Policy Framework Configuration Guide - Juniper Networks

Chapter 9: Firewall Filter Configuration
Configuring Filter-Based Forwarding
}
You can configure filters to classify packets based on source address and specify the
forwarding path the packets take within the router by configuring a filter on the ingress
interface. For example, you can use this filter for applications to differentiate traffic from
two clients that have a common access layer (for example, a Layer 2 switch) but are
connected to different Internet service providers (ISPs). When the filter is applied, the
router can differentiate the two traffic streams and direct each to the appropriate network.
Depending on the media type the client is using, the filter can use the source IP address
to forward the traffic to the corresponding network through a tunnel. You can also
configure filters to classify packets based on IP protocol type or IP precedence bits.
NOTE: Source-class usage filter matching and unicast reverse-path
forwarding checks are not supported on an interface configured with
filter-based forwarding (FBF).
You can also forward packets based on output filters by configuring a filter on the egress
interfaces. In the case of port mirroring, it is useful for port-mirrored packets to be
distributed to multiple monitoring PICs and collection PICs based on patterns in packet
headers. FBF on the port-mirroring egress interface must be configured.
Packets forwarded to the output filter have been through at least one route lookup when
an FBF filter is configured on the egress interface. After the packet is classified at the
egress interface by the FBF filter, it is redirected to another routing table for further route
lookup.
Filter-based forwarding is supported for IPv4 and IPv6.
To direct traffic meeting defined match conditions to a specific routing instance, include
the routing-instance filter action:
routing-instance routing-instance;
For IPv4 traffic, include the action at the [edit firewall family inet filter filter-name term
term-name then] hierarchy level. For IPv6 traffic, include the action at the [edit firewall
family inet6 filter filter-name term term-name then] hierarchy level. For MPLS traffic,
configure the filter terms at the [edit firewall family mpls filter filter-name term term-name
then] hierarchy level.
The routing-instance filter action accepts the traffic meeting the match conditions and
directs it to the routing instance named in routing-instance. For information about
forwarding instances and routing instances, see the Junos OS Routing Protocols
Configuration Guide.
NOTE: In Junos OS Release 9.0 and later, you can no longer specify a
routing-instance name of default or include special characters within the
name of a routing instance.
Copyright © 2010, Juniper Networks, Inc.
269