Junos

Filter packets.

‎08-10-2017 08:33 AM

What happens when ping packets are sent to the management interface address of the local router?

 

[edit firewall family inet]
user@routers# show
filter protect-RE-1 {
     term 1 {
          from {
               protocol igmp;
          }
          then accept;
     }
}
filter protect-RE-2 {
     term 1 {
          from {
               protocol icmp;
          }
          then accept;
     }
}

[edit interfaces lo0]
user@routers# show
unit 0 {
     family inet {
          filter {
               input-list [ protect-RE-1 protect-RE-2 ];
          }
          address 192.168.2.1/32;
     }
}

[edit interfaces ge-0/0/0]
user@routers# show
description "Management Interface";
unit 0 {
     family inet {
          address 172.25.11.2/24;
     }
}

3 REPLIES

Re: Filter packets.

‎08-10-2017 09:57 PM

Hi, 

 

Traffic destined to the router/interfaces on the router is processed by the RE, and filters applied on lo0 protect the control plane, i.e. the RE. Filters applied on lo0 will thus be processed in the order they are applied.

In this case, the ICMP packet will be processed by the protect-RE-1 filter and, if matched, accepted with no further filter processing [exit firewall filter evaluation].

If there is no match, the next filter will be evaluated.

 

Cheers,

Ashvin


Re: Filter packets.

‎08-11-2017 05:18 AM

I hope you will understand me; I want to know about the result, bro. When ping packets are sent to the management interface address of the local router, what will happen?

 

1- ICMP error message is returned?

2- Ping packets are silently discarded?

3- ICMP redirect message is returned?

 

 


Re: Filter packets.

‎08-11-2017 06:03 AM

Hi, 

 

For ping packets [ICMP Echo request], filter protect-RE-1 is evaluated first and there is no match since the condition is igmp; then filter protect-RE-2 is evaluated and the packet is accepted by the filter. This allows processing by the RE, which normally generates an ICMP Echo reply, i.e. a ping reply back to the source.

 

Result = Ping successful.

 

Cheers,

Ashvin
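
An added example, not part of the thread: a small Python model of the filter-list evaluation the replies describe, run against the two filters from the question. It models only the `protocol` match and terminating actions, the sample packets are constructed, and it also shows that anything other than IGMP and ICMP sent to the RE (SSH, OSPF) reaches the implicit discard at the end of the list.

```python
# Added illustration: a simplified model of how Junos evaluates a firewall
# filter list (input-list). Only the "protocol" match condition and the
# terminating actions accept/discard/reject are modelled.

IMPLICIT = ("discard", "implicit default at end of list")

# The two filters from the question, as (term name, match conditions, action).
FILTERS = {
    "protect-RE-1": [("1", {"protocol": {"igmp"}}, "accept")],
    "protect-RE-2": [("1", {"protocol": {"icmp"}}, "accept")],
}
LO0_INPUT_LIST = ["protect-RE-1", "protect-RE-2"]


def term_matches(conditions, packet):
    """A term with no 'from' conditions matches every packet."""
    return all(packet.get(field) in allowed
               for field, allowed in conditions.items())


def evaluate(input_list, filters, packet):
    """Return (action, where) for a packet destined to the RE.

    Filters run in list order; terms run top to bottom. The first matching
    term's terminating action ends evaluation. A packet that matches no term
    in one filter falls through to the next filter; the implicit discard
    applies only after the last filter in the list.
    """
    for name in input_list:
        for term, conditions, action in filters[name]:
            if term_matches(conditions, packet):
                return action, f"{name} term {term}"
    return IMPLICIT


# Constructed sample packets addressed to the router itself.
SAMPLES = {
    "ping to 172.25.11.2": {"protocol": "icmp", "dst": "172.25.11.2"},
    "igmp report": {"protocol": "igmp", "dst": "224.0.0.1"},
    "ssh to 172.25.11.2": {"protocol": "tcp", "dst": "172.25.11.2", "dport": 22},
    "ospf hello": {"protocol": "ospf", "dst": "224.0.0.5"},
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        action, where = evaluate(LO0_INPUT_LIST, FILTERS, pkt)
        print(f"{label:22} -> {action:8} ({where})")
```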