Applying Forwarding Table Filters

 

A forwarding table filter allows you to filter data packets based on their components and perform an action on packets that match the filter. You can apply a filter on the ingress or egress packets of a forwarding table. You configure the filter at the [edit firewall family family-name] hierarchy level; for more information, see Configuring Forwarding Table Filters.

To apply a forwarding table filter on ingress packets of a forwarding table, include the filter and input statements at the [edit forwarding-options family family-name] hierarchy level:

You can filter based upon destination-class information by applying a firewall filter on the egress packets of the forwarding table. By applying firewall filters to packets that have been forwarded by a routing table, you can match based on certain parameters that are decided by the route lookup. For example, routes can be classified into specific destination and source classes. Firewall filters used for policing and mirroring are able to match based upon these classes.

To apply a firewall filter on egress packets of a forwarding table, include the filter and output statements at the [edit forwarding-options family family-name] hierarchy level:

Note

You cannot have a firewall filter that includes an interface-group match condition if you are also using an egress forwarding table filter. This is because the interface-group match condition uses the logical interface on which the packet was received to match the interface group (or set of interface groups), while the forwarding table filters apply only to local host traffic and transit packets.

To apply a forwarding table filter to a flood table, include the flood and input statements at the [edit forwarding-options family family-name] hierarchy level as shown below. The flood statement is valid for the vpls protocol family only.

On the MX Series router only, to apply a forwarding table filter for a virtual switch, include the filter and input statements at the [edit routing-instances routing-instance-name bridge-domains bridge-domain-name forwarding-options] hierarchy level:

For more information about how to configure a virtual switch, see the Junos OS Layer 2 Switching and Bridging Library.

On MX Series 3D Universal Edge Routers, you can apply a forwarding table filter by using the source-checking statement at the [edit forwarding-options family inet6] hierarchy level:

This discards IPv6 packets when the source address type is unspecified, loopback, multicast or link-local.

RFC 4291, IP Version 6 Addressing Architecture, refers to four address types that require special treatment when they are used as source addresses. The four address types are:

  • Unspecified

  • Loopback

  • Multicast

  • Link-Local Unicast

The loopback and multicast addresses must never be used as a source address in IPv6 packets. The unspecified and link-local addresses can be used as source addresses but routers must never forward packets that have these addresses as source addresses. Typically, packets that contain unspecified or link-local addresses as source addresses are delivered to the local host. If the destination is not the local host, then the packet must not be forwarded. Configuring this statement filters or discards IPv6 packets of these four address types.
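
The four address types above correspond to fixed RFC 4291 prefixes. The following Python example is added here and is not Juniper code or part of the original page: it checks (source, destination) flow pairs and reports which sources fall into the four types, which shows what a source check of this kind would discard before you enable it. The function names and the sample flows are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# RFC 4291 prefixes for the four source address types named above, with the
# rule the text gives for each. The prefixes do not overlap.
SPECIAL_SOURCES = (
    ("unspecified", ipaddress.ip_network("::/128"), "never forwarded"),
    ("loopback", ipaddress.ip_network("::1/128"), "never a valid source"),
    ("multicast", ipaddress.ip_network("ff00::/8"), "never a valid source"),
    ("link-local", ipaddress.ip_network("fe80::/10"), "never forwarded"),
)


def source_type(addr):
    """Return (type, rule) for a special source address, else None."""
    # Drop a zone identifier such as "%ge-0/0/0" before parsing.
    ip = ipaddress.IPv6Address(addr.split("%")[0])
    for name, net, rule in SPECIAL_SOURCES:
        if ip in net:
            return name, rule
    return None


def audit(flows):
    """flows: iterable of (src, dst) strings.
    Return (flagged, counts): flows whose source is one of the four types,
    and a per-type count."""
    flagged, counts = [], Counter()
    for src, dst in flows:
        hit = source_type(src)
        if hit:
            flagged.append((src, dst) + hit)
            counts[hit[0]] += 1
    return flagged, counts


# Constructed sample flows (2001:db8::/32 is the documentation prefix).
SAMPLE_FLOWS = [
    ("2001:db8:1::10", "2001:db8:2::20"),    # ordinary global source
    ("fe80::1%ge-0/0/0", "2001:db8:2::20"),  # link-local, off-link destination
    ("::", "2001:db8:2::20"),                # unspecified
    ("::1", "2001:db8:2::20"),               # loopback
    ("ff02::1", "2001:db8:2::20"),           # multicast
    ("febf::5", "2001:db8:2::20"),           # top of fe80::/10
    ("fec0::5", "2001:db8:2::20"),           # just outside fe80::/10
]

if __name__ == "__main__":
    flagged, counts = audit(SAMPLE_FLOWS)
    for src, dst, kind, rule in flagged:
        print(f"discard src={src} dst={dst} type={kind} ({rule})")
    print(dict(counts))
```

Running the same check over exported flow records before enabling the statement shows which hosts are emitting these source addresses toward off-link destinations.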

Note

For T Series routers other than T4000, a packet forwarded by the forwarding table reaches the egress forwarding table filter irrespective of whether the packet is actually forwarded by the forwarding table or not. The packet reaches the egress filter even if the route points to reject or discard next hops.

On T4000 Type 5 Flexible PIC Concentrator (FPC), the packet reaches the egress filter only if it is forwarded by the forwarding table.

Note

The egress forwarding table filter is applied on the ingress interface of the FPC. If different packets to the same destination arrive on different FPCs, they might encounter different policers.

Note

In versions 14.2 and prior, the egress forwarding table filter is not supported for the J Series Service Routers.

Note

In Junos OS Release 8.4 and later, you can no longer configure this output statement for VPLS. You can continue to configure ingress forwarding table filters with the input statement at the [edit forwarding-options family vpls filter] hierarchy level.

Release History Table

  • In versions 14.2 and prior, the egress forwarding table filter is not supported for the J Series Service Routers.

  • In Junos OS Release 8.4 and later, you can no longer configure this output statement for VPLS.