Routing

Filter allow traffic or routes into router?

  • 1.  Filter allow traffic or routes into router?

    Posted 04-06-2017 10:22

    Hi, can anyone explain the below? Does the config allow traffic into the router, or allow routes into the router, if it is attached to interface ge-1/1/5 on an MX960?

    set firewall family inet filter Vendor4 term Evc from destination-address 6.17.18.247/32
    set firewall family inet filter Vendor4 term Evc from protocol esp
    set firewall family inet filter Vendor4 term Evc then count Evc
    set firewall family inet filter Vendor4 term Evc then accept

    set interfaces ge-1/1/5 unit 4 family inet filter input Evc



  • 2.  RE: Filter allow traffic or routes into router?

    Posted 04-06-2017 11:18

    "set firewall family inet filter Vendor4 term Evc from destination-address 6.17.18.247/32
    set firewall family inet filter Vendor4 term Evc from protocol esp
    set firewall family inet filter Vendor4 term Evc then count Evc
    set firewall family inet filter Vendor4 term Evc then accept

    set interfaces ge-1/1/5 unit 4 family inet filter input Evc"

    The mentioned config allows/filters only data-plane traffic, as the config is applied to a physical interface (ge).

    To filter routes/control plane, please apply the config on the loopback interface (RE-based filter):

    Sample config for the same:

    set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR from source-address 172.16.1.2/32
    set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR from protocol ospf
    set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR then log
    set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR then accept
    set firewall family inet filter OSPF_FILTER term DENY_ANY then count DENIED_TRAFFIC
    set firewall family inet filter OSPF_FILTER term DENY_ANY then discard

    set interfaces lo0 unit 0 family inet filter input OSPF_FILTER

    Please mark this as accepted solution, if it solves your issue




  • 3.  RE: Filter allow traffic or routes into router?

    Posted 04-06-2017 13:46

    Thank you for your reply.


    I know routes, instead of data traffic, will be sent out/in if we use a BGP policy like the below:

    set routing-instances WWA protocols bgp group VV6 import RV6
    set policy-options policy-statement RV6 term 10 from prefix-list NV6
    set policy-options policy-statement RV6 term 10 then accept

    So, can we say data traffic would be sent out/in only when the prefix is attached to a physical interface, and routes would be sent out/in only when the prefix is attached to the loopback interface or a BGP policy, right?



  • 4.  RE: Filter allow traffic or routes into router?
    Best Answer


    Posted 04-06-2017 18:47

    Please find answers inline:

    /So, can we say data traffic would be sent out/in only when the prefix is attached to a physical interface?/

    - Yes, you are correct: by attaching it to a physical interface we can filter (allow/deny) the traffic sent to/from the prefix (source/destination).

    Since firewall filters work on/are applied directly to the IP packet, with respect to traffic the prefixes will be either the source or the destination in the IP packet.

    /and routes would be sent out/in only when the prefix is attached to the loopback interface or a BGP policy, right?/

    - Again, here we have to remember that a firewall filter works on/is applied to the IP packet, so we can control (allow/deny) control-plane packets for a protocol as a whole, not for a set of prefixes.

    For example, we can control (allow/deny) updates from a neighbor as a whole, but we can't filter more specific updates from a neighbor (which update to receive and which not to receive), something we can do via policy options (prefix-list, route-filter).

    For example, the config below, if applied to the loopback interface, will accept all OSPF route updates from OSPF neighbor 172.16.1.2. But if we want to allow only 10/8 network prefixes from a specific neighbor, say 172.16.1.2, we can't do this via a firewall filter.

    Remember, here 172.16.1.2 is the source address field of the IP packet.

    set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR from source-address 172.16.1.2/32
    set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR from protocol ospf
    set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR then accept

    Hope this clarifies.

    Please mark this as accepted solution, if it answers your query
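    The filter-versus-policy distinction drawn in this answer, as an added example that is not part of the thread: a small Python evaluator for the thread's own set-style filter lines. It decides a packet's fate from nothing but the IP header fields a Junos inet filter can match (source-address, destination-address, protocol), so the prefixes carried inside an OSPF or BGP update never enter the decision; the default-accept and implicit-discard rules are standard Junos semantics, the packet addresses are constructed, and the filter is referenced by its defined name Vendor4 rather than the Evc used in the OP's interface statement.

```python
import ipaddress
from collections import defaultdict
# Constructed sample: the thread's own set-style lines (OP's Vendor4 filter, OSPF_FILTER from the replies).
CONFIG = """
set firewall family inet filter Vendor4 term Evc from destination-address 6.17.18.247/32
set firewall family inet filter Vendor4 term Evc from protocol esp
set firewall family inet filter Vendor4 term Evc then count Evc
set firewall family inet filter Vendor4 term Evc then accept
set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR from source-address 172.16.1.2/32
set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR from protocol ospf
set firewall family inet filter OSPF_FILTER term OSPF_NEIGHBOR then accept
set firewall family inet filter OSPF_FILTER term DENY_ANY then count DENIED_TRAFFIC
set firewall family inet filter OSPF_FILTER term DENY_ANY then discard
"""

def parse_filters(text):
    """Group 'set firewall family inet filter' lines into {filter: {term: spec}}, term order kept."""
    filters = {}
    for line in text.strip().splitlines():
        p = line.split()
        if p[:5] != ["set", "firewall", "family", "inet", "filter"] or len(p) < 10:
            continue
        term = filters.setdefault(p[5], {}).setdefault(p[7], {"from": defaultdict(set), "then": []})
        if p[8] == "from" and len(p) > 10:
            term["from"][p[9]].add(p[10])          # e.g. source-address -> {prefix, ...}
        elif p[8] == "then":
            term["then"].append(" ".join(p[9:]))   # e.g. "count Evc", "accept", "discard"
    return filters

def _addr_ok(addr, prefixes):  # no prefixes configured on a term means "match any"
    return not prefixes or any(ipaddress.ip_address(addr) in ipaddress.ip_network(x) for x in prefixes)

def evaluate(filters, name, src, dst, proto):
    """Walk terms in order; the first matching term decides. Only IP header fields are consulted:
    prefixes carried inside an OSPF LSU or BGP UPDATE payload are invisible to the filter."""
    counters = defaultdict(int)
    for term in filters[name].values():
        m = term["from"]
        if not (_addr_ok(src, m["source-address"]) and _addr_ok(dst, m["destination-address"])
                and (not m["protocol"] or proto in m["protocol"])):
            continue
        verdict = "accept"  # Junos: a matching term with no terminating action accepts
        for action in term["then"]:
            if action.startswith("count "):
                counters[action.split()[1]] += 1
            elif action in ("accept", "discard", "reject"):
                verdict = action
        return verdict, dict(counters)
    return "discard", dict(counters)  # implicit discard at the end of every filter
```

    An OSPF packet from 172.16.1.9 falls through to DENY_ANY and is counted and discarded, while one from 172.16.1.2 is accepted whatever routes it announces, which is exactly the limitation the answer describes.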

     



  • 5.  RE: Filter allow traffic or routes into router?

    Posted 04-07-2017 11:38

    "For example , we can control(allow/deny) updates from a neighbor as whole"

    I think the "updates" you mentioned above should be route, or prefix, right?




  • 6.  RE: Filter allow traffic or routes into router?

    Posted 04-08-2017 06:30

    Yes, it is control-plane route/prefix updates.


    Please mark this as accepted solution , if it answers your query



  • 7.  RE: Filter allow traffic or routes into router?

    Posted 04-10-2017 06:57

    Thank you!