
    Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device

    You can configure filter-based forwarding by using a firewall filter to forward matched traffic to a specific virtual routing instance.

    This example describes how to set up filter-based forwarding:

    Requirements

    This example requires Junos OS Release 12.2X50-D20 or later.

    Overview and Topology

    In this example, traffic from one application server that is destined for a different application server is matched by a firewall filter based on the IP address of the source application server. Any matching packets are routed to a virtual routing instance that sends the traffic to a security device. In this case, the security device must be able to forward the traffic to the destination application server. For this example, assume that the address of the destination application server is 192.168.0.1.

    Warning: Filter-based forwarding does not work with IPv6 interfaces on some Juniper switches.

    Configuration

    To configure filter-based forwarding:

    CLI Quick Configuration

    To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste them into the CLI at the [edit] hierarchy level.

    [edit]
    set interfaces xe-0/0/0 unit 0 family inet address 10.1.0.1/24
    set interfaces xe-0/0/3 unit 0 family inet address 10.1.3.1/24
    set firewall family inet filter f1 term t1 from source-address 10.1.0.50/32
    set firewall family inet filter f1 term t1 from protocol tcp
    set interfaces xe-0/0/0 unit 0 family inet filter input f1
    set routing-instances vrf01 instance-type virtual-router
    set routing-instances vrf01 interface xe-0/0/3.0
    set routing-instances vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
    set firewall family inet filter f1 term t1 then routing-instance vrf01

    Step-by-Step Procedure

    The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide. To configure filter-based forwarding:

    1. Configure an interface to connect to the application server:
      [edit interfaces]
      user@switch# set xe-0/0/0 unit 0 family inet address 10.1.0.1/24
    2. Configure an interface to connect to the security device:
      [edit interfaces]
      user@switch# set xe-0/0/3 unit 0 family inet address 10.1.3.1/24
    3. Create a firewall filter that matches packets based on the address of the application server that the traffic will be sent from. Also configure the filter so that it matches only TCP packets:
      [edit firewall]
      user@switch# set family inet filter f1 term t1 from source-address 10.1.0.50/32
      user@switch# set family inet filter f1 term t1 from protocol tcp
    4. Apply the filter to the interface that connects to the source application server and configure it to match incoming packets:
      [edit interfaces]
      user@switch# set xe-0/0/0 unit 0 family inet filter input f1
    5. Create a virtual router:
      [edit]
      user@switch# set routing-instances vrf01 instance-type virtual-router
    6. Associate the virtual router with the interface that connects to the security device:
      [edit routing-instances]
      user@switch# set vrf01 interface xe-0/0/3.0
    7. Configure the routing information for the virtual routing instance:
      [edit routing-instances]
      user@switch# set vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
    8. Set the filter to forward packets to the virtual router:
      [edit firewall]
      user@switch# set family inet filter f1 term t1 then routing-instance vrf01
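    As an added consistency check (not part of the original example or of Junos OS), the following Python script parses the set commands from this example and verifies that the redirect path is coherent: the filter applied on xe-0/0/0.0 redirects into vrf01, vrf01 has a route covering the destination server (assumed here to be 192.168.0.1, as in the overview) whose next hop lies on a subnet of an interface owned by vrf01. It also reports when the filter has no terminating accept term, because a Junos firewall filter ends with an implicit discard, so traffic on the ingress interface that does not match term t1 would be dropped rather than forwarded normally.

```python
import ipaddress

# Constructed sample: the set commands from this example, embedded so the
# check runs offline rather than being pulled from a live switch.
SET_COMMANDS = """\
set interfaces xe-0/0/0 unit 0 family inet address 10.1.0.1/24
set interfaces xe-0/0/3 unit 0 family inet address 10.1.3.1/24
set firewall family inet filter f1 term t1 from source-address 10.1.0.50/32
set firewall family inet filter f1 term t1 from protocol tcp
set interfaces xe-0/0/0 unit 0 family inet filter input f1
set routing-instances vrf01 instance-type virtual-router
set routing-instances vrf01 interface xe-0/0/3.0
set routing-instances vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
set firewall family inet filter f1 term t1 then routing-instance vrf01
"""

def check_fbf(commands, dest_server):
    """Return findings for the filter-based forwarding path to dest_server; [] means consistent."""
    dest = ipaddress.ip_address(dest_server)
    addrs, applied, inst_ifaces, routes, actions, accepts = {}, {}, {}, [], {}, set()
    for line in commands.strip().splitlines():
        t = line.split()
        if t[1] == "interfaces" and "address" in t:          # ifl -> its address/mask
            addrs[f"{t[2]}.{t[4]}"] = ipaddress.ip_interface(t[-1])
        elif t[1] == "interfaces" and "filter" in t:         # ifl -> (direction, filter)
            applied[f"{t[2]}.{t[4]}"] = (t[-2], t[-1])
        elif t[1] == "routing-instances" and t[3] == "interface":
            inst_ifaces.setdefault(t[2], set()).add(t[4])
        elif t[1] == "routing-instances" and "route" in t:   # (instance, prefix, next-hop)
            prefix = ipaddress.ip_network(t[t.index("route") + 1], strict=False)
            routes.append((t[2], prefix, ipaddress.ip_address(t[-1])))
        elif t[1] == "firewall" and "routing-instance" in t: # filter -> target instance
            actions[t[5]] = t[-1]
        elif t[1] == "firewall" and t[-1] == "accept":       # filters with an explicit accept
            accepts.add(t[5])
    findings = []
    for ifl, (direction, fname) in applied.items():
        inst = actions.get(fname)
        ifls = inst_ifaces.get(inst, set())
        hits = [(p, nh) for i, p, nh in routes if i == inst and dest in p]
        if not hits:
            findings.append(f"NOROUTE: filter {fname} gives no path in instance {inst} to {dest}")
        for prefix, nh in hits:   # next hop must be reachable out of an instance interface
            if not any(x in addrs and nh in addrs[x].network for x in ifls):
                findings.append(f"BADNH: next-hop {nh} for {prefix} is not on an interface of {inst}")
        if fname not in accepts:  # Junos ends every filter with an implicit discard
            findings.append(f"IMPLICITDISCARD: {direction} traffic on {ifl} not matching {fname} is dropped")
    return findings
```

    Run against the example as written, the only finding is the implicit-discard warning; adding a final term such as `set firewall family inet filter f1 term t2 then accept` clears it.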

    Results

    Check the results of the configuration:

    user@switch> show configuration
    interfaces {
        xe-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input f1;
                    }
                    address 10.1.0.1/24;
                }
            }
        }
        xe-0/0/3 {
            unit 0 {
                family inet {
                    address 10.1.3.1/24;
                }
            }
        }
    }
    firewall {
        family inet {
            filter f1 {
                term t1 {
                    from {
                        source-address {
                            10.1.0.50/32;
                        }
                        protocol tcp;
                    }
                    then {
                        routing-instance vrf01;
                    }
                }
            }
        }
    }
    routing-instances {
        vrf01 {
            instance-type virtual-router;
            interface xe-0/0/3.0;
            routing-options {
                static {
                    route 192.168.0.1/24 next-hop 10.1.3.254;
                }
            }
        }
    }

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying That Filter-Based Forwarding Was Configured

    Purpose

    Verify that filter-based forwarding was properly enabled on the switch.

    Action

    1. Use the show interfaces filters command:
      user@switch> show interfaces filters xe-0/0/0.0
      Interface        Admin Link Proto Input Filter         Output Filter
      xe-0/0/0.0       up    down inet f1
      
    2. Use the show route forwarding-table command:
      user@switch> show route forwarding-table
      Routing table: default.inet
      Internet:
      Destination        Type RtRef Next hop           Type Index NhRef Netif
      default            user     1 0:12:f2:21:cf:0    ucst   331     4 me0.0
      default            perm     0                    rjct    36     3
      0.0.0.0/32         perm     0                    dscd    34     1
      10.1.0.0/24        ifdn     0                    rslv   613     1 xe-0/0/0.0
      10.1.0.0/32        iddn     0 10.1.0.0           recv   611     1 xe-0/0/0.0
      10.1.0.1/32        user     0                    rjct    36     3
      10.1.0.1/32        intf     0 10.1.0.1           locl   612     2
      10.1.0.1/32        iddn     0 10.1.0.1           locl   612     2
      10.1.0.255/32      iddn     0 10.1.0.255         bcst   610     1 xe-0/0/0.0
      10.1.1.0/26        ifdn     0                    rslv   583     1 vlan.0
      10.1.1.0/32        iddn     0 10.1.1.0           recv   581     1 vlan.0
      10.1.1.1/32        user     0                    rjct    36     3
      10.1.1.1/32        intf     0 10.1.1.1           locl   582     2
      10.1.1.1/32        iddn     0 10.1.1.1           locl   582     2
      10.1.1.63/32       iddn     0 10.1.1.63          bcst   580     1 vlan.0
      255.255.255.255/32 perm     0                    bcst    32     1
      
      Routing table: vrf01.inet
      Internet:
      Destination        Type RtRef Next hop           Type Index NhRef Netif
      default            perm     0                    rjct   559     2
      0.0.0.0/32         perm     0                    dscd   545     1
      10.1.3.0/24        ifdn     0                    rslv   617     1 xe-0/0/3.0
      10.1.3.0/32        iddn     0 10.1.3.0           recv   615     1 xe-0/0/3.0
      10.1.3.1/32        user     0                    rjct   559     2
      192.168.0.1/24     user     0 10.1.3.254         ucst   616     2 xe-0/0/3.0
      10.1.3.255/32      iddn     0 10.1.3.255         bcst   614     1 xe-0/0/3.0
      224.0.0.0/4        perm     0                    mdsc   546     1
      224.0.0.1/32       perm     0 224.0.0.1          mcst   529     1
      255.255.255.255/32 perm     0                    bcst   543     1
      
      Routing table: default.iso
      ISO:
      Destination        Type RtRef Next hop           Type Index NhRef Netif
      default            perm     0                    rjct    60     1
      
      Routing table: vrf01.iso
      ISO:
      Destination        Type RtRef Next hop           Type Index NhRef Netif
      default            perm     0                    rjct   600     1

    Meaning

    The show interfaces filters output shows that f1 is applied as the input filter on xe-0/0/0.0, and the vrf01.inet forwarding table contains the route for the destination application server with next hop 10.1.3.254 out of xe-0/0/3.0, so traffic redirected by the filter is forwarded to the security device.

    Modified: 2015-12-17