Example: Using Filter-Based Forwarding to Route Application Traffic to a Security Device
This example describes how to set up filter-based forwarding on EX Series switches or QFX10000 switches. Filter-based forwarding uses a firewall filter to send matched traffic to a specific virtual routing instance, whose routing table then decides where the traffic goes.
Requirements
This example applies to both EX Series switches running Junos OS Release 9.4 or later, and QFX10000 switches running Junos OS Release 15.1X53-D10 or later.
Overview and Topology
In this example, we create a firewall filter to match traffic being sent from one application server to another according to the destination address (192.168.0.1) of packets egressing the source application server. Matching packets are routed to a virtual routing instance that forwards them to a security device; the security device then forwards the traffic on to the destination application server.
Filter-based forwarding does not work with IPv6 interfaces on some Juniper switches.
Configuration
To configure filter-based forwarding:
CLI Quick Configuration
To use this example on your own device, copy the following commands into a text file, remove the line breaks, and change the necessary details to fit your configuration. Then copy and paste the commands into your CLI at the [edit] hierarchy level.
[edit]
set interfaces xe-0/0/0 unit 0 family inet address 10.1.0.1/24
set interfaces xe-0/0/3 unit 0 family inet address 10.1.3.1/24
set firewall family inet filter f1 term t1 from source-address 10.1.0.50/32
set firewall family inet filter f1 term t1 from protocol tcp
set interfaces xe-0/0/0 unit 0 family inet filter input f1
set routing-instances vrf01 instance-type virtual-router
set routing-instances vrf01 interface xe-0/0/3.0
set routing-instances vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
set firewall family inet filter f1 term t1 then routing-instance vrf01
Procedure
Step-by-Step Procedure
To configure filter-based forwarding:
Configure an interface to connect to the application server:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family inet address 10.1.0.1/24
Configure an interface to connect to the security device:
[edit interfaces] user@switch# set xe-0/0/3 unit 0 family inet address 10.1.3.1/24
Create a firewall filter that matches packets based on the address of the application server that the traffic will be sent from, and configure the filter so that it matches only TCP packets (both commands are entered at the [edit firewall] hierarchy level, so neither repeats the firewall keyword):
[edit firewall] user@switch# set family inet filter f1 term t1 from source-address 10.1.0.50/32
[edit firewall] user@switch# set family inet filter f1 term t1 from protocol tcp
Apply the filter to the interface that connects to the source application server and configure it to match incoming packets:
[edit interfaces] user@switch# set xe-0/0/0 unit 0 family inet filter input f1
Create a virtual router:
[edit] user@switch# set routing-instances vrf01 instance-type virtual-router
Associate the virtual router with the interface that connects to the security device:
[edit routing-instances] user@switch# set vrf01 interface xe-0/0/3.0
Configure the routing information for the virtual routing instance:
[edit routing-instances] user@switch# set vrf01 routing-options static route 192.168.0.1/24 next-hop 10.1.3.254
Set the filter to forward packets to the virtual router:
[edit firewall] user@switch# set family inet filter f1 term t1 then routing-instance vrf01
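The decision the switch makes once these steps are committed, modelled as an added Python example (not Junos code or any Juniper tooling): the input filter on xe-0/0/0.0 selects the routing instance, then the destination is looked up in that instance's table. The model also makes visible what a reviewer should check on this configuration: term t1 matches only protocol tcp from 10.1.0.50/32, so UDP or ICMP from the server, traffic from any other host, and traffic arriving on other interfaces all stay in the default table and never reach the security device. The Packet class, the lookup helpers and the reduced default table are modelling assumptions.

```python
"""Model of the filter-based forwarding decision this page configures.
Added example, not Junos code: filter terms and routes come from the page;
Packet, the lookup helpers and the reduced default table are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp", "icmp", ...
    in_if: str   # ingress logical interface, e.g. "xe-0/0/0.0"

# filter f1 term t1: TCP sourced by the application server -> look up in vrf01.
# No destination-address match, no UDP/ICMP match: only TCP from 10.1.0.50 is
# steered to the security device.
FILTER_F1 = [{"source-address": ip_network("10.1.0.50/32"),
              "protocol": "tcp", "then": "vrf01"}]
INPUT_FILTERS = {"xe-0/0/0.0": FILTER_F1}   # applied as input on xe-0/0/0.0 only

# Tables as prefix -> (next hop, egress interface).  ipaddress normalises the
# page's 192.168.0.1/24 to 192.168.0.0/24, as the switch does.
TABLES = {
    "default": {ip_network("10.1.0.0/24"): ("direct", "xe-0/0/0.0")},
    "vrf01": {
        ip_network("10.1.3.0/24"): ("direct", "xe-0/0/3.0"),
        ip_network("192.168.0.1/24", strict=False): ("10.1.3.254", "xe-0/0/3.0"),
    },
}

def select_instance(pkt):
    """Evaluate the ingress filter; the first matching term names the table."""
    for term in INPUT_FILTERS.get(pkt.in_if, []):
        if ip_address(pkt.src) in term["source-address"] and pkt.proto == term["protocol"]:
            return term["then"]
    return "default"   # no term matched: implicit accept, default table

def lookup(instance, dst):
    """Longest-prefix match of dst in the named table; None if there is no route."""
    hits = [p for p in TABLES[instance] if ip_address(dst) in p]
    return TABLES[instance][max(hits, key=lambda p: p.prefixlen)] if hits else None

def forward(pkt):
    """Which table is consulted and where the packet goes."""
    instance = select_instance(pkt)
    route = lookup(instance, pkt.dst) or (None, None)
    return {"instance": instance, "next_hop": route[0], "netif": route[1]}
```

Calling forward() with a TCP packet from 10.1.0.50 to 192.168.0.1 on xe-0/0/0.0 yields vrf01 and next hop 10.1.3.254 via xe-0/0/3.0; the same packet as UDP stays in the default table.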
Results
Check the results of the configuration:
user@switch> show configuration
interfaces {
    xe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input f1;
                }
                address 10.1.0.1/24;
            }
        }
    }
    xe-0/0/3 {
        unit 0 {
            family inet {
                address 10.1.3.1/24;
            }
        }
    }
}
firewall {
    family inet {
        filter f1 {
            term t1 {
                from {
                    source-address {
                        10.1.0.50/32;
                    }
                    protocol tcp;
                }
                then {
                    routing-instance vrf01;
                }
            }
        }
    }
}
routing-instances {
    vrf01 {
        instance-type virtual-router;
        interface xe-0/0/3.0;
        routing-options {
            static {
                route 192.168.0.1/24 next-hop 10.1.3.254;
            }
        }
    }
}
Verification
To confirm that the configuration is working properly, perform these tasks:
Verifying That Filter-Based Forwarding Was Configured
Purpose
Verify that filter-based forwarding was properly enabled on the switch.
Action
Use the show interfaces filters command:
user@switch> show interfaces filters xe-0/0/0.0
Interface       Admin Link Proto Input Filter  Output Filter
xe-0/0/0.0      up    down inet  fil
Use the show route forwarding-table command:
user@switch> show route forwarding-table
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            user     1 0:12:f2:21:cf:0    ucst   331     4 me0.0
default            perm     0                    rjct    36     3
0.0.0.0/32         perm     0                    dscd    34     1
10.1.0.0/24        ifdn     0                    rslv   613     1 xe-0/0/0.0
10.1.0.0/32        iddn     0 10.1.0.0           recv   611     1 xe-0/0/0.0
10.1.0.1/32        user     0                    rjct    36     3
10.1.0.1/32        intf     0 10.1.0.1           locl   612     2
10.1.0.1/32        iddn     0 10.1.0.1           locl   612     2
10.1.0.255/32      iddn     0 10.1.0.255         bcst   610     1 xe-0/0/0.0
10.1.1.0/26        ifdn     0                    rslv   583     1 vlan.0
10.1.1.0/32        iddn     0 10.1.1.0           recv   581     1 vlan.0
10.1.1.1/32        user     0                    rjct    36     3
10.1.1.1/32        intf     0 10.1.1.1           locl   582     2
10.1.1.1/32        iddn     0 10.1.1.1           locl   582     2
10.1.1.63/32       iddn     0 10.1.1.63          bcst   580     1 vlan.0
255.255.255.255/32 perm     0                    bcst    32     1

Routing table: vrf01.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   559     2
0.0.0.0/32         perm     0                    dscd   545     1
10.1.3.0/24        ifdn     0                    rslv   617     1 xe-0/0/3.0
10.1.3.0/32        iddn     0 10.1.3.0           recv   615     1 xe-0/0/3.0
10.1.3.1/32        user     0                    rjct   559     2
192.168.0.1/24     user     0 10.1.3.254         ucst   616     2 xe-0/0/3.0
192.168.0.1/24     user     0 10.1.3.254         ucst   616     2 xe-0/0/3.0
10.1.3.255/32      iddn     0 10.1.3.255         bcst   614     1 xe-0/0/3.0
224.0.0.0/4        perm     0                    mdsc   546     1
224.0.0.1/32       perm     0 224.0.0.1          mcst   529     1
255.255.255.255/32 perm     0                    bcst   543     1

Routing table: default.iso
ISO:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct    60     1

Routing table: vrf01.iso
ISO:
Destination        Type RtRef Next hop           Type Index NhRef Netif
default            perm     0                    rjct   600     1
Meaning
The output indicates that filter f1 is attached as an input filter on xe-0/0/0.0 and that the vrf01 routing table carries the route for 192.168.0.1/24 with next hop 10.1.3.254 via xe-0/0/3.0, so traffic steered into vrf01 is forwarded to the security device.