Visitor
atom2ueki

How to test filter based forwarding

Hi,

I have configured an FBF inside an EX4200 lab; here is the configuration:

version 10.4R6.5;
system {
    root-authentication {
        encrypted-password "$1$DeEH2TM2$LaHnzxIJHDSCgJdBpSo220"; ## SECRET-DATA
    }
}
interfaces {
    interface-range BC_IN_Interfaces {
        member-range ge-0/0/0 to ge-0/0/11;
        unit 0 {
            family ethernet-switching;
        }
    }
    interface-range BC_OUT_Interfaces {
        member-range ge-0/0/12 to ge-0/0/17;
        unit 0 {
            family ethernet-switching;
        }
    }
    interface-range LB_OUT_Interfaces {
        member-range ge-0/0/18 to ge-0/0/23;
        unit 0 {
            family ethernet-switching;  
        }
    }
    vlan {
        unit 0 {
            family inet {
                filter {
                    input test_filter;
                }
                address 192.168.1.254/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.10.254/24;
            }
        }
        unit 3 {
            family inet {
                address 192.168.100.254/24;
            }
        }
    }
}                                       
firewall {
    family inet {
        filter test_filter {
            term 1 {
                from {
                    protocol tcp;
                    source-port [ https http 554 ];
                }
                then {
                    routing-instance test_routing;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
}
routing-instances {
    test_routing {
        instance-type forwarding;
        routing-options {
            static {                    
                route 0.0.0.0/0 next-hop 192.168.100.254;
            }
        }
    }
}
vlans {
    BC_IN {
        vlan-id 100;
        interface {
            BC_IN_Interfaces;
        }
        l3-interface vlan.0;
    }
    BC_OUT {
        vlan-id 200;
        interface {
            BC_OUT_Interfaces;
        }
        l3-interface vlan.2;
    }
    LB_OUT {
        vlan-id 300;
        interface {                     
            LB_OUT_Interfaces;
        }
        l3-interface vlan.3;
    }
}

Does anyone have an idea how to test it, whether it can work or not?

Regards,

Tony

Distinguished Expert
Screenie

Re: How to test filter based forwarding

Hmm, start a ping and look with monitor interface to see on which interface the outbound packets counter is increasing?

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

Recognized Expert
erdems

Re: How to test filter based forwarding

Hi,

If you're expecting traffic to be redirected so that the egress interface is going to be vlan.3, you can use a firewall filter with a counter to check the amount of packets:

filter Check-FBF {
    term t1 {
        from {
            source-address {
                172.16.1.1/32;   ## Imagine this is a source that would otherwise (without FBF) use another ifl for egress
            }
            protocol tcp;
            source-port [ https http 554 ];
        }
        then {
            count ct_redirected;
            accept;
        }
    }
    term 2 {
        then accept;
    }
}

Then you go ahead and do:

set interfaces vlan.3 family inet filter output Check-FBF

Hope this helps,

 

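As an added example (not code from any poster in this thread), the Python sketch below models first-match evaluation of the thread's test_filter and Check-FBF to predict which test packets are handed to test_routing and what ct_redirected should read afterwards. The packets are constructed samples, and it assumes that redirected traffic really egresses vlan.3.

```python
from ipaddress import ip_address, ip_network

FBF_PORTS = {80, 443, 554}  # http, https and 554 from the thread's filters
# (term name, match conditions, action); the first matching term wins.
TEST_FILTER = [  # input filter on vlan.0
    ("1", {"protocol": "tcp", "sports": FBF_PORTS}, "routing-instance test_routing"),
    ("2", {}, "accept"),
]
CHECK_FBF = [  # output filter on vlan.3
    ("t1", {"source": "172.16.1.1/32", "protocol": "tcp", "sports": FBF_PORTS},
     "count ct_redirected; accept"),
    ("2", {}, "accept"),
]

def term_matches(cond, pkt):
    """All conditions listed in a term's 'from' must hold (logical AND)."""
    if "protocol" in cond and pkt["protocol"] != cond["protocol"]:
        return False
    if "sports" in cond and pkt.get("sport") not in cond["sports"]:
        return False
    if "source" in cond and ip_address(pkt["src"]) not in ip_network(cond["source"]):
        return False
    return True

def evaluate(terms, pkt):
    """Return (term, action) for the first term that matches the packet."""
    for name, cond, action in terms:
        if term_matches(cond, pkt):
            return name, action
    return None, "discard"  # implicit end of a Junos filter; unreachable here

def predict(pkts):
    """(packets sent to test_routing, expected ct_redirected value).
    Assumption: every redirected packet really leaves through vlan.3."""
    redirected = [p for p in pkts if evaluate(TEST_FILTER, p)[0] == "1"]
    counted = [p for p in redirected if evaluate(CHECK_FBF, p)[0] == "t1"]
    return len(redirected), len(counted)

# Constructed test packets arriving on vlan.0 (not captured traffic).
SAMPLE = [
    {"src": "192.168.1.10", "protocol": "icmp"},                 # ping
    {"src": "192.168.1.10", "protocol": "tcp", "sport": 51000},  # client request
    {"src": "192.168.1.10", "protocol": "tcp", "sport": 80},     # web server reply
    {"src": "172.16.1.1", "protocol": "tcp", "sport": 443},
    {"src": "172.16.1.1", "protocol": "tcp", "sport": 554},
]

if __name__ == "__main__":
    print([evaluate(TEST_FILTER, p)[0] for p in SAMPLE], predict(SAMPLE))
```

Comparing the predicted count with the value reported by `show firewall filter Check-FBF` after sending the same traffic shows whether the redirect took effect.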
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.