Applying Forwarding Table Filters
A forwarding table filter allows you to filter data packets based on their components and perform an action on packets that match the filter. You can apply a filter on the ingress or egress packets of a forwarding table. You configure the filter at the [edit firewall family family-name] hierarchy level; for more information, see Configuring Forwarding Table Filters.
To apply a forwarding table filter on ingress packets of a forwarding table, include the filter and input statements at the [edit forwarding-options family family-name] hierarchy level:
[edit forwarding-options family family-name]
filter {
    input filter-name;
}
You can filter based upon destination-class information by applying a firewall filter on the egress packets of the forwarding table. By applying firewall filters to packets that have been forwarded by a routing table, you can match based on certain parameters that are decided by the route lookup. For example, routes can be classified into specific destination and source classes. Firewall filters used for policing and mirroring are able to match based upon these classes.
To apply a firewall filter on egress packets of a forwarding table, include the filter and output statements at the [edit forwarding-options family family-name] hierarchy level:
[edit forwarding-options family family-name]
filter {
    output filter-name;
}
You cannot have a firewall filter that includes an interface-group match condition if you are also using an egress forwarding table filter. This is because the interface-group match condition uses the logical interface on which the packet was received to match the interface group (or set of interface groups), while the forwarding table filters apply only to local host traffic and transit packets.
To apply a forwarding table filter to a flood table, include the flood and input statements at the [edit forwarding-options family family-name] hierarchy level as shown below. The flood statement is valid for the vpls protocol family only.
[edit forwarding-options family vpls]
flood {
    input filter-name;
}
On the MX Series router only, to apply a forwarding table filter for a virtual switch, include the filter and input statements at the [edit routing-instances routing-instance-name bridge-domains bridge-domain-name forwarding-options] hierarchy level:
[edit routing-instances routing-instance-name bridge-domains bridge-domain-name forwarding-options]
filter {
    input filter-name;
}
For more information about how to configure a virtual switch, see the Junos OS Layer 2 Switching and Bridging Library for Routing Devices.
On MX Series 3D Universal Edge Routers, you can apply a forwarding table filter by using the source-checking statement at the [edit forwarding-options family inet6] hierarchy level:
[edit forwarding-options family inet6]
source-checking;
This discards IPv6 packets when the source address type is unspecified, loopback, multicast or link-local.
RFC 4291, IP Version 6 Addressing Architecture, refers to four address types that require special treatment when they are used as source addresses. The four address types are:
Unspecified
Loopback
Multicast
Link-Local Unicast
The loopback and multicast addresses must never be used as a source address in IPv6 packets. The unspecified and link-local addresses can be used as source addresses but routers must never forward packets that have these addresses as source addresses. Typically, packets that contain unspecified or link-local addresses as source addresses are delivered to the local host. If the destination is not the local host, then the packet must not be forwarded. Configuring this statement filters or discards IPv6 packets of these four address types.
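Before enabling source-checking, it helps to know how much existing traffic carries one of these four source types. The following is an added example, not Juniper code: it classifies IPv6 source addresses by the RFC 4291 prefixes (::/128, ::1/128, ff00::/8, fe80::/10) and reports which constructed sample flow records would be discarded. The record format and function names are assumptions, and the prefixes come from the RFC rather than from the router's implementation.

```python
import ipaddress
from collections import Counter

# RFC 4291 source-address types that the page says source-checking discards.
SPECIAL_SOURCES = (
    ("unspecified", ipaddress.ip_network("::/128")),
    ("loopback", ipaddress.ip_network("::1/128")),
    ("multicast", ipaddress.ip_network("ff00::/8")),
    ("link-local", ipaddress.ip_network("fe80::/10")),
)

def classify_source(addr):
    """Return the RFC 4291 special type of an IPv6 source address, or None."""
    ip = ipaddress.IPv6Address(addr)  # raises AddressValueError if not IPv6
    for name, net in SPECIAL_SOURCES:
        if ip in net:
            return name
    return None

def audit(records):
    """Return (would-drop findings, per-type counts) for (src, dst) records."""
    findings, counts = [], Counter()
    for src, dst in records:
        try:
            kind = classify_source(src)
        except ipaddress.AddressValueError:
            counts["unparseable"] += 1  # e.g. an IPv4 record in a mixed export
            continue
        if kind:
            findings.append((src, dst, kind))
            counts[kind] += 1
    return findings, counts

# Constructed sample flow records (source, destination); not real traffic.
SAMPLE = [
    ("2001:db8:1::10", "2001:db8:2::20"),  # ordinary global unicast
    ("::", "2001:db8:2::20"),              # unspecified
    ("::1", "2001:db8:2::20"),             # loopback
    ("ff02::1", "2001:db8:2::20"),         # multicast used as a source
    ("fe80::1", "2001:db8:2::20"),         # link-local
    ("febf::1", "2001:db8:2::20"),         # top of fe80::/10, still link-local
    ("fec0::1", "2001:db8:2::20"),         # just outside fe80::/10
    ("192.0.2.1", "2001:db8:2::20"),       # not IPv6; counted, not classified
]

if __name__ == "__main__":
    findings, counts = audit(SAMPLE)
    for src, dst, kind in findings:
        print(f"would drop: {src} -> {dst} ({kind} source)")
    print(dict(counts))
```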
The egress forwarding table filter is applied on the ingress interface of the FPC. If different packets to the same destination arrive on different FPCs, they might encounter different policers.
You cannot configure this output statement for VPLS. You can continue to configure ingress forwarding table filters with the input statement at the [edit forwarding-options family vpls filter] hierarchy level.