffic to the correct IP address.