Example: Configuring and Applying Service Filters
This example shows how to configure and apply service filters.
Requirements
This example uses the logical interface xe-0/1/0.0 on any of the following hardware components:
Adaptive Services (AS) PIC on an M Series or T Series router
Multiservices (MS) PIC on an M Series or T Series router
Multiservices (MS) DPC on an MX Series router
EX Series switch
Before you begin, make sure that you have:
Installed your supported router (or switch) and PICs or DPCs and performed the initial router (or switch) configuration.
Configured basic Ethernet in the topology, and verified that traffic is flowing in the topology and that IPv4 traffic is flowing through logical interface xe-0/1/0.0.
Configured the service set vrf_svcs with service input and output rules and default settings for services at a service interface.
For guidelines for configuring service sets, see Configuring Service Sets to be Applied to Services Interfaces.
Overview
In this example, you create three types of service filters for IPv4 traffic: one input service filter, one postservice input filter, and one output service filter. Different service-filters can be applied to the same service-set. See also: Configuring Service Sets to be Applied to Services Interfaces
Topology
You apply the input service filter and the postservice input filter to input traffic at logical interface xe-0/1/0.0, and you apply the output service filter to the output traffic at the same logical interface.
Filtering IPv4 traffic before it is accepted for input service processing—At logical interface xe-0/1/0.0, you use the service filter in_filter_presvc to filter IPv4 input traffic before the traffic can be accepted for processing by the services associated with service set vrf_svcs. The in_filter_presvc service filter counts packets sent from TCP port 179 (the port that Junos names bgp), directs these packets to the input services associated with the service set vrf_svcs, and discards all other packets.
Filtering IPv4 traffic after it has completed input service processing—At logical interface xe-0/1/0.0, you use the service filter in_filter_postsvc to filter traffic that is returning to the services interface after the input services of service set vrf_svcs have been executed. The in_filter_postsvc service filter counts packets sent from TCP port 179 and then skips them; the skip action forwards the packet without any further service processing rather than discarding it.
Filtering IPv4 traffic before it is accepted for output service processing—At logical interface xe-0/1/0.0, you use the service filter out_filter_presvc to filter IPv4 output traffic before the traffic can be accepted for processing by the services associated with service set vrf_svcs. The out_filter_presvc service filter counts packets destined for TCP port 179 and then directs the packets to the output services associated with the service set vrf_svcs. Only TCP and UDP carry port numbers, so the term must match protocol tcp together with destination-port bgp; a term that matches protocol icmp together with a destination port can never be satisfied, and no traffic would reach the output services.
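The following model of service-filter term evaluation is an added illustration and is not Juniper code. It reproduces only the semantics the example above relies on: terms are evaluated in order, every from-condition in a term must hold for the term to match, service and skip are terminating actions, and a packet that matches no term is discarded. It assumes that a port condition can never be satisfied by a protocol that has no port numbers (such as ICMP), which is why the out_filter_presvc term must match protocol tcp. The packets and the filter definitions are constructed for the example.

```python
"""Model of Junos service-filter term evaluation (added illustration, not Juniper code).

Semantics modelled: first matching term wins, all from-conditions are ANDed,
'service' and 'skip' terminate evaluation, and an unmatched packet is discarded.
Assumption: a port condition cannot match a protocol without ports (e.g. ICMP).
Packets and filters below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

BGP_PORT = 179                      # the well-known port that Junos names 'bgp'
PORTED_PROTOCOLS = {"tcp", "udp"}   # the only protocols that carry port numbers


@dataclass(frozen=True)
class Packet:
    protocol: str                   # 'tcp', 'udp' or 'icmp'
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Term:
    name: str
    protocol: Optional[str] = None
    source_port: Optional[int] = None
    destination_port: Optional[int] = None
    action: str = "service"         # terminating action: 'service' or 'skip'
    count: Optional[str] = None     # nonterminating 'count' action

    def matches(self, pkt: Packet) -> bool:
        # Every configured from-condition must hold; an unset one is a wildcard.
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        wants_port = self.source_port is not None or self.destination_port is not None
        if wants_port and pkt.protocol not in PORTED_PROTOCOLS:
            return False            # assumption: no ports, so no port match
        if self.source_port is not None and pkt.src_port != self.source_port:
            return False
        if self.destination_port is not None and pkt.dst_port != self.destination_port:
            return False
        return True


@dataclass
class ServiceFilter:
    name: str
    terms: List[Term]
    counters: Dict[str, int] = field(default_factory=dict)

    def evaluate(self, pkt: Packet) -> str:
        """Return the terminating action taken for pkt: 'service', 'skip' or 'discard'."""
        for term in self.terms:     # first matching term wins
            if term.matches(pkt):
                if term.count is not None:
                    self.counters[term.count] = self.counters.get(term.count, 0) + 1
                return term.action
        return "discard"            # implicit action when no term matches


def run(flt: ServiceFilter, pkts: List[Packet]) -> Dict[str, int]:
    """Tally how many packets receive each terminating action."""
    tally = {"service": 0, "skip": 0, "discard": 0}
    for pkt in pkts:
        tally[flt.evaluate(pkt)] += 1
    return tally


# The three filters of the example; out_filter_presvc matches TCP as it must.
in_filter_presvc = ServiceFilter("in_filter_presvc", [
    Term("t1", protocol="tcp", source_port=BGP_PORT, count="svc_in_pkts")])
in_filter_postsvc = ServiceFilter("in_filter_postsvc", [
    Term("t2", protocol="tcp", source_port=BGP_PORT, action="skip", count="svc_in_pkts_rtn")])
out_filter_presvc = ServiceFilter("out_filter_presvc", [
    Term("t3", protocol="tcp", destination_port=BGP_PORT, count="svc_out_pkts")])
# The same term with 'protocol icmp': the port condition is unsatisfiable.
out_filter_presvc_icmp = ServiceFilter("out_filter_presvc_icmp", [
    Term("t3", protocol="icmp", destination_port=BGP_PORT, count="svc_out_pkts")])

# Constructed traffic mixes: two BGP packets, one DNS packet, one ICMP echo.
INBOUND = [Packet("tcp", BGP_PORT, 51000), Packet("tcp", BGP_PORT, 51001),
           Packet("udp", 53, 53000), Packet("icmp")]
OUTBOUND = [Packet("tcp", 51000, BGP_PORT), Packet("tcp", 51001, BGP_PORT),
            Packet("udp", 53000, 53), Packet("icmp")]

if __name__ == "__main__":
    print("presvc  ", run(in_filter_presvc, INBOUND))         # service 2, discard 2
    print("postsvc ", run(in_filter_postsvc, INBOUND))        # skip 2, discard 2
    print("out tcp ", run(out_filter_presvc, OUTBOUND))       # service 2, discard 2
    print("out icmp", run(out_filter_presvc_icmp, OUTBOUND))  # all 4 discarded
```

Running the block shows the two BGP packets reaching the service set under the TCP term and the svc_out_pkts counter never incrementing under the ICMP variant, which is the symptom you would see on the router with a term that cannot match.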
Configuration
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Use the CLI Editor in Configuration Mode.
To configure this example, perform the following tasks: Configuring the Three Service Filters and Applying the Three Service Filters.
CLI Quick Configuration
To quickly configure this example, copy the following commands into
a text file, remove any line breaks, and then paste the commands into the CLI at the [edit]
hierarchy level.
set firewall family inet service-filter in_filter_presvc term t1 from protocol tcp
set firewall family inet service-filter in_filter_presvc term t1 from source-port bgp
set firewall family inet service-filter in_filter_presvc term t1 then count svc_in_pkts
set firewall family inet service-filter in_filter_presvc term t1 then service
set firewall family inet service-filter in_filter_postsvc term t2 from protocol tcp
set firewall family inet service-filter in_filter_postsvc term t2 from source-port bgp
set firewall family inet service-filter in_filter_postsvc term t2 then count svc_in_pkts_rtn
set firewall family inet service-filter in_filter_postsvc term t2 then skip
set firewall family inet service-filter out_filter_presvc term t3 from protocol tcp
set firewall family inet service-filter out_filter_presvc term t3 from destination-port bgp
set firewall family inet service-filter out_filter_presvc term t3 then count svc_out_pkts
set firewall family inet service-filter out_filter_presvc term t3 then service
set interfaces xe-0/1/0 unit 0 family inet service input service-set vrf_svcs service-filter in_filter_presvc
set interfaces xe-0/1/0 unit 0 family inet service input post-service-filter in_filter_postsvc
set interfaces xe-0/1/0 unit 0 family inet service output service-set vrf_svcs service-filter out_filter_presvc
Configuring the Three Service Filters
Step-by-Step Procedure
To configure the three service filters:
Configure the input service filter.
[edit]
user@host# edit firewall family inet service-filter in_filter_presvc
[edit firewall family inet service-filter in_filter_presvc]
user@host# set term t1 from protocol tcp
user@host# set term t1 from source-port bgp
user@host# set term t1 then count svc_in_pkts
user@host# set term t1 then service
Configure the postservice input filter.
[edit]
user@host# edit firewall family inet service-filter in_filter_postsvc
[edit firewall family inet service-filter in_filter_postsvc]
user@host# set term t2 from protocol tcp
user@host# set term t2 from source-port bgp
user@host# set term t2 then count svc_in_pkts_rtn
user@host# set term t2 then skip
Configure the output service filter.
[edit]
user@host# edit firewall family inet service-filter out_filter_presvc
[edit firewall family inet service-filter out_filter_presvc]
user@host# set term t3 from protocol tcp
user@host# set term t3 from destination-port bgp
user@host# set term t3 then count svc_out_pkts
user@host# set term t3 then service
Results
Confirm the configuration of the input and output service filters and the postservice
input filter by entering the show firewall
configuration mode command. If the command
output does not display the intended configuration, repeat the instructions in this procedure
to correct the configuration.
[edit]
user@host# show firewall
family inet {
    service-filter in_filter_presvc {
        term t1 {
            from {
                protocol tcp;
                source-port bgp;
            }
            then {
                count svc_in_pkts;
                service;
            }
        }
    }
    service-filter in_filter_postsvc {
        term t2 {
            from {
                protocol tcp;
                source-port bgp;
            }
            then {
                count svc_in_pkts_rtn;
                skip;
            }
        }
    }
    service-filter out_filter_presvc {
        term t3 {
            from {
                protocol tcp;
                destination-port bgp;
            }
            then {
                count svc_out_pkts;
                service;
            }
        }
    }
}
Applying the Three Service Filters
Step-by-Step Procedure
To apply the three service filters:
Access the IPv4 protocol family on the logical interface xe-0/1/0.0.
[edit]
user@host# edit interfaces xe-0/1/0 unit 0 family inet
Apply the input service filter and the postservice input filter to input traffic.
[edit interfaces xe-0/1/0 unit 0 family inet]
user@host# set service input service-set vrf_svcs service-filter in_filter_presvc
user@host# set service input post-service-filter in_filter_postsvc
Apply the output service filter to output traffic.
[edit interfaces xe-0/1/0 unit 0 family inet]
user@host# set service output service-set vrf_svcs service-filter out_filter_presvc
Results
Confirm the configuration of the interfaces by entering the show interfaces
configuration mode command. If the command output does not display the intended configuration,
repeat the instructions in this example to correct the configuration.
[edit]
user@host# show interfaces
xe-0/1/0 {
    unit 0 {
        family inet {
            service {
                input {
                    service-set vrf_svcs service-filter in_filter_presvc;
                    post-service-filter in_filter_postsvc;
                }
                output {
                    service-set vrf_svcs service-filter out_filter_presvc;
                }
            }
        }
    }
}
When you are done configuring the device, commit your candidate configuration.
Verification
Confirm that the configuration is working properly.
- Verifying That Inbound Traffic Is Filtered Before Input Service
- Verifying That Inbound Traffic Is Filtered After Input Service Processing
- Verifying That Outbound Traffic Is Filtered Before Output Service Processing
Verifying That Inbound Traffic Is Filtered Before Input Service
Purpose
Verify that inbound packets sent from TCP port 179 are sent for processing by the input services associated with the service set vrf_svcs.
Action
Display the count of packets sent for processing by the input services associated with the service set vrf_svcs. The filter is reported under the name filter-name-service-set-name, and the command is an operational mode command (from configuration mode, prefix it with run).
user@host> show firewall filter in_filter_presvc-vrf_svcs counter svc_in_pkts
Verifying That Inbound Traffic Is Filtered After Input Service Processing
Purpose
Verify that inbound packets sent from TCP port 179 are returned from processing by the input services associated with the service set vrf_svcs.
Action
Display the count of packets returned from processing by the input services associated with the service set vrf_svcs.
user@host> show firewall filter in_filter_postsvc-vrf_svcs counter svc_in_pkts_rtn
Verifying That Outbound Traffic Is Filtered Before Output Service Processing
Purpose
Verify that outbound packets sent to TCP port 179 are sent for processing by the output services associated with the service set vrf_svcs.
Action
Display the count of packets sent for processing by the output services associated with the service set vrf_svcs. A counter that stays at zero while BGP traffic is leaving the interface usually means the term cannot match (for example, a protocol that carries no port numbers combined with a port match).
user@host> show firewall filter out_filter_presvc-vrf_svcs counter svc_out_pkts
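A single counter value proves little; what you want is that each of the three counters is still advancing while traffic flows. The helper below is an added example, not Juniper code: it parses two captures of the show firewall filter output taken a few seconds apart and reports, per counter, whether the packet count increased. The column layout it assumes (Filter:, Counters:, then Name/Bytes/Packets rows) and the captures themselves are constructed for this example, so compare them with the output of your own platform before relying on the parser.

```python
"""Check that the example's service-filter counters are advancing.

Added helper, not Juniper code. Assumes the 'show firewall filter' text layout
Filter: / Counters: / Name Bytes Packets rows; the captures are constructed and
concatenate the output of the three verification commands.
"""
import re
from typing import Dict, Iterable

# One counter row: name, byte count, packet count.
ROW_RE = re.compile(r"^(?P<name>\S+)\s+(?P<bytes>\d+)\s+(?P<packets>\d+)$")


def parse_counters(capture: str) -> Dict[str, Dict[str, int]]:
    """Return {counter_name: {'bytes': n, 'packets': n}} for one capture."""
    counters: Dict[str, Dict[str, int]] = {}
    in_counters = False
    for raw in capture.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            in_counters = False          # a new filter block starts
        elif line.startswith("Counters:"):
            in_counters = True
        elif in_counters and not line.startswith("Name"):
            m = ROW_RE.match(line)
            if m:
                counters[m["name"]] = {"bytes": int(m["bytes"]),
                                       "packets": int(m["packets"])}
    return counters


def counters_advanced(before: str, after: str, names: Iterable[str]) -> Dict[str, bool]:
    """True for each counter whose packet count is higher in 'after' than in 'before'.

    A counter missing from either capture is reported as not advancing, so a
    typo in a filter or counter name is caught rather than silently ignored.
    """
    b, a = parse_counters(before), parse_counters(after)
    return {n: n in b and n in a and a[n]["packets"] > b[n]["packets"] for n in names}


# Constructed captures. The output counter stays flat, which is the symptom of
# a term that can never match (for example protocol icmp with a port match).
BEFORE = """\
Filter: in_filter_presvc-vrf_svcs
Counters:
Name                                                Bytes              Packets
svc_in_pkts                                         24800                  310
Filter: in_filter_postsvc-vrf_svcs
Counters:
Name                                                Bytes              Packets
svc_in_pkts_rtn                                     24800                  310
Filter: out_filter_presvc-vrf_svcs
Counters:
Name                                                Bytes              Packets
svc_out_pkts                                            0                    0
"""
AFTER = """\
Filter: in_filter_presvc-vrf_svcs
Counters:
Name                                                Bytes              Packets
svc_in_pkts                                         26400                  330
Filter: in_filter_postsvc-vrf_svcs
Counters:
Name                                                Bytes              Packets
svc_in_pkts_rtn                                     26400                  330
Filter: out_filter_presvc-vrf_svcs
Counters:
Name                                                Bytes              Packets
svc_out_pkts                                            0                    0
"""

EXPECTED = ("svc_in_pkts", "svc_in_pkts_rtn", "svc_out_pkts")


def check_example() -> Dict[str, bool]:
    """Evaluate the constructed captures against the three expected counters."""
    return counters_advanced(BEFORE, AFTER, EXPECTED)


if __name__ == "__main__":
    for name, ok in check_example().items():
        print(f"{name:18} {'advancing' if ok else 'NOT advancing'}")
```

In use, replace BEFORE and AFTER with the real output of the three show firewall filter commands captured before and after a known burst of BGP traffic; a False for any counter means that path through the service set is not seeing the packets you expect.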