Contributor
Posts: 19
Registered: ‎06-12-2017
0 Kudos

Filter packets.

What happens when ping packets are sent to the management interface address of the local router?

 

[edit firewall family inet]
user@routers# show
filter protect-RE-1 {
     term 1 {
          from {
               protocol igmp;
          }
          then accept;
     }
}
filter protect-RE-2 {
     term 1 {
          from {
               protocol icmp;
          }
          then accept;
     }
}

[edit interfaces lo0]
user@routers# show
unit 0 {
     family inet {
          filter {
               input-list [ protect-RE-1 protect-RE-2 ];
          }
          address 192.168.2.1/32;
     }
}

[edit interfaces ge-0/0/0]
user@routers# show
description "Management Interface";
unit 0 {
     family inet {
          address 172.25.11.2/24;
     }
}

Distinguished Expert
Posts: 575
Registered: ‎08-15-2012
0 Kudos

Re: Filter packets.

Hi, 

 

Traffic destined to the router/interfaces on the router is processed by the RE, and filters applied on lo0 protect the control plane, i.e. the RE. Filters applied on lo0 will thus be processed in the order they are applied.

In this case, the ICMP packet will be processed by the protect-RE-1 filter and, if matched, accepted with no further filter processing [exit firewall filter evaluation].

If there is no match, the next filter will be evaluated.

 

Cheers,

Ashvin

Contributor
Posts: 19
Registered: ‎06-12-2017
0 Kudos

Re: Filter packets.

I hope you will understand me; I want to know about the result, bro. When ping packets are sent to the management interface address of the local router, what will happen?

1- ICMP error message is returned?

2- Ping packets are silently discarded?

3- ICMP redirect message is returned?

 

 

Distinguished Expert
Posts: 575
Registered: ‎08-15-2012
0 Kudos

Re: Filter packets.

Hi, 

 

For ping packets [ICMP Echo request], filter protect-RE-1 is evaluated first and there is no match since the condition is igmp; then filter protect-RE-2 is evaluated and the packet is accepted by the filter. This allows processing by the RE, which normally generates an ICMP Echo reply, i.e. a ping reply back to the source.

 

Result = Ping successful.

 

Cheers,

Ashvin
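
The evaluation order described in the replies above, as an added example that is not part of the original thread and is not Junos code: a simplified Python model of how the lo0 input-list chains the two filters and ends in an implicit discard. The function names and the sample traffic are constructed for illustration, and only the protocol match condition is modelled.

```python
# Simplified model of Junos input-list evaluation (added illustration, not Junos code).
# Only the "protocol" match condition and the accept/discard actions are modelled.

# The two filters from the thread, as (term name, matched protocol, action) tuples.
FILTERS = {
    "protect-RE-1": [("1", "igmp", "accept")],
    "protect-RE-2": [("1", "icmp", "accept")],
}
INPUT_LIST = ["protect-RE-1", "protect-RE-2"]  # order as applied on lo0 unit 0


def evaluate(protocol, input_list=INPUT_LIST, filters=FILTERS):
    """Return (action, filter, term) for a packet destined to the RE."""
    for fname in input_list:
        for term, match_proto, action in filters[fname]:
            if protocol == match_proto:
                # Terminating action: no later term or filter is evaluated.
                return action, fname, term
        # No term matched: fall through to the next filter in the list.
    # End of the list: implicit discard, the packet is dropped silently.
    return "discard", None, "implicit"


def report(packets):
    """Evaluate constructed sample packets and return one line per packet."""
    lines = []
    for desc, proto in packets:
        action, fname, term = evaluate(proto)
        where = f"{fname} term {term}" if fname else "implicit discard at end of list"
        lines.append(f"{desc:<24} {proto:<5} -> {action:<8} ({where})")
    return lines


# Constructed sample traffic addressed to the router itself.
SAMPLE = [
    ("ping to 172.25.11.2", "icmp"),
    ("IGMP membership query", "igmp"),
    ("SSH to 172.25.11.2", "tcp"),
    ("OSPF hello", "ospf"),
]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

With this filter list, everything addressed to the RE other than IGMP and ICMP, including SSH and routing protocols, reaches the implicit discard at the end of the list.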