Technical Documentation

Option: Using Filter-Based Forwarding to Select Traffic to Be Secured

Instead of using a firewall filter, you can also forward traffic into an IPSec security association by using a filter-based forwarding instance. First, configure the filter-based forwarding instance. Then, configure a routing table group to advertise the routes from the filter-based forwarding instance. Next, create a firewall filter for the ES PIC and reference the filter-based forwarding instance. Lastly, apply the filter and IPSec security association to the ES PIC.

[edit]
routing-instances {
    forwarding {
        instance-type forwarding;
        routing-options {
            static {
                route 10.10.10.0/24 next-hop 192.168.0.5;
            }
        }
    }
}
routing-options {
    rib-groups {
        group-name {
            import-rib [ inet.0 forwarding.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter filter-name {
            term term-name {
                then routing-instance instance-name;
            }
        }
    }
}

[edit]
interfaces {
    es-0/0/0 {
        unit 0 {
            tunnel {
                source source-ip-address;
                destination destination-ip-address;
            }
            family inet {
                ipsec-sa sa-name;
                filter {
                    input filter-name;
                }
                address ip-address;
            }
        }
    }
}
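The four steps are tied together only by names: the filter term names the routing instance, the rib-group imports that instance's inet.0 table, and the ES PIC unit names both the filter and the security association. The following Python check is an added example, not Juniper code; it parses a configuration in the layout shown above and reports broken references, and the names fbf-group, to-ipsec, t1 and sa-1 and the interface addresses are assumed sample values.

```python
import re
# Constructed sample: the page's template with assumed names and addresses in place of placeholders.
SAMPLE = """routing-instances { forwarding { instance-type forwarding;
  routing-options { static { route 10.10.10.0/24 next-hop 192.168.0.5; } } } }
routing-options { rib-groups { fbf-group { import-rib [ inet.0 forwarding.inet.0 ]; } } }
firewall { family inet { filter to-ipsec { term t1 { then routing-instance forwarding; } } } }
interfaces { es-0/0/0 { unit 0 { tunnel { source 192.0.2.1; destination 198.51.100.1; }
  family inet { ipsec-sa sa-1; filter { input to-ipsec; } address 10.0.0.1/32; } } } }"""

def parse(text):
    """Parse brace-delimited Junos-style config into nested dicts; leaf statements map to {}."""
    tokens = iter(re.findall(r"[{};]|[^\s{};]+", text))
    def block():
        node, words = {}, []
        for tok in tokens:  # nested calls share one iterator, so each consumes its own block
            if tok == "}":
                break
            if tok in ("{", ";"):
                key, words = " ".join(words), []
                node[key] = block() if tok == "{" else {}
            else:
                words.append(tok)
        return node
    return block()

def check(cfg):
    """Return problems in how the four configuration steps reference each other."""
    problems, fbf_filters = [], set()
    instances = {n for n, b in cfg.get("routing-instances", {}).items() if "instance-type forwarding" in b}
    groups = cfg.get("routing-options", {}).get("rib-groups", {})
    imported = {w for g in groups.values() for s in g if s.startswith("import-rib ") for w in s.split()}
    for fname, terms in cfg.get("firewall", {}).get("family inet", {}).items():
        for term in terms.values():
            # Accept both "then routing-instance x;" and "then { routing-instance x; }".
            for stmt in list(term) + ["then " + s for s in term.get("then", {})]:
                if stmt.startswith("then routing-instance "):
                    inst = stmt.split()[-1]
                    if inst not in instances:
                        problems.append(f"{fname}: routing-instance {inst} is not defined")
                    elif f"{inst}.inet.0" not in imported:
                        problems.append(f"{inst}.inet.0 is not imported by any rib-group")
                    else:
                        fbf_filters.add(fname.split()[-1])
    for ifname, units in cfg.get("interfaces", {}).items():
        for unit, body in (units.items() if ifname.startswith("es-") else ()):
            fam = body.get("family inet", {})
            if not any(s.startswith("ipsec-sa ") for s in fam):
                problems.append(f"{ifname} {unit}: no ipsec-sa applied")
            if not any(s.startswith("input ") and s.split()[-1] in fbf_filters for s in fam.get("filter", {})):
                problems.append(f"{ifname} {unit}: no input filter that selects the forwarding instance")
    return problems
```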

Published: 2010-04-15