
    Example: Filtering Web Content on Multiple Service PICs Using an Aggregated Multiservices Interface

    This example shows how to configure a URL filter on multiple service PICs using an aggregated multiservices (ams) interface.

    Requirements

    This example uses the following hardware and software components:

    • An MX Series router running Junos OS Release 17.2R1 or later.

    Overview

    Suppose you need to block certain Web content based on URLs. Place the URL filter database file on the router in the /var/db/url-filterd directory. With this configuration, you can then create a profile and template that block user access to certain IP addresses resolved from that database file. In this case, users will simply not be able to find the blocked locations. This example shows the configuration for the ams interface throughout.

    URL Filtering Configuration

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces ams1 traceoptions flag all
    set interfaces ams1 load-balancing-options member-interface mams-2/0/0
    set interfaces ams1 load-balancing-options member-interface mams-2/1/0
    set interfaces ams1 load-balancing-options member-interface mams-2/2/0
    set interfaces ams1 load-balancing-options member-interface mams-2/3/0
    set interfaces ams1 load-balancing-options high-availability-options many-to-one preferred-backup mams-2/1/0
    set interfaces ams1 services-options syslog host local services any
    set interfaces ams1 services-options syslog host local log-prefix ams1
    set interfaces ams1 unit 1 family inet
    set interfaces ams1 unit 1 family inet6
    set interfaces ams1 unit 1 service-domain inside
    set interfaces ams1 unit 1 load-balancing-options hash-keys ingress-key destination-ip
    set interfaces ams1 unit 1 load-balancing-options hash-keys ingress-key source-ip
    set interfaces ams1 unit 2 family inet
    set interfaces ams1 unit 2 family inet6
    set interfaces ams1 unit 2 service-domain outside
    set interfaces ams1 unit 2 load-balancing-options hash-keys ingress-key source-ip
    set interfaces ams1 unit 2 load-balancing-options hash-keys ingress-key destination-ip
    set chassis fpc 2 pic 0 adaptive-services service-package extension-provider package jservices-urlf
    set chassis fpc 2 pic 0 adaptive-services service-package extension-provider syslog daemon any
    set chassis fpc 2 pic 0 adaptive-services service-package extension-provider syslog external any
    set chassis fpc 2 pic 1 adaptive-services service-package extension-provider package jservices-urlf
    set chassis fpc 2 pic 1 adaptive-services service-package extension-provider syslog daemon any
    set chassis fpc 2 pic 1 adaptive-services service-package extension-provider syslog external any
    set chassis fpc 2 pic 2 adaptive-services service-package extension-provider package jservices-urlf
    set chassis fpc 2 pic 2 adaptive-services service-package extension-provider syslog daemon any
    set chassis fpc 2 pic 2 adaptive-services service-package extension-provider syslog external any
    set chassis fpc 2 pic 3 adaptive-services service-package extension-provider package jservices-urlf
    set chassis fpc 2 pic 3 adaptive-services service-package extension-provider syslog daemon any
    set chassis fpc 2 pic 3 adaptive-services service-package extension-provider syslog external any
    set services service-set URL_SSET_1 url-filter-profile profile1
    set services service-set URL_SSET_1 next-hop-service inside-service-interface ams1.1
    set services service-set URL_SSET_1 next-hop-service outside-service-interface ams1.2
    set services url-filter profile profile1 url-filter-database url_db_global.txt
    set services url-filter profile profile1 template template1 client-interfaces ge-3/0/4.0
    set services url-filter profile profile1 template template1 server-interfaces ge-3/0/8.0
    set services url-filter profile profile1 template template1 dns-source-interface ge-3/0/8.0
    set services url-filter profile profile1 template template1 dns-routing-instance data_vr
    set services url-filter profile profile1 template template1 routing-instance data_vr
    set services url-filter profile profile1 template template1 dns-server 50.50.50.50
    set services url-filter profile profile1 template template1 dns-resolution-interval 300
    set services url-filter profile profile1 template template1 dns-retries 3
    set services url-filter profile profile1 template template1 dns-resolution-rate 50
    set services url-filter profile profile1 template template1 url-filter-database url_db_local.txt
    set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 40.0.0.0/8
    set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 39.0.0.0/8
    set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 120.0.0.0/8
    set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 400::0/34
    set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 401::0/34
    set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 402::0/34
    set services url-filter profile profile1 template template1 term term1 then tcp-reset
    set services url-filter traceoptions file url_trace
    set services url-filter traceoptions file size 1g
    set services url-filter traceoptions level all
    set services url-filter traceoptions flag all

    Step-by-Step Procedure

    Here’s the step-by-step breakdown of the URL filtering configuration example.

    To configure the URL filter:

    1. Configure the ams interface. For more information, see Example: Configuring Next-Hop Style Services on an Aggregated Multiservices Interface.
      set interfaces ams1 load-balancing-options member-interface mams-2/0/0
      set interfaces ams1 load-balancing-options member-interface mams-2/1/0
      set interfaces ams1 load-balancing-options member-interface mams-2/2/0
      set interfaces ams1 load-balancing-options member-interface mams-2/3/0
      set interfaces ams1 load-balancing-options high-availability-options many-to-one preferred-backup mams-2/1/0
      set interfaces ams1 services-options syslog host local services any
      set interfaces ams1 services-options syslog host local log-prefix ams1
      set interfaces ams1 unit 1 family inet
      set interfaces ams1 unit 1 family inet6
      set interfaces ams1 unit 1 service-domain inside
      set interfaces ams1 unit 1 load-balancing-options hash-keys ingress-key destination-ip
      set interfaces ams1 unit 1 load-balancing-options hash-keys ingress-key source-ip
      set interfaces ams1 unit 2 family inet
      set interfaces ams1 unit 2 family inet6
      set interfaces ams1 unit 2 service-domain outside
      set interfaces ams1 unit 2 load-balancing-options hash-keys ingress-key source-ip
      set interfaces ams1 unit 2 load-balancing-options hash-keys ingress-key destination-ip

      Member interfaces of the AMS interface are denoted by the prefix mams.

      When you configure services-options at the AMS interface level, the options apply to all member interfaces for the AMS interface.

      The next-hop style services configuration on AMS interfaces requires that the load-balancing hash keys be defined as part of the logical unit configuration of the AMS interface.

    2. Configure the jservices-urlf package.
      set chassis fpc 2 pic 0 adaptive-services service-package extension-provider package jservices-urlf

      Repeat this step for each PIC.

    3. (Optional) You can also configure the syslog statement at the same hierarchy level as the package statement to enable system logging to log messages on the service PIC.
      set chassis fpc 2 pic 0 adaptive-services service-package extension-provider syslog daemon any

      The system log information is passed to the kernel for logging in the /var/log directory.

      Repeat this step for each PIC.

    4. Create a service set and a URL filtering profile.
      set services service-set URL_SSET_1 url-filter-profile profile1
      set services service-set URL_SSET_1 next-hop-service inside-service-interface ams1.1
      set services service-set URL_SSET_1 next-hop-service outside-service-interface ams1.2
    5. Configure the URL filter database for the profile.
      set services url-filter profile profile1 url-filter-database url_db_global.txt
    6. Configure a template.
      set services url-filter profile profile1 template template1 client-interfaces ge-3/0/4.0
      set services url-filter profile profile1 template template1 server-interfaces ge-3/0/8.0
      set services url-filter profile profile1 template template1 dns-source-interface ge-3/0/8.0
      set services url-filter profile profile1 template template1 dns-routing-instance data_vr
      set services url-filter profile profile1 template template1 routing-instance data_vr
      set services url-filter profile profile1 template template1 dns-server 50.50.50.50
      set services url-filter profile profile1 template template1 dns-resolution-interval 300
      set services url-filter profile profile1 template template1 dns-retries 3
      set services url-filter profile profile1 template template1 dns-resolution-rate 50
      set services url-filter profile profile1 template template1 url-filter-database url_db_local.txt
      set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 40.0.0.0/8
      set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 39.0.0.0/8
      set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 120.0.0.0/8
      set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 400::0/34
      set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 401::0/34
      set services url-filter profile profile1 template template1 term term1 from src-ip-prefix 402::0/34
      set services url-filter profile profile1 template template1 term term1 then tcp-reset

      You can configure other templates as needed.

    7. Set traceoptions if you wish.
      set interfaces ams1 traceoptions flag all
      set services url-filter traceoptions file url_trace
      set services url-filter traceoptions file size 1g
      set services url-filter traceoptions level all
      set services url-filter traceoptions flag all
      set chassis fpc 2 pic 0 adaptive-services service-package extension-provider syslog daemon any

      You need to repeat the last command for each PIC.
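
    Steps 2 and 3 must be repeated for each PIC, which is easy to miss on one member. The following off-box check is an added example, not part of the Juniper documentation: it reads set-format configuration and lists ams member PICs that lack the jservices-urlf package statement. It assumes that member interface mams-F/P/0 is the PIC at fpc F pic P, as the numbering in this example suggests; the function names are hypothetical.

```python
import re

# Constructed sample based on the page's commands; the package statement for
# FPC 2 PIC 3 is left out on purpose so the check has something to report.
SAMPLE_CONFIG = """\
set interfaces ams1 load-balancing-options member-interface mams-2/0/0
set interfaces ams1 load-balancing-options member-interface mams-2/1/0
set interfaces ams1 load-balancing-options member-interface mams-2/2/0
set interfaces ams1 load-balancing-options member-interface mams-2/3/0
set chassis fpc 2 pic 0 adaptive-services service-package extension-provider package jservices-urlf
set chassis fpc 2 pic 1 adaptive-services service-package extension-provider package jservices-urlf
set chassis fpc 2 pic 2 adaptive-services service-package extension-provider package jservices-urlf
set chassis fpc 2 pic 3 adaptive-services service-package extension-provider syslog daemon any
"""

# Assumption: member interface mams-F/P/0 is the service PIC at fpc F pic P,
# as the page's own numbering (mams-2/0/0 .. 2/3/0, fpc 2 pic 0 .. 3) suggests.
MEMBER_RE = re.compile(
    r"set interfaces (\S+) load-balancing-options member-interface mams-(\d+)/(\d+)/\d+")
PACKAGE_RE = re.compile(
    r"set chassis fpc (\d+) pic (\d+) adaptive-services service-package "
    r"extension-provider package (\S+)")


def member_pics(config, ams):
    """(fpc, pic) of every mams member interface of the named ams interface."""
    hits = (MEMBER_RE.fullmatch(l.strip()) for l in config.splitlines())
    return {(int(m[2]), int(m[3])) for m in hits if m and m[1] == ams}


def pics_with_package(config, package):
    """(fpc, pic) of every PIC that has the given extension-provider package."""
    hits = (PACKAGE_RE.fullmatch(l.strip()) for l in config.splitlines())
    return {(int(m[1]), int(m[2])) for m in hits if m and m[3] == package}


def missing_package(config, ams, package="jservices-urlf"):
    """Member PICs of the ams interface that lack the package statement."""
    return sorted(member_pics(config, ams) - pics_with_package(config, package))


if __name__ == "__main__":
    for fpc, pic in missing_package(SAMPLE_CONFIG, "ams1"):
        print(f"fpc {fpc} pic {pic}: jservices-urlf not configured")
```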

    Verification

    Confirm that the configuration is working properly.

    Verifying Domain Name System Resolution

    Purpose

    Display URL filter domain name system (DNS) resolution information.

    Action

    Use the show services url-filter dns-resolution command.

    user@host> show services url-filter dns-resolution profile profile1 template template1
    URL filtering DNS resolution:
    Profile: profile1
    Template: template1
    
     1). Filter Term: URLF_template1_0001
     
          IPv4 Address Count: 4 
          IPv6 Address Count: 4 
    
        1 ). Domain Name: www.facebook.com
     
               IPv4 Records:
                   50.0.0.7
    
               IPv6 Records:
                  500::5
    
        2 ). Domain Name: www.google.com
     
               IPv4 Records:
                  50.0.0.5
    
               IPv6 Records:
                  500::7
    
        3 ). Domain Name: www.twitter.com
     
               IPv4 Records:
                  50.0.0.5
    
               IPv6 Records:
                  500::6
                                            
        4 ). Domain Name: www.malayalam.com
     
               IPv4 Records:
                  50.0.0.9
    
               IPv6 Records:
                  500::7
    

    Verifying URL Filtering Statistics

    Purpose

    Display URL filter statistics.

    Action

    Use the show services url-filter dns-resolution-statistics command.

    user@host> show services url-filter dns-resolution-statistics profile profile1 template template1 summary
     URL filtering DNS resolution statistics:
    Profile: profile1
    Template: template1
    
         DNS start time                      : May 09 01:55:07 PDT
         Next DNS start time                 : May 09 06:55:07 PDT 
         Number of resolved A domains        : 4
         Number of resolved AAAA domains     : 4
         Number of unresolved A domains      : 24
         Number of unresolved AAAA domains   : 24
         Number of requests sent             : 200
         Number of responses received        : 8
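
    The summary above shows 4 resolved and 24 unresolved domains per record type, and 8 responses for 200 requests. Because the filter blocks the IP addresses resolved from the database file, entries that do not resolve add no addresses to the filter term. The following added example (not part of the Juniper documentation) parses that output and reports low resolution ratios; the 0.9 threshold and the function names are assumptions.

```python
# Output copied from the page's "show services url-filter
# dns-resolution-statistics ... summary" example.
SAMPLE_OUTPUT = """\
 URL filtering DNS resolution statistics:
Profile: profile1
Template: template1

     DNS start time                      : May 09 01:55:07 PDT
     Next DNS start time                 : May 09 06:55:07 PDT
     Number of resolved A domains        : 4
     Number of resolved AAAA domains     : 4
     Number of unresolved A domains      : 24
     Number of unresolved AAAA domains   : 24
     Number of requests sent             : 200
     Number of responses received        : 8
"""


def parse_stats(text):
    """Map each 'name : value' line to a dict; counters become ints."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # split at the first colon only
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue  # blank line or section heading
        stats[key] = int(value) if value.isdigit() else value
    return stats


def resolution_gaps(stats, min_ratio=0.9):
    """Return (name, good, total) for every ratio below min_ratio
    (hypothetical threshold, tune it per deployment)."""
    findings = []
    for rtype in ("A", "AAAA"):
        ok = stats[f"Number of resolved {rtype} domains"]
        total = ok + stats[f"Number of unresolved {rtype} domains"]
        if total and ok / total < min_ratio:
            findings.append((rtype, ok, total))
    sent = stats["Number of requests sent"]
    got = stats["Number of responses received"]
    if sent and got / sent < min_ratio:
        findings.append(("responses", got, sent))
    return findings


if __name__ == "__main__":
    for name, good, total in resolution_gaps(parse_stats(SAMPLE_OUTPUT)):
        print(f"{name}: {good}/{total} resolved or answered")
```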
    

    Use the show services url-filter statistics command.

    user@host> show services url-filter statistics profile profile1 template template1
    URL filtering action counters:
    
    
    Accept session count                : 0
    Accept uplink packet count          : 0
    Accept uplink bytes                 : 0
    Accept downlink packet count        : 0
    Accept downlink bytes               : 0
    
    Custom page session count           : 0
    Custom page uplink packet count     : 0
    Custom page uplink bytes            : 0
    Custom page downlink packet count   : 0
    Custom page downlink bytes          : 0
    
    Http scode session count            : 0
    Http scode uplink packet count      : 0
    Http scode uplink bytes             : 0
    Http scode dowlink packet count     : 0
    Http scode downlink bytes           : 0
    
    Redirect url session count          : 0
    Redirect url uplink packet count    : 0
    Redirect url uplink bytes           : 0
    Redirect url downlink packet count  : 0
    Redirect url downlink bytes         : 0
    
    Tcp reset session count             : 312217
    Tcp reset uplink packet count       : 936651
    Tcp reset uplink bytes              : 157975653
    Tcp reset downlink packet count     : 624434
    Tcp reset downlink bytes            : 29972832
    

    Modified: 2017-05-18