Filter-Based Forwarding for Routing Instances

You can use stateless firewall filters in routing instances to control how packets travel in a network for IPv4 and IPv6 traffic. This is called filter-based forwarding.

You can define a firewall filter term that directs matching packets to a specified routing instance. This type of filtering can be used to route specific kinds of traffic through a firewall or other security device before the traffic continues on its path.

To configure a stateless firewall filter to direct traffic to a routing instance, configure a term with the routing-instance routing-instance-name terminating action at the [edit firewall family <inet | inet6>] hierarchy level; the named routing instance is the one to which matching packets are forwarded. You can apply a forwarding table filter to a routing instance of type forwarding and also to the default routing instance inet.0. To configure the filter to direct traffic to the master routing instance, use the routing-instance default statement at the [edit firewall family <inet | inet6>] hierarchy level.
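As an added example (it is not configuration taken from this Juniper page), the following Junos configuration sends HTTP traffic from one constructed subnet into a forwarding-type routing instance whose only route points at a firewall, while all other traffic stays in inet.0. The filter name, instance name, interfaces and addresses are assumptions. The rib-group that leaks the directly connected routes into the forwarding instance is the usual way to let that instance resolve its next hop; the page itself does not cover it.

```junos
firewall {
    family inet {
        filter FBF-TO-FW {
            /* The redirect term carries only match conditions and the
               routing-instance terminating action: count, log, policer
               and the other actions listed on this page are not allowed
               in the same term. */
            term http-via-firewall {
                from {
                    /* Constructed client subnet */
                    source-address {
                        10.1.1.0/24;
                    }
                    protocol tcp;
                    destination-port 80;
                }
                then {
                    routing-instance FW-INSPECT;
                }
            }
            /* Everything else is forwarded normally using inet.0 */
            term default-accept {
                then accept;
            }
        }
    }
}
routing-instances {
    FW-INSPECT {
        instance-type forwarding;
        routing-options {
            static {
                /* Redirected packets go to the firewall's inside address */
                route 0.0.0.0/0 next-hop 192.0.2.1;
            }
        }
    }
}
routing-options {
    /* Leak interface routes into FW-INSPECT so 192.0.2.1 is resolvable there */
    interface-routes {
        rib-group inet FBF-RIBS;
    }
    rib-groups {
        FBF-RIBS {
            import-rib [ inet.0 FW-INSPECT.inet.0 ];
        }
    }
}
interfaces {
    /* Client-facing interface: the filter is applied in the input direction only */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input FBF-TO-FW;
                }
                address 10.1.1.1/24;
            }
        }
    }
    /* Firewall-facing interface */
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.0.2.2/24;
            }
        }
    }
}
```

After committing, `show route table FW-INSPECT.inet.0` should list both the static default route to 192.0.2.1 and the leaked 192.0.2.0/24 direct route; if the direct route is missing, the redirected packets have no resolvable next hop and are dropped rather than inspected.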

The following limitations apply to filter-based forwarding configured on routing instances:

  • You cannot configure any of the following actions in a firewall filtering term when the filtering term contains the routing-instance routing-instance-name terminating action:

    • count counter-name

    • discard

    • forwarding-class class-name

    • log

    • loss-priority (high | medium-high | low)

    • policer policer-name

    • port-mirror

    • reject message-type

    • syslog

    • three-color-policer (single-rate | two-rate) policer-name

  • You cannot configure the fragment-flags number match condition in the filter term.

  • You cannot attach a filter that is either default or physical interface-specific.

  • You cannot attach a filter to the egress direction of routing instances.

  • IPv6 filter-based forwarding does not support the following L4 matches:

    • source-port

    • destination-port

    • icmp-type

    • icmp-code

Although you can configure forwarding of packets from one VRF to another VRF, you cannot configure forwarding from a VRF to the global routing instance.

The maximum number of routing instances supported is 64, which is the same as the maximum number of virtual routers supported. Forwarding packets to the global table (default VRF) is not supported for filter-based forwarding.

Note:

Filter-based forwarding on an interface does not work when a source MAC address filter is configured on that interface, because the source MAC address filter takes precedence over filter-based forwarding.