Juniper policy based filter based forwarding


1. Juniper Policy based Filter based Forwarding

   Juniper's FBF implementation breaks into 2 parts:

   1. Firewall filter: direct filtered packets to a specific routing instance. The filter is applied to an interface in the input or output direction.
   2. Construction of the routing instance: use an import policy to choose specific routes into specific routing instances.

   Part 1. Firewall filter: direct filtered packets to a specific routing instance (filter applied to an interface, input/output direction)

   Config elements: filter, match condition, action.
2. Applying the filter to an interface (input/output direction)

   Filter match conditions (Junos CLI help output; `>` marks a keyword that opens a sub-hierarchy, `+` one that accepts multiple values):

   ```
   > address                  Match IP source or destination address
   + ah-spi                   Match IPSec AH SPI value
   + ah-spi-except            Do not match IPSec AH SPI value
   + apply-groups             Groups from which to inherit configuration data
   + apply-groups-except      Don't inherit configuration data from these groups
   > destination-address      Match IP destination address
   + destination-class        Match destination class
   + destination-class-except Do not match destination class
   + destination-port         Match TCP/UDP destination port
   + destination-port-except  Do not match TCP/UDP destination port
   > destination-prefix-list  Match IP destination prefixes in named list
   + dscp                     Match Differentiated Services (DiffServ) code point (DSCP)
   + dscp-except              Do not match Differentiated Services (DiffServ) code point (DSCP)
   + esp-spi                  Match IPSec ESP SPI value
   + esp-spi-except           Do not match IPSec ESP SPI value
     first-fragment           Match if packet is the first fragment
   + forwarding-class         Match forwarding class
   + forwarding-class-except  Do not match forwarding class
     fragment-flags           Match fragment flags
   + fragment-offset          Match fragment offset
   + fragment-offset-except   Do not match fragment offset
   + icmp-code                Match ICMP message code
   + icmp-code-except         Do not match ICMP message code
   + icmp-type                Match ICMP message type
   + icmp-type-except         Do not match ICMP message type
   ```

3. Filter match conditions (continued) and filter actions

   ```
   + interface-group          Match interface group
   + interface-group-except   Do not match interface group
   + ip-options               Match IP options
   + ip-options-except        Do not match IP options
     is-fragment              Match if packet is a fragment
   + packet-length            Match packet length
   + packet-length-except     Do not match packet length
   + port                     Match TCP/UDP source or destination port
   + port-except              Do not match TCP/UDP source or destination port
   + precedence               Match IP precedence value
   + precedence-except        Do not match IP precedence value
   > prefix-list              Match IP source or destination prefixes in named list
   + protocol                 Match IP protocol type
   + protocol-except          Do not match IP protocol type
   > source-address           Match IP source address
   + source-class             Match source class
   + source-class-except      Do not match source class
   + source-port              Match TCP/UDP source port
   + source-port-except       Do not match TCP/UDP source port
   > source-prefix-list       Match IP source prefixes in named list
     tcp-established          Match packet of an established TCP connection
     tcp-flags                Match TCP flags
     tcp-initial              Match initial packet of a TCP connection
   ```

   Filter actions:

   ```
     accept                   Accept the packet
   + apply-groups             Groups from which to inherit configuration data
   + apply-groups-except      Don't inherit configuration data from these groups
     count                    Count the packet in the named counter
   > discard                  Discard the packet
     forwarding-class         Classify packet to forwarding class
     ipsec-sa                 Use specified IPSec security association
     load-balance             Use specified load balancing group
     log                      Log the packet
   > logical-router           Use specified logical router
     loss-priority            Packet loss priority
     next                     Continue to next term in a filter
   ```

4. Filter actions (continued)

   ```
     next-hop-group           Use specified next-hop group
     policer                  Police the packet using the named policer
     port-mirror              Port-mirror the packet
     prefix-action            Police or count packets using named prefix action
   > reject                   Reject the packet
     routing-instance         Use specified routing instance
     sample                   Sample the packet
     syslog                   System log (syslog) information about the packet
   ```

   Part 2. Construction of the routing instance: use an import policy to choose specific routes into specific routing instances.
5. Step 1: import all BGP routes into rib-group peer

   ```junos
   protocols {
       bgp {
           family inet {
               unicast {
                   rib-group peer;   /* 1. import ALL BGP routes (Adj-RIB-in) into the rib-group */
               }
           }
           group ibgp {
               type internal;
               family inet {
                   unicast;
               }
               family inet-vpn {
                   unicast;
               }
               neighbor 1.1.1.1;
           }
       }
   }
   ```

   Note: Adj-RIB-in is unlike the local RIB. The local RIB holds only the BEST routes; Adj-RIB-in has not been processed by the route selection rules, so the rib-group receives every route the peer advertised.

   Step 2: choose specific routes into specific routing instances

6. Rib-group and import policy

   ```junos
   routing-options {
       interface-routes {
           rib-group inet peer;        /* (1) put direct routes into rib-group peer */
       }
       rib-groups {                    /* (2) put rib-group peer routes into inet.0, p1.inet.0, p2.inet.0 */
           peer {
               import-rib [ inet.0 p1.inet.0 p2.inet.0 ];
               import-policy peer;     /* (3) filter specific routes into the routing instances */
           }
       }
   }
   /* The slide shows only the terms; the policy-options / policy-statement
      wrapper is implied by "import-policy peer" above. */
   policy-options {
       policy-statement peer {
           term p1 {
               from {
                   protocol bgp;
                   community r5;
               }
               to rib p1.inet.0;
               then {
                   local-preference 110;
                   accept;
               }
           }
           term p2 {
               from {
                   protocol bgp;
                   community r6;
               }
               to rib p2.inet.0;
               then {
                   local-preference 120;
                   accept;
               }
           }
       }
   }
   ```

   Routing policy match conditions (from):

   ```
     aggregate-contributor    Match more specifics of an aggregate
   ```
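The slides show the rib-group half of the scheme but never the firewall-filter half. The following is an added example, not configuration from the slides, that ties both halves together: a filter with `routing-instance` actions, the filter applied in the input direction, two forwarding-type instances, and the rib-group so the instances have routes to forward with. Filter name `FBF-IN`, prefix lists `CUST-A`/`CUST-B`, interface `ge-0/0/0`, the 10.1.0.0/16, 10.2.0.0/16 and 192.0.2.1/24 addresses, and the counter names are assumptions; instance names `p1`/`p2` and rib-group `peer` follow the slides.

```junos
/* Added example (not from the slides). All names and addresses here are
   assumptions; p1, p2 and rib-group peer match the slide configuration. */
policy-options {
    prefix-list CUST-A {
        10.1.0.0/16;
    }
    prefix-list CUST-B {
        10.2.0.0/16;
    }
}
firewall {
    family inet {
        filter FBF-IN {
            term to-p1 {
                from {
                    source-prefix-list {
                        CUST-A;
                    }
                }
                then {
                    count fbf-p1;            /* counter: verify with show firewall */
                    routing-instance p1;     /* look up this packet in p1.inet.0 */
                }
            }
            term to-p2 {
                from {
                    source-prefix-list {
                        CUST-B;
                    }
                }
                then {
                    count fbf-p2;
                    routing-instance p2;
                }
            }
            term default {
                then accept;                 /* everything else stays in inet.0 */
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input FBF-IN;            /* Part 1: filter applied on ingress */
                }
                address 192.0.2.1/24;
            }
        }
    }
}
routing-instances {
    p1 {
        instance-type forwarding;            /* forwarding-only table p1.inet.0 */
    }
    p2 {
        instance-type forwarding;            /* forwarding-only table p2.inet.0 */
    }
}
routing-options {
    interface-routes {
        rib-group inet peer;                 /* direct routes so next hops resolve in p1/p2 */
    }
    rib-groups {
        peer {
            import-rib [ inet.0 p1.inet.0 p2.inet.0 ];
            import-policy peer;              /* Part 2: policy-statement peer from the slide */
        }
    }
}
```

After committing, `show route table p1.inet.0` and `show route table p2.inet.0` should list the direct routes plus the BGP routes the policy admitted; if either table is missing the direct routes, the forwarding instance cannot resolve next hops and packets steered into it by the filter are dropped. `show firewall filter FBF-IN` shows the per-term counters, which is the quickest way to confirm that traffic from each prefix list is actually hitting the intended term before checking the forwarding path.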
7. Routing policy match conditions (from), continued

   ```
   + apply-groups             Groups from which to inherit configuration data
   + apply-groups-except      Don't inherit configuration data from these groups
     area                     OSPF area identifier
   + as-path                  Name of AS path regular expression (BGP only)
   + as-path-group            Name of AS path group (BGP only)
     color                    Color (preference) value
     color2                   Color (preference) value 2
   + community                BGP community
   > external                 External route
     family
     instance                 Routing protocol instance
   + interface                Interface name or address
     level                    IS-IS level
     local-preference         Local preference associated with a route
     metric                   Metric value
     metric2                  Metric value 2
     metric3                  Metric value 3
     metric4                  Metric value 4
   + neighbor                 Neighboring router
   + next-hop                 Next-hop router
     origin                   BGP origin attribute
   + policy                   Name of policy to evaluate
     preference               Preference value
     preference2              Preference value 2
   > prefix-list              List of prefix-lists of routes to match
   + protocol                 Protocol from which route was learned
     rib                      Routing table
   > route-filter             List of routes to match
     route-type               Route type
   > source-address-filter    List of source addresses to match
     tag                      Tag string
     tag2                     Tag string 2
   ```

   Routing policy match conditions (to):

   ```
   + apply-groups             Groups from which to inherit configuration data
   ```

8. Routing policy match conditions (to), continued, and routing policy actions

   ```
   + apply-groups-except      Don't inherit configuration data from these groups
     area                     OSPF area identifier
   + as-path                  Name of AS path regular expression (BGP only)
   + as-path-group            Name of AS path group (BGP only)
     color                    Color (preference) value
     color2                   Color (preference) value 2
   + community                BGP community
   > external                 External route
     family
     instance                 Routing protocol instance
   + interface                Interface name or address
     level                    IS-IS level
     local-preference         Local preference associated with a route
     metric                   Metric value
     metric2                  Metric value 2
     metric3                  Metric value 3
     metric4                  Metric value 4
   + neighbor                 Neighboring router
   + next-hop                 Next-hop router
     origin                   BGP origin attribute
   + policy                   Name of policy to evaluate
     preference               Preference value
     preference2              Preference value 2
   + protocol                 Protocol from which route was learned
     rib                      Routing table
     tag                      Tag string
     tag2                     Tag string 2
   ```

   Routing policy actions:

   ```
     accept                   Accept a route
   + apply-groups             Groups from which to inherit configuration data
   + apply-groups-except      Don't inherit configuration data from these groups
   > as-path-expand           Prepend AS numbers prior to adding local-as (BGP only)
     as-path-prepend          Prepend AS numbers to an AS path (BGP only)
     class                    Set class-of-service parameters
   > color                    Color (preference) value
   ```

9. Routing policy actions (continued)

   ```
   > color2                   Color (preference) value 2
   > community                BGP community properties associated with a route
     cos-next-hop-map         Set CoS-based next-hop map in forwarding table
     damping                  Define BGP route flap damping parameters
     default-action           Set default policy action
     destination-class        Set destination class in forwarding table
   > external                 External route
     forwarding-class         Set source or destination class in forwarding table
   > install-nexthop          Choose the next hop to be used for forwarding
   > load-balance             Type of load balancing in forwarding table
   > local-preference         Local preference associated with a route
   > metric                   Metric value
   > metric2                  Metric value 2
   > metric3                  Metric value 3
   > metric4                  Metric value 4
     next                     Skip to next policy or term
   > next-hop                 Set the address of the next-hop router
     origin                   BGP path origin
   > preference               Preference value
   > preference2              Preference value 2
     reject                   Reject a route
     source-class             Set source class in forwarding table
   > tag                      Tag string
   > tag2                     Tag string 2
     trace                    Log matches to a trace file
   ```
