Junos

How to test filter based forwarding

‎12-21-2011 12:25 AM

Hi,

 

I have configured FBF inside an EX4200 lab; here is the configuration:

 

version 10.4R6.5;
system {
    root-authentication {
        encrypted-password "$1$DeEH2TM2$LaHnzxIJHDSCgJdBpSo220"; ## SECRET-DATA
    }
}
interfaces {
    interface-range BC_IN_Interfaces {
        member-range ge-0/0/0 to ge-0/0/11;
        unit 0 {
            family ethernet-switching;
        }
    }
    interface-range BC_OUT_Interfaces {
        member-range ge-0/0/12 to ge-0/0/17;
        unit 0 {
            family ethernet-switching;
        }
    }
    interface-range LB_OUT_Interfaces {
        member-range ge-0/0/18 to ge-0/0/23;
        unit 0 {
            family ethernet-switching;  
        }
    }
    vlan {
        unit 0 {
            family inet {
                filter {
                    input test_filter;
                }
                address 192.168.1.254/24;
            }
        }
        unit 2 {
            family inet {
                address 192.168.10.254/24;
            }
        }
        unit 3 {
            family inet {
                address 192.168.100.254/24;
            }
        }
    }
}                                       
firewall {
    family inet {
        filter test_filter {
            term 1 {
                from {
                    protocol tcp;
                    source-port [ https http 554 ];
                }
                then {
                    routing-instance test_routing;
                }
            }
            term 2 {
                then accept;
            }
        }
    }
}
routing-instances {
    test_routing {
        instance-type forwarding;
        routing-options {
            static {                    
                route 0.0.0.0/0 next-hop 192.168.100.254;
            }
        }
    }
}
vlans {
    BC_IN {
        vlan-id 100;
        interface {
            BC_IN_Interfaces;
        }
        l3-interface vlan.0;
    }
    BC_OUT {
        vlan-id 200;
        interface {
            BC_OUT_Interfaces;
        }
        l3-interface vlan.2;
    }
    LB_OUT {
        vlan-id 300;
        interface {                     
            LB_OUT_Interfaces;
        }
        l3-interface vlan.3;
    }
}

 

Does anyone have an idea how to test it, whether it can work or not?

 

regards,

Tony

2 REPLIES

Re: How to test filter based forwarding

‎12-21-2011 02:20 PM

Hmm, start a ping and look with monitor interface on which interface the outbound packets counter is increasing?

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI


Re: How to test filter based forwarding

‎12-21-2011 02:36 PM

 

Hi,

 

 If you're expecting traffic to be redirected so that the egress interface is going to be vlan.3, you can use a firewall filter with a counter to check the amount of packets:

 

 

filter Check-FBF {
    term t1 {
        from {
            source-address {
                172.16.1.1/32;   # Imagine this is a source that, without FBF, would use another ifl for egress
            }
            protocol tcp;
            source-port [ https http 554 ];
        }
        then {
            count ct_redirected;   # counter to read back after sending test traffic
            accept;
        }
    }
    term 2 {
        then accept;
    }
}

 

 

 Then you go ahead and do:

 

 

set interfaces vlan.3 family inet filter output Check-FBF

 

 Hope this helps,

 

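An added example, not part of any post in this thread: a small Python model of test_filter as posted in the question, used to decide which test flows should and should not be sent to the test_routing instance before reading any counters. The Packet class, lookup_table helper and the flow list are constructed for illustration; 443 and 80 are the standard port numbers behind the https and http names.

```python
from dataclasses import dataclass

# Ports from "source-port [ https http 554 ]" in term 1 of test_filter.
REDIRECT_SRC_PORTS = {443, 80, 554}
FILTER_IFL = "vlan.0"   # test_filter is applied only as "input" on vlan unit 0


@dataclass
class Packet:
    ingress: str        # logical interface the packet arrives on
    proto: str          # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0


def lookup_table(pkt: Packet) -> str:
    """Return the routing table the posted config selects for this packet."""
    if pkt.ingress != FILTER_IFL:
        return "inet.0"                      # filter is never evaluated
    # term 1: conditions inside "from" are ANDed, values in a list are ORed
    if pkt.proto == "tcp" and pkt.src_port in REDIRECT_SRC_PORTS:
        return "test_routing.inet.0"         # then routing-instance test_routing
    return "inet.0"                          # term 2: then accept


# Constructed test flows (hypothetical names and port values)
TEST_FLOWS = {
    "icmp ping, in on vlan.0":          Packet("vlan.0", "icmp"),
    "tcp client to dst 80, vlan.0":     Packet("vlan.0", "tcp", 49152, 80),
    "tcp reply from src 80, vlan.0":    Packet("vlan.0", "tcp", 80, 49152),
    "tcp from src 554, vlan.0":         Packet("vlan.0", "tcp", 554, 49152),
    "udp from src 554, vlan.0":         Packet("vlan.0", "udp", 554, 49152),
    "tcp from src 443, in on vlan.2":   Packet("vlan.2", "tcp", 443, 49152),
}


def plan() -> dict:
    """Map each test flow to the table it is expected to be looked up in."""
    return {name: lookup_table(p) for name, p in TEST_FLOWS.items()}


if __name__ == "__main__":
    for name, table in plan().items():
        print(f"{name:32s} -> {table}")
```

Flows that map to test_routing.inet.0 are the positive test cases; the rest are negative cases that should still follow the default table.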