Instead of using a firewall filter, you can forward traffic into an IPSec security association by using a filter-based forwarding instance. First, configure the filter-based forwarding instance. Then, configure a routing table group to advertise the routes from the filter-based forwarding instance. Next, create a firewall filter for the ES PIC that references the filter-based forwarding instance. Finally, apply the filter and the IPSec security association to the ES PIC. In the example below, the instance is named forwarding, so its routing table is forwarding.inet.0; the other lowercase hyphenated names (filter-name, term-name, group-name, sa-name, and so on) are placeholders.
# Filter-based forwarding into an IPSec security association on an ES PIC.
# Lowercase hyphenated names such as filter-name, term-name, group-name,
# sa-name and ip-address are placeholders to replace with site values.
[edit]
routing-instances {
    # Forwarding-type instance named "forwarding"; the rib-group below refers
    # to its table as forwarding.inet.0.
    forwarding {
        instance-type forwarding;
        routing-options {
            static {
                # Within this instance, 10.10.10.0/24 is reached through 192.168.0.5.
                route 10.10.10.0/24 next-hop 192.168.0.5;
            }
        }
    }
}
routing-options {
    rib-groups {
        group-name {
            # Names inet.0 and the instance table forwarding.inet.0 as import tables.
            # NOTE(review): this listing only defines the group; nothing shown here
            # references it (for example under interface-routes). Confirm it is
            # applied elsewhere, otherwise the next hop above may not resolve.
            import-rib [ inet.0 forwarding.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter filter-name {
            term term-name {
                # There is no "from" clause, so as written every packet this filter
                # evaluates takes this action; add match conditions if only selected
                # traffic should be steered through the instance.
                # NOTE(review): instance-name is presumably the "forwarding" instance
                # defined above - confirm before committing.
                then routing-instance instance-name;
            }
        }
    }
}
[edit]
interfaces {
    es-0/0/0 {
        unit 0 {
            # Tunnel endpoints for this logical interface.
            tunnel {
                source source-ip-address;
                destination destination-ip-address;
            }
            family inet {
                # Attaches the security association to this logical interface.
                ipsec-sa sa-name;
                filter {
                    # Input filter on the ES PIC; presumably the filter-name defined
                    # under "firewall" above - verify the names match.
                    input filter-name;
                }
                address ip-address;
            }
        }
    }
}