Configuring Forwarding Table Filters

The following sections describe these topics:

Overview of Forwarding Table Filters

Forwarding table filters are defined the same as other firewall filters, but you apply them differently:

All packets are subjected to the input forwarding table filter that applies to the forwarding table. A forwarding table filter controls which packets the router accepts and then subjects to a forwarding table lookup, thereby controlling which packets the router forwards on its interfaces.

When the router receives a packet, it determines the best route to the ultimate destination by looking in a forwarding table, which is associated with the VPN on which the packet is to be sent. The router then forwards the packet toward its destination through the appropriate interface.

Note: For transit packets exiting the router through the tunnel, forwarding table filtering is not supported on the interfaces you configure as the output interface for tunnel traffic.

Configuring a Forwarding Table Filter

A forwarding table filter allows you to filter data packets based on their components and to perform an action on packets that match the filter; it essentially controls which bearer packets the router accepts and forwards. To configure a forwarding table filter, include the firewall statement at the [edit] hierarchy level:

[edit]
firewall {
    family family-name {
        filter filter-name {
            term term-name {
                from {
                    match-conditions;
                }
                then {
                    action;
                    action-modifiers;
                }
            }
        }
    }
}

family-name is the family address type: IPv4 (inet), IPv6 (inet6), Layer 2 traffic (bridge), or MPLS (mpls).

term-name is a named structure in which match conditions and actions are defined.

match-conditions are the criteria against which a bearer packet is compared; for example, the IP address of a source device or a destination device. You can specify multiple criteria in a match condition.

action specifies what happens if a packet matches all criteria; for example, the gateway GPRS support node (GGSN) accepts the bearer packet, performs a lookup in the forwarding table, and forwards the packet to its destination; discards the packet; or discards the packet and returns a rejection message.

action-modifiers are actions that are taken in addition to the GGSN accepting or discarding a packet when all criteria match; for example, counting the packets and logging a packet.

For more detailed information about configuring filters, see Configuring Standard Firewall Filters.

To create a forwarding table, include the instance-type statement with the forwarding option at the [edit routing-instances instance-name] hierarchy level:

[edit]
routing-instances instance-name {
    instance-type forwarding;
}

To apply a forwarding table filter to a VPN routing and forwarding (VRF) table, include the filter and input statements at the [edit routing-instances instance-name forwarding-options family family-name] hierarchy level:

[edit routing-instances instance-name]
instance-type forwarding;
forwarding-options {
    family family-name {
        filter {
            input filter-name;
        }
    }
}

To apply a forwarding table filter to a forwarding table, include the filter and input statements at the [edit forwarding-options family family-name] hierarchy level:

[edit forwarding-options family family-name]
filter {
    input filter-name;
}

To apply a forwarding table filter to the default forwarding table inet.0, which is not associated with a specific routing instance, include the filter and input statements at the [edit forwarding-options family inet] hierarchy level:

[edit forwarding-options family inet]
filter {
    input filter-name;
}
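The following complete configuration ties the steps above together: it defines an IPv4 forwarding table filter with two terms, creates a standalone forwarding table, applies the filter to that table, and applies the same filter to the default table inet.0. This is an added example, not configuration from the original documentation or from Juniper; the filter name bearer-in, the term and counter names, the routing-instance name bearer-vrf, and the 192.0.2.0/24 source prefix are all constructed for illustration.

```junos
/* Added example; all names and addresses below are constructed. */
firewall {
    family inet {
        filter bearer-in {
            /* Accept bearer packets from the expected subscriber pool and
               count them so normal traffic volume is visible. */
            term allow-subscriber-pool {
                from {
                    source-address {
                        192.0.2.0/24;
                    }
                }
                then {
                    count subscriber-pool-accepted;
                    accept;
                }
            }
            /* A term with no from clause matches every remaining packet.
               Counting and logging before the discard makes unexpected
               sources visible to operators instead of silently dropping them. */
            term discard-rest {
                then {
                    count unexpected-discarded;
                    log;
                    discard;
                }
            }
        }
    }
}
routing-instances {
    /* A forwarding table that is not tied to a VPN instance type. */
    bearer-vrf {
        instance-type forwarding;
        forwarding-options {
            family inet {
                filter {
                    input bearer-in;
                }
            }
        }
    }
}
/* The same filter guards the default forwarding table inet.0. */
forwarding-options {
    family inet {
        filter {
            input bearer-in;
        }
    }
}
```

The explicit final term is there for observability rather than necessity: a packet that matches no term in a Junos firewall filter is discarded by default, but without a counting term that traffic leaves no trace. After commit, the per-term counters are available with show firewall filter bearer-in and the logged packets with show firewall log, which is the first place to check when expected bearer traffic stops being forwarded.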

For more information about applying forwarding table filters, see Applying Filters to Forwarding Tables. For information about routing instances, see the JUNOS Routing Protocols Configuration Guide.