Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device on EX Series Switches
Administrators can configure filter-based forwarding on an EX Series switch by using a firewall filter to forward matched traffic to a specific virtual routing instance.
This example describes how to set up filter-based forwarding:
Requirements
This example uses the following software and hardware components:
- One EX Series switch
- Junos OS Release 9.4 or later for EX Series switches
Overview and Topology
In this example, traffic from one application server that is destined for a different application server is matched by a firewall filter based on the IP address. Any matching packets are routed to a particular virtual routing instance that first sends all traffic to a security device, then forwards it to the designated destination address.
Configuration
To configure filter-based forwarding:
CLI Quick Configuration
To quickly create and configure filter-based forwarding, copy the following commands and paste them into the switch terminal window:
[edit] set interfaces ge-0/0/0
unit 0 family inet address 10.1.0.1/24
set interfaces ge-0/0/3
unit 0 family inet address 10.1.3.1/24
set firewall family inet
filter fil term t1 from source-address 1.1.1.1/32
set firewall family inet
filter fil term t1 from protocol tcp
set interfaces ge-0/0/0
unit 0 family inet filter input fil set routing-instances vrf01
instance-type virtual-router set routing-instances vrf01
interface ge-0/0/1.0 set routing-instances vrf01
interface ge-0/0/3.0 set routing-instances vrf01
routing-options static route 12.34.56.0/24 next-hop 10.1.3.254 set firewall family inet
filter fil term t1 then routing-instance vrf01
Step-by-Step Procedure
To configure filter-based forwarding:
- Create interfaces to the application servers:
[edit]
user@switch# set interfaces ge-0/0/0 unit 0 family inet address 10.1.0.1/24
user@switch# set interfaces ge-0/0/3 unit 0 family inet address 10.1.3.1/24 - Create a firewall filter that matches the correct source
address:
[edit]
user@switch# set firewall family inet filter fil term t1 from source-address 1.1.1.1/32
user@switch# set firewall family inet filter fil term t1 from protocol tcp - Associate the filter with the source application server’s
interface:
[edit]
user@switch# set interfaces ge-0/0/0 unit 0 family inet filter input fil - Create a virtual router:
[edit]
user@switch# set routing-instances vrf01 instance-type virtual-router - Associate the interfaces with the virtual router:
[edit]
user@switch# set routing-instances vrf01 interface ge-0/0/1.0
user@switch# set routing-instances vrf01 interface ge-0/0/3.0 - Configure the routing information for the virtual routing
instance:
[edit]
user@switch# set routing-instances vrf01 routing-options static route 12.34.56.0/24 next-hop 10.1.3.254 - Set the filter to forward packets to the virtual router
you created:
[edit]
user@switch# set firewall family inet filter fil term t1 then routing-instance vrf01
Results
Check the results of the configuration:
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That Filter-Based Forwarding Was Configured
Purpose
Verify that filter-based forwarding was properly enabled on the switch.
Action
- Use the show interfaces filters command:
user@switch> show interfaces filters ge-0/0/0.0Interface Admin Link Proto Input Filter Output Filter ge-0/0/0.0 up down inet fil
- Use the show route forwarding-table command:
user@switch> show route forwarding-tableRouting table: default.inet Internet: Destination Type RtRef Next hop Type Index NhRef Netif default user 1 0:12:f2:21:cf:0 ucst 331 4 me0.0 default perm 0 rjct 36 3 0.0.0.0/32 perm 0 dscd 34 1 10.1.0.0/24 ifdn 0 rslv 613 1 ge-0/0/0.0 10.1.0.0/32 iddn 0 10.1.0.0 recv 611 1 ge-0/0/0.0 10.1.0.1/32 user 0 rjct 36 3 10.1.0.1/32 intf 0 10.1.0.1 locl 612 2 10.1.0.1/32 iddn 0 10.1.0.1 locl 612 2 10.1.0.255/32 iddn 0 10.1.0.255 bcst 610 1 ge-0/0/0.0 10.1.1.0/26 ifdn 0 rslv 583 1 vlan.0 10.1.1.0/32 iddn 0 10.1.1.0 recv 581 1 vlan.0 10.1.1.1/32 user 0 rjct 36 3 10.1.1.1/32 intf 0 10.1.1.1 locl 582 2 10.1.1.1/32 iddn 0 10.1.1.1 locl 582 2 10.1.1.63/32 iddn 0 10.1.1.63 bcst 580 1 vlan.0 255.255.255.255/32 perm 0 bcst 32 1 Routing table: vrf01.inet Internet: Destination Type RtRef Next hop Type Index NhRef Netif default perm 0 rjct 559 2 0.0.0.0/32 perm 0 dscd 545 1 10.1.3.0/24 ifdn 0 rslv 617 1 ge-0/0/3.0 10.1.3.0/32 iddn 0 10.1.3.0 recv 615 1 ge-0/0/3.0 10.1.3.1/32 user 0 rjct 559 2 10.1.3.1/32 intf 0 10.1.3.1 locl 616 2 10.1.3.1/32 iddn 0 10.1.3.1 locl 616 2 10.1.3.255/32 iddn 0 10.1.3.255 bcst 614 1 ge-0/0/3.0 224.0.0.0/4 perm 0 mdsc 546 1 224.0.0.1/32 perm 0 224.0.0.1 mcst 529 1 255.255.255.255/32 perm 0 bcst 543 1 Routing table: default.iso ISO: Destination Type RtRef Next hop Type Index NhRef Netif default perm 0 rjct 60 1 Routing table: vrf01.iso ISO: Destination Type RtRef Next hop Type Index NhRef Netif default perm 0 rjct 600 1
Meaning
The output indicates that the filter was created on the interface and that the virtual routing instance is forwarding matching traffic to the correct IP address.
