Filter-Based Forwarding Overview
Firewall filters can be used to block specific packets. They can also be used to affect how specific packets are forwarded.
Filters That Classify Packets or Direct Them to Routing Instances
For IPv4 or IPv6 traffic only, you can use stateless firewall filters in conjunction with forwarding classes and routing instances to control how packets travel in a network. This is called filter-based forwarding (FBF).
You can define a filtering term that matches incoming packets based on source address and then classifies matching packets to a specified forwarding class. This type of filtering can be configured to grant certain types of traffic preferential treatment or to improve load balancing. To configure a stateless firewall filter to classify packets to a forwarding class, configure a term with the nonterminating action forwarding-class class-name.
You can also define a filtering term that directs matching packets to a specified routing instance. This type of filtering can be configured to route specific types of traffic through a firewall or other security device before the traffic continues on its path. To configure a stateless firewall filter to direct traffic to a routing instance, configure a term with the terminating action routing-instance routing-instance-name <topology topology-name> to specify the routing instance to which matching packets will be forwarded.
Unicast Reverse Path Forwarding (uRPF) check is compatible with FBF actions. The uRPF check is performed on the source address before any FBF action is applied, for both static and dynamic interfaces. This applies to both the IPv4 and IPv6 families.
Packets forwarded with FBF do not take the Services Offload (SOF) or Power Mode IPsec (PMI) path:
- SOF: Even if SOF is enabled, packets forwarded with FBF do not go through SOF.
- PMI: If PMI is configured, packets in the direction in which the filter is applied do not go through PMI. Returning packets do go through PMI, provided they are not themselves forwarded with FBF.
To forward traffic to the master routing instance, reference routing-instance default in the firewall configuration, as shown here:
[edit firewall]
family inet {
    filter test {
        term 1 {
            then {
                routing-instance default;
            }
        }
    }
}
Do not reference routing-instance master. This does not work.
Input Filtering to Classify and Forward Packets Within the Router or Switch
You can configure filters to classify packets based on source address and specify the forwarding path the packets take within the router or switch by configuring a filter on the ingress interface.
For example, you can use this filter for applications to differentiate traffic from two clients that have a common access layer (for example, a Layer 2 switch) but are connected to different Internet service providers (ISPs). When the filter is applied, the router or switch can differentiate the two traffic streams and direct each to the appropriate network. Depending on the media type the client is using, the filter can use the source IP address to forward the traffic to the corresponding network through a tunnel. You can also configure filters to classify packets based on IP protocol type or IP precedence bits.
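The configuration below is an added example, not code from this page or from Juniper, that puts the pieces described above together for the two-client scenario: one nonterminating forwarding-class term (combined with next term so that evaluation continues to the routing-instance terms), two terminating routing-instance terms keyed on source address, the two forwarding instances themselves, and the rib-group that copies interface routes into them so each instance can resolve its static next hop. The filter name fbf-by-source, the instance names isp-a and isp-b, the rib-group name fbf-group, the interface names, the 10.1.0.0/16 client space and the RFC 5737 documentation addresses are all assumed values; expedited-forwarding is one of the Junos default forwarding-class names.

```junos
[edit]
firewall {
    family inet {
        filter fbf-by-source {
            /* Nonterminating action; "next term" keeps evaluation going so
               the routing-instance terms below still apply to these packets. */
            term classify-voice {
                from {
                    source-address {
                        10.1.1.0/25;
                    }
                }
                then {
                    forwarding-class expedited-forwarding;
                    next term;
                }
            }
            /* Terminating actions: client A and client B share the access
               layer but are steered to different ISP instances by source. */
            term client-a-to-isp-a {
                from {
                    source-address {
                        10.1.1.0/24;
                    }
                }
                then {
                    routing-instance isp-a;
                }
            }
            term client-b-to-isp-b {
                from {
                    source-address {
                        10.1.2.0/24;
                    }
                }
                then {
                    routing-instance isp-b;
                }
            }
            /* Anything else follows the normal lookup in inet.0. */
            term default {
                then accept;
            }
        }
    }
}
routing-instances {
    isp-a {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.0.2.1;
            }
        }
    }
    isp-b {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 198.51.100.1;
            }
        }
    }
}
routing-options {
    /* A forwarding instance owns no interfaces; import the direct routes
       from inet.0 so each instance can resolve its static next hop. */
    interface-routes {
        rib-group inet fbf-group;
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 isp-a.inet.0 isp-b.inet.0 ];
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* uRPF checks the source address before the FBF filter acts. */
                rpf-check;
                filter {
                    input fbf-by-source;
                }
                address 10.1.0.254/16;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.0.2.2/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 198.51.100.2/24;
            }
        }
    }
}
```

After committing, show route table isp-a.inet.0 should list both the static default route and the direct routes imported through fbf-group. Without the rib-group the static next hop 192.0.2.1 is unresolvable inside the instance, and packets matched by the client-a-to-isp-a term are discarded rather than forwarded, which is the most common reason an FBF configuration appears to "do nothing".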
Output Filtering to Forward Packets to Another Routing Table
You can also forward packets based on output filters by configuring a filter on the egress interfaces. In the case of port mirroring, it is useful for port-mirrored packets to be distributed to multiple monitoring PICs and collection PICs based on patterns in packet headers. To do this, configure FBF on the port-mirroring egress interface.
Packets forwarded to the output filter have been through at least one route lookup when an FBF filter is configured on the egress interface. After the packet is classified at the egress interface by the FBF filter, it is redirected to another routing table for further route lookup.
Restrictions for Applying Filter-Based Forwarding
An interface configured with filter-based forwarding does not support source-class usage (SCU) filter matching or source-class and destination-class usage (SCU/DCU) accounting.
If filter-based forwarding is attached to an interface directly or through a forwarding table filter, DCU accounting on that interface does not work.