Example: Configuring a Stateless Firewall Filter on an Interface Group

Firewall filters are essential for securing a network and simplifying network management. In Junos OS, you can configure stateless firewall filters to control the transit of data packets through the system and to manipulate packets as necessary. Applying a stateless firewall filter to an interface group filters packets transiting every interface in that group with a single filter. This example shows how to configure a standard stateless firewall filter whose match condition is the interface group on which a packet was received.

Requirements

This example uses the following hardware and software components:

  • Any two Juniper Networks routers or switches that are physically or logically connected to each other through interfaces belonging to a routing instance

  • Junos OS Release 7.4 or later

Overview

You can apply a stateless firewall filter to an interface group to apply it across all the interfaces in the interface group. This helps you to manage the packet filtering on various interfaces simultaneously.

In this example, you configure two router or switch interfaces to belong to the interface group. You also configure a stateless firewall filter with three terms. In term term1, the filter matches packets that were received on an interface in that interface group and carry the ICMP protocol. The filter counts, logs, and rejects packets that match both conditions. In term term2, the filter matches any packet carrying the ICMP protocol, regardless of the ingress interface. The filter counts, logs, and accepts those packets. In term term3, which has no match conditions, the filter counts all remaining transit packets. Term order matters: Junos OS evaluates terms from the top, and a packet stops at the first term it matches, so term1 (the more specific, rejecting term) must precede term2, or ICMP arriving on the interface group would be accepted by term2 before term1 is ever reached.

By applying the firewall filter to the routing instance, you can simultaneously apply the filtering mechanism on all the interfaces in the interface group. For this to happen, all the interfaces in the interface group must belong to a single routing instance.

Note:

When you apply a firewall filter to a loopback interface, the interface filters all the packets destined to the Routing Engine.

Figure 1: Configuring a Stateless Firewall Filter on an Interface Group

CLI Quick Configuration shows the configuration for all of the devices in Figure 1. The section Step-by-Step Procedure describes the steps on Device R1.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Device R0

Device R1

Configure and Apply the Stateless Firewall Filter on an Interface Group

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the stateless firewall filter filter_if_group on an interface group:

  1. Create the stateless firewall filter filter_if_group.

  2. Configure the interfaces and assign two interfaces to interface group 1.

  3. Configure term term1 to match packets received on interface group 1 and with the ICMP protocol.

  4. Configure term term1 to count, log, and reject all the matching packets.

  5. Configure term term2 to match packets with the ICMP protocol.

  6. Configure term term2 to count, log, and accept all the matching packets.

  7. Configure term term3 to count all the transit packets.

  8. Apply the firewall filter to the router’s (or switch’s) interface group by applying it to the routing instance.

  9. If you are done configuring the device, commit your candidate configuration.
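The following Device R1 configuration is an added, complete example of steps 1 through 9, not the page's own CLI Quick Configuration (which is not reproduced here). The interface names ge-0/0/0 and ge-0/0/2 come from the verification section; the IPv4 addresses, the counter names, the third interface ge-0/0/1 used as the non-group interface, and the use of the default routing instance are assumptions made for this example.

```junos
# Added example (not from the original page): Device R1 candidate configuration.
# Assumed: addresses, counter names, ge-0/0/1 as a non-group interface, and
# that all three interfaces live in the default routing instance.

# Step 2: interfaces; ge-0/0/0 and ge-0/0/2 are tagged as members of interface group 1
set interfaces ge-0/0/0 unit 0 family inet interface-group 1
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.1/30
set interfaces ge-0/0/2 unit 0 family inet interface-group 1
set interfaces ge-0/0/2 unit 0 family inet address 10.0.1.1/30
# assumed third interface that is NOT in the group, so term2 can be exercised
set interfaces ge-0/0/1 unit 0 family inet address 10.0.2.1/30

# Steps 1, 3, 4: term1 - ICMP received on a group interface is counted, logged,
# and rejected (reject returns an ICMP unreachable to the sender; use discard
# instead if you prefer silent drops that reveal nothing about filtering)
set firewall family inet filter filter_if_group term term1 from interface-group 1
set firewall family inet filter filter_if_group term term1 from protocol icmp
set firewall family inet filter filter_if_group term term1 then count count_icmp_group
set firewall family inet filter filter_if_group term term1 then log
set firewall family inet filter filter_if_group term term1 then reject

# Steps 5, 6: term2 - ICMP from any other ingress interface is counted, logged,
# and accepted. It must come after term1: evaluation stops at the first match.
set firewall family inet filter filter_if_group term term2 from protocol icmp
set firewall family inet filter filter_if_group term term2 then count count_icmp_other
set firewall family inet filter filter_if_group term term2 then log
set firewall family inet filter filter_if_group term term2 then accept

# Step 7: term3 - no from clause, so every remaining packet matches and is counted.
# With no terminating action in the term, a matching packet is accepted.
set firewall family inet filter filter_if_group term term3 then count count_all

# Step 8: apply the filter to the routing instance as a forwarding-table input
# filter; it then covers every interface in the instance, including the group.
set forwarding-options family inet filter input filter_if_group

# Step 9
commit
```

The `#` lines are explanatory; remove them if your paste method does not accept comment lines. Because the filter is attached to the routing instance rather than to individual interfaces, the interface-group membership on each unit is what decides whether a packet reaches term1 or falls through to term2, so adding an interface to the group later changes its treatment without touching the filter.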

Results

From configuration mode, confirm your configuration by issuing the show interfaces, show firewall, and show forwarding-options commands. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.

Verification

Confirm that the configuration is working properly.

Verifying the Configuration of the Interfaces

Purpose

Verify that the interfaces are properly configured.

Action

To display the state of the interfaces, use the show interfaces terse operational mode command.

Device R0

Device R1

Meaning

All the interfaces on Devices R0 and R1 are physically connected and up. The interface group 1 on Device R1 consists of two interfaces, namely ge-0/0/0.0 and ge-0/0/2.0.

Verifying Stateless Firewall Filter Configuration

Purpose

Verify that the firewall filter match conditions are configured properly.

Action

  • To display the firewall filter counters, enter the show firewall filter filter_if_group operational mode command.

  • To display the local log of packet headers for packets evaluated by the firewall filter, enter the show firewall log operational mode command.

  • To make sure that the firewall filter is active on interface group 1 on Device R1, use the ping <address> operational mode command on the CLI of Device R0, targeting an address reached through an interface in interface group 1. The ping should fail (term1 rejects the packets), and the term1 counter in show firewall filter filter_if_group should increase.

  • To make sure that the firewall filter is not applied on an interface that is not in interface group 1, use the ping <address> operational mode command on the CLI of Device R0, targeting an address reached through an interface outside the group. The ping should succeed, and the term2 counter should increase instead.

Meaning

The stateless firewall filter is applied to all interfaces in interface group 1. Term term1 counts, logs, and rejects ICMP packets that are received on an interface in interface group 1. Term term2 matches ICMP packets received on any other interface and counts, logs, and accepts them. Term term3 counts all remaining transit packets. If term1 shows no matches while term2 keeps counting ICMP, check that the terms are in this order and that each intended interface unit actually carries the interface-group 1 statement.