ON THIS PAGE
Example: Configuring a Filter to Count and Sample Accepted Packets
This example shows how to configure a standard stateless firewall filter to count and sample accepted packets.
Requirements
No special configuration beyond device initialization is required before configuring this example.
Before you begin, configure traffic sampling
by including the sampling statement at the [edit forwarding-options] hierarchy level.
Overview
In this example, you use a standard stateless firewall filter to count and sample all packets received on a logical interface.
When you enable reverse path forwarding (RPF) on an interface with an input filter for firewall log and count, the input firewall filter does not log the packets rejected by RPF, although the rejected packets are counted. To log the rejected packets, use an RPF check fail filter.
On MX Series routers with MPC3 or MPC4, if firewall filters are configured to count Two-Way Active Measurement Protocol (TWAMP) packets then the count is doubled for all TWAMP packets. There may also be a small increase in round trip time (RTT) when the TWAMP server is hosted on MPC3 or MPC4. This warning does not apply for routers with MPC1 or MPC2 cards.
On QFX5130 and QFX5700 when a packet hits multiple firewall filters which has counter action, only the highest priority group counter will increment. For example, assume the packet has hit a IPACL (Port ACL) filter and a IRACL (Routed ACL) filter, both having counter action. According to priority, IRACL has high priority over IPACL. Hence only IRACL counter will increment. If there is no hit in IRACL, then IPACL counter will increment.
Below is the order of priority of user configured ACLs (from highest to lowest),
-
Loopback
-
IRACL
-
IPACL
-
IVACL
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks:
- CLI Quick Configuration
- Configure the Stateless Firewall Filter
- Apply the Stateless Firewall Filter to a Logical Interface
- Confirm and Commit Your Candidate Configuration
CLI Quick Configuration
To quickly configure this example, copy the following
configuration commands into a text file, remove any line breaks, and
then paste the commands into the CLI at the [edit] hierarchy
level.
set firewall family inet filter sam term all then count count_sam set firewall family inet filter sam term all then sample set interfaces at-2/0/0 unit 301 family inet address 10.1.2.3/30 set interfaces at-2/0/0 unit 301 family inet filter input sam
Configure the Stateless Firewall Filter
Step-by-Step Procedure
To configure the stateless firewall filter sam:
Create the stateless firewall filter
sam.[edit] user@host# edit firewall family inet filter sam
Configure the term to count and sample all packets.
[edit firewall family inet filter sam] user@host# set term all then count count_sam user@host# set term all then sample
Apply the Stateless Firewall Filter to a Logical Interface
Step-by-Step Procedure
To apply the stateless firewall filter to a logical interface:
Configure the logical interface to which you will apply the stateless firewall filter.
[edit] user@host# edit interfaces ge-0/0/1 unit 0 family inet
Configure the interface address for the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet] user@host# set address 10.1.2.3/30
Apply the stateless firewall filter to the logical interface.
[edit interfaces ge-0/0/1 unit 0 family inet] user@host# set filter input sam
Note:The Junos OS does not sample packets originating from the router or switch. If you configure a filter and apply it to the output side of an interface, then only the transit packets going through that interface are sampled. Packets that are sent from the Routing Engine to the Packet Forwarding Engine are not sampled.
Confirm and Commit Your Candidate Configuration
Step-by-Step Procedure
To confirm and then commit your candidate configuration:
Confirm the configuration of the stateless firewall filter by entering the
show firewallconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show firewall family inet { filter sam { term all { then { count count_sam; sample; # default action is accept } } } }Confirm the configuration of the interface by entering the
show interfacesconfiguration mode command. If the command output does not display the intended configuration, repeat the instructions in this example to correct the configuration.[edit] user@host# show interfaces interfaces { at-2/0/0 { unit 301 { family inet { filter { input sam; } address 10.1.2.3/30; } } } }If you are done configuring the device, commit your candidate configuration.
[edit] user@host# commit
Verification
Confirm that the configuration is working properly.
- Displaying the Packet Counter
- Displaying the Firewall Filter Log Output
- Displaying the Sampling Output
Displaying the Packet Counter
Purpose
Verify that the firewall filter is evaluating packets.
Action
user@host> show firewall filter sam Filter: Counters: Name Bytes Packets sam sam-1 98 8028
Displaying the Firewall Filter Log Output
Purpose
Display the packet header information for all packets evaluated by the firewall filter.
Action
user@host> show firewall log Time Filter A Interface Pro Source address Destination address 23:09:09 - A at-2/0/0.301 TCP 10.2.0.25 10.211.211.1:80 23:09:07 - A at-2/0/0.301 TCP 10.2.0.25 10.211.211.1:56 23:09:07 - A at-2/0/0.301 ICM 10.2.0.25 10.211.211.1:49552 23:02:27 - A at-2/0/0.301 TCP 10.2.0.25 10.211.211.1:56 23:02:25 - A at-2/0/0.301 TCP 10.2.0.25 10.211.211.1:80 23:01:22 - A at-2/0/0.301 ICM 10.2.2.101 10.211.211.1:23251 23:01:21 - A at-2/0/0.301 ICM 10.2.2.101 10.211.211.1:16557 23:01:20 - A at-2/0/0.301 ICM 10.2.2.101 10.211.211.1:29471 23:01:19 - A at-2/0/0.301 ICM 10.2.2.101 10.211.211.1:26873
Meaning
This output file contains the following fields:
Time—Time at which the packet was received (not shown in the default).Filter—Name of a filter that has been configured with thefilterstatement at the[edit firewall]hierarchy level. A hyphen (-) or the abbreviationpfeindicates that the packet was handled by the Packet Forwarding Engine. A space (no hyphen) indicates that the packet was handled by the Routing Engine.A—Filter action:A—Accept (or next term)D—DiscardR—Reject
Interface—Interface on which the filter is configured.Note:We strongly recommend that you always explicitly configure an action in the
thenstatement.Pro—Packet’s protocol name or number.Source address—Source IP address in the packet.Destination address—Destination IP address in the packet.
Displaying the Sampling Output
Purpose
Verify that the sampling output contains appropriate data.
Action
wtmp.0.gz Size: 15017, Last changed: Dec 19 13:15:54 wtmp.1.gz Size: 493, Last changed: Nov 19 13:47:29 wtmp.2.gz Size: 57, Last changed: Oct 20 15:24:34 | Pipe through a command
user@host> show log /var/tmp/sam
# Apr 7 15:48:50
Time Dest Src Dest Src Proto TOS Pkt Intf IP TCP
addr addr port port len num frag flags
Apr 7 15:48:54 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
Apr 7 15:48:55 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0
Apr 7 15:48:56 192.168.9.194 192.168.9.195 0 0 1 0x0 84 8 0x0 0x0