Example: Configuring Filter-Based Forwarding
Filter-based forwarding (FBF), also called policy-based routing (PBR), provides a simple but powerful way to route IP traffic out different interfaces on the basis of Layer 3 or Layer 4 parameters rather than the destination address alone.
FBF works by using match conditions in a firewall filter to select certain traffic and direct it to a routing instance whose routing table points to the desired next hop. Because that table is separate from the main routing table, the next hop is only resolvable if the instance knows which subnets are directly connected; to ensure this, interface routes from the main routing table are shared with the routing table(s) of the routing instance(s) through a RIB group. If the next hop does not resolve, traffic matched by the filter is dropped rather than falling back to the main table.
Match conditions can include the source or destination IP address, source or destination port, IP protocol, DSCP value, TCP flag, ICMP type, and packet length.
Requirements
This example has the following hardware and software requirements:
MX Series 5G Universal Routing Platform as the routing device with the firewall filter configured.
Junos OS Release 13.3 or later running on the routing device with the firewall filter configured.
Overview
This example shows the configuration settings you need to set up filter-based forwarding on a single device. Figure 1 shows the ingress and egress interfaces on an MX Series router and illustrates the logical flow of events as packets traverse the device.
A firewall filter called webFilter is attached to the ingress interface, fe-0/0/0. Packets arriving over the interface are evaluated against the match conditions specified in the filter, the logic of which directs HTTP and HTTPS traffic to a routing instance called webtraffic. This routing instance accomplishes three things: first, it establishes a routing table called webtraffic.inet.0; second, it lets you define a static route and next hop; and third, lets you configure the instance for forwarding traffic to the next hop (here, 192.0.2.2 on interface fe-0/0/1).
Term 2 in the firewall filter, then accept, specifies that all non-matching traffic takes the normal path. This term is required: a Junos firewall filter ends with an implicit discard, so without it all non-Web traffic arriving on fe-0/0/0 would be dropped. We define a static route with a next hop of 203.0.113.2 so that this traffic egresses the device via fe-0/0/2. The route is automatically installed in the master routing table, inet.0.
The last (logical) step in setting up FBF is to ensure that both static routes are resolvable. The RIB group (FBF-rib in this example) imports the interface routes from inet.0 into webtraffic.inet.0, so the next hop 192.0.2.2 resolves through the directly connected 192.0.2.0/24 subnet on fe-0/0/1.
For examples that focus on a specific use case or multi-device topologies, see the Related Topics.
Configuration
Procedure
CLI Quick Configuration
Both copy-paste and step-by-step instructions for creating filter-based forwarding on a single device are provided.

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Configure a device for filter-based forwarding
set interfaces fe-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces fe-0/0/0 unit 0 family inet filter input webFilter
set interfaces fe-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces fe-0/0/2 unit 0 family inet address 203.0.113.1/24
set firewall family inet filter webFilter term 1 from destination-port http
set firewall family inet filter webFilter term 1 from destination-port https
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
set routing-instances webtraffic instance-type forwarding
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set routing-options interface-routes rib-group inet FBF-rib
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the device:
Configure the inbound interface and attach the webFilter firewall filter to it.
[edit interfaces fe-0/0/0 unit 0 family inet]
user@device# set filter input webFilter
user@device# set address 198.51.100.1/24
Configure the outbound interfaces, one for Web traffic and the other for all other traffic.
[edit interfaces]
user@device# set fe-0/0/1 unit 0 family inet address 192.0.2.1/24
user@device# set fe-0/0/2 unit 0 family inet address 203.0.113.1/24
Configure the firewall filter to pass Web traffic (destination port http or https) to the webtraffic routing instance and to accept all other traffic, which is then forwarded according to inet.0 (here, via the static route to 203.0.113.2).

[edit firewall family inet filter webFilter]
user@device# set term 1 from destination-port http
user@device# set term 1 from destination-port https
user@device# set term 1 then routing-instance webtraffic
user@device# set term 2 then accept
Optional: Monitor how much traffic the filter redirects by adding a counter to term 1. The counter is read in operational mode with show firewall filter webFilter.

[edit firewall family inet filter webFilter]
user@device# set term 1 then count webtraffic-count
Create the webtraffic routing instance and configure it to forward Web traffic to fe-0/0/1.
[edit routing-instances webtraffic]
user@device# set routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
user@device# set instance-type forwarding
Create a route for non-Web traffic (the route is automatically installed in the inet.0 routing table).
[edit routing-options]
user@device# set static route 0.0.0.0/0 next-hop 203.0.113.2
Create a RIB group called FBF-rib, and configure it so that inet.0 shares interface routes with webtraffic.inet.0. The first table listed under import-rib is the primary table; the remaining tables receive copies of the routes.

[edit routing-options]
user@device# set rib-groups FBF-rib import-rib inet.0
user@device# set rib-groups FBF-rib import-rib webtraffic.inet.0
Associate a routing table group with the routing device’s interfaces, and specify routing table groups into which interface routes are imported.
[edit routing-options]
user@device# set interface-routes rib-group inet FBF-rib
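The steps above only work together if three things line up: every routing-instance named in a filter action exists and is of instance-type forwarding, every static next hop lies on a directly connected subnet, and the RIB group applied to interface-routes imports each instance table that carries such a next hop. Before committing, it is worth checking this with something other than your eyes. The script below is an added example, not a Juniper tool or part of the original page: it parses set-style configuration (the commands of this example are embedded as constructed input), runs those three checks, and shows what the output looks like when the import-rib webtraffic.inet.0 line is missing, the most common mistake with this pattern. The function and variable names (parse, check, FBF_CONFIG, BROKEN) are hypothetical.

```python
import ipaddress

# Constructed input: the "set" commands from this example, not a live device config.
FBF_CONFIG = """
set interfaces fe-0/0/0 unit 0 family inet address 198.51.100.1/24
set interfaces fe-0/0/0 unit 0 family inet filter input webFilter
set interfaces fe-0/0/1 unit 0 family inet address 192.0.2.1/24
set interfaces fe-0/0/2 unit 0 family inet address 203.0.113.1/24
set firewall family inet filter webFilter term 1 from destination-port http
set firewall family inet filter webFilter term 1 from destination-port https
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
set routing-instances webtraffic instance-type forwarding
set routing-options static route 0.0.0.0/0 next-hop 203.0.113.2
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set routing-options interface-routes rib-group inet FBF-rib
"""

# Same config with the line that shares interface routes into webtraffic.inet.0 removed.
BROKEN = "\n".join(l for l in FBF_CONFIG.splitlines() if "webtraffic.inet.0" not in l)


def parse(text):
    """Collect the parts of the FBF pattern from 'set' lines (hypothetical helper)."""
    cfg = {"ifaces": [], "terms": {}, "instances": {},
           "static": {"inet.0": []}, "rib_groups": {}, "iface_rib_group": None}
    for line in text.strip().splitlines():
        w = line.split()
        if not w or w[0] != "set":
            continue
        if w[1] == "interfaces" and "address" in w:
            # Interface address: its subnet becomes a directly connected route.
            cfg["ifaces"].append(ipaddress.ip_interface(w[w.index("address") + 1]))
        elif w[1] == "firewall" and "routing-instance" in w:
            # (filter name, term name) -> instance the term redirects to
            cfg["terms"][(w[5], w[7])] = w[-1]
        elif w[1] == "routing-instances":
            inst = cfg["instances"].setdefault(w[2], {"type": None})
            if w[3] == "instance-type":
                inst["type"] = w[4]
            elif "next-hop" in w:
                cfg["static"].setdefault(w[2] + ".inet.0", []).append(w[-1])
        elif w[1] == "routing-options":
            if w[2] == "static":
                cfg["static"]["inet.0"].append(w[-1])
            elif w[2] == "rib-groups":
                cfg["rib_groups"].setdefault(w[3], []).append(w[-1])
            elif w[2] == "interface-routes":
                cfg["iface_rib_group"] = w[-1]
    return cfg


def check(cfg):
    """Return a list of problems; an empty list means the FBF pattern is consistent."""
    problems = []
    # Tables that receive interface routes through the rib-group applied to interface-routes.
    shared = set(cfg["rib_groups"].get(cfg["iface_rib_group"], []))
    for (filt, term), inst in cfg["terms"].items():
        if inst not in cfg["instances"]:
            problems.append(f"{filt} term {term}: routing-instance {inst} is not defined")
        elif cfg["instances"][inst]["type"] != "forwarding":
            problems.append(f"{inst}: instance-type must be forwarding for FBF")
    for table, hops in cfg["static"].items():
        for hop in hops:
            on_link = any(ipaddress.ip_address(hop) in i.network for i in cfg["ifaces"])
            if not on_link:
                problems.append(f"{table}: next-hop {hop} is not on any configured subnet")
            elif table != "inet.0" and table not in shared:
                # Subnet exists on the box, but this table never learns it.
                problems.append(f"{table}: interface routes are not shared into this table, "
                                f"so next-hop {hop} will not resolve")
    return problems


if __name__ == "__main__":
    print("page config :", check(parse(FBF_CONFIG)))
    print("broken config:", check(parse(BROKEN)))
```

Run it against your own set-format export (show configuration | display set) before commit; on the device itself the equivalent check after commit is show route table webtraffic.inet.0, which must list the 192.0.2.0/24 direct route next to the 0.0.0.0/0 static route.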
Results
From configuration mode, confirm your configuration by entering the show firewall, show routing-instances, show routing-options, and show interfaces commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.
user@device# show interfaces fe-0/0/0
unit 0 {
    family inet {
        filter {
            input webFilter;
        }
        address 198.51.100.1/24;
    }
}
user@device# show interfaces fe-0/0/1
unit 0 {
    family inet {
        address 192.0.2.1/24;
    }
}
user@device# show interfaces fe-0/0/2
unit 0 {
    family inet {
        address 203.0.113.1/24;
    }
}
user@device# show firewall
family inet {
    filter webFilter {
        term 1 {
            from {
                destination-port [ http https ];
            }
            then {
                routing-instance webtraffic;
            }
        }
        term 2 {
            then accept;
        }
    }
}
user@device# show routing-options
interface-routes {
    rib-group inet FBF-rib;
}
static {
    route 0.0.0.0/0 next-hop 203.0.113.2;
}
rib-groups {
    FBF-rib {
        import-rib [ inet.0 webtraffic.inet.0 ];
    }
}
user@device# show routing-instances
webtraffic {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 192.0.2.2;
        }
    }
}