Configuring Filter-Based Forwarding for Multitopology Routing

Each routing instance (master or virtual-router) supports one default topology to which all forwarding classes are forwarded. For Multitopology Routing, you can configure a firewall filter on the ingress interface to match a specific forwarding class, such as expedited forwarding, with a specific topology. The traffic that matches the specified forwarding class is then added to the routing table for that topology.

To configure filter-based forwarding for Multitopology Routing, include the following statements at the [edit firewall] hierarchy level:

[edit firewall]
family (inet | inet6) {
    filter filter-name {
        term term-name {
            from {
                forwarding-class (assured-forwarding | best-effort | expedited-forwarding | network-control);
            }
            then {
                (topology topology-name | routing-instance routing-instance-name topology topology-name | logical-system logical-system-name topology topology-name | logical-system logical-system-name routing-instance routing-instance-name topology topology-name);
            }
        }
    }
}

To configure the family address type, specify family inet to filter IPv4 packets or family inet6 to filter IPv6 packets.

To configure the filter name, include the filter filter-name statement. The filter name can contain letters, numbers, and hyphens (-) and can be up to 64 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”).

Each filter consists of one or more terms. To configure a term, include the term term-name statement. The term name can contain letters, numbers, and hyphens (-) and can be up to 255 characters long. To include spaces in the name, enclose the entire name in quotation marks (“ ”). Each term name must be unique within a filter.

Include the forwarding-class class statement to define the forwarding class against which to match the incoming packets. You can configure the following types of forwarding classes: assured-forwarding, expedited-forwarding, best-effort, and network-control.

You can specify multiple terms in a filter, effectively chaining together a series of match-action operations to apply to the packets on an interface. Firewall filter terms are evaluated in the order in which you specify them in the configuration. To reorder terms, use the configuration mode insert command. For example, the command insert term up before term start places the term up before the term start.

Use the topology statement to specify that packets that match the specified forwarding class be directed to the specified topology.

For a topology in the master instance, include the topology name statement, where name is the name of the topology.

For a topology in a nonmaster instance, include the routing-instance routing-instance-name topology topology-name statement, where routing-instance-name is the name of the routing instance and topology-name is the name of the topology.

For a topology in a nonmaster logical system, include the logical-system logical-system-name topology topology-name statement, where logical-system-name is the name of the logical system and topology-name is the name of the topology.

For a topology in a nonmaster instance within a nonmaster logical system, include the logical-system logical-system-name routing-instance routing-instance-name topology topology-name statement, where logical-system-name is the name of the logical system, routing-instance-name is the name of the routing instance configured within the logical system, and topology-name is the name of the topology.

You must apply the filter to an ingress interface. Include the following statements to apply the filter to an interface:

[edit interfaces interface-name]
unit number {
    family (inet | inet6) {
        filter {
            input filter-name;
        }
    }
}
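
The following configuration ties the filter definition and the interface binding together. It is an added example, not taken from the Junos documentation: the topology names voice and video, the filter name mtr-classify, the term names, and the interface ge-0/0/0 unit 0 are assumed, and both topologies are assumed to be already configured in the master instance. The final term is there because a Junos firewall filter discards any packet that matches none of its terms, so a filter containing only topology terms would drop every other forwarding class on that interface.

```junos
/* Example only: voice, video, mtr-classify and ge-0/0/0 are assumed names. */
firewall {
    family inet {
        filter mtr-classify {
            /* Expedited-forwarding packets are looked up in the voice topology. */
            term ef-to-voice {
                from {
                    forwarding-class expedited-forwarding;
                }
                then {
                    topology voice;
                }
            }
            /* Assured-forwarding packets are looked up in the video topology. */
            term af-to-video {
                from {
                    forwarding-class assured-forwarding;
                }
                then {
                    topology video;
                }
            }
            /* Catch-all, evaluated last: remaining classes stay on the
               default topology instead of hitting the implicit discard. */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    /* Filter-based forwarding takes effect only on ingress. */
                    input mtr-classify;
                }
            }
        }
    }
}
```

Because terms are evaluated in order, the catch-all term must remain last; if a term is added later, move it ahead of the catch-all with the insert command described above.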

For more detailed information about how to configure firewall filters, see the Junos Policy Framework Configuration Guide.