Firewall Filter Examples to verify Multicast traffic is reaching the EX switch

Article ID: KB21589  KB Last Updated: 30 Apr 2020  Version: 4.0

Summary:

While troubleshooting a Multicast issue, you want to check if traffic from the Multicast source or client is being received by the EX switch.

For firewall filter examples on a Junos Layer 3 device, refer to KB28405 - Firewall Filter Examples to verify Multicast traffic is reaching the Layer 3 Junos OS device.

Symptoms:

Apply a Firewall Filter to the EX switch to confirm that Multicast traffic is reaching it.

Two Firewall Filter examples related to the network diagram below are provided in this article:

  • Example 1:  Firewall Filter used to determine if the L2 EX is receiving Multicast traffic on the ge-0/0/15 interface from the Server (Source)

  • Example 2:  Firewall Filter used to determine if the L2 EX is receiving IGMP Reports on the ge-0/0/10 interface from Client 1 (Receiver)

Note: Refer to KB21591 - Sample Multicast Network Topology with EX devices for definitions of the components.

Solution:

For detailed information on Firewall Filters for EX Series switches, refer to the Technical Documentation: Firewall Filters for EX Series Switches Overview

Example 1 - Firewall Filter:

This example shows you how to determine whether the L2 EX is receiving Multicast traffic on the ge-0/0/15 interface from the Server (Source) address 192.168.200.10.

This Firewall Filter will accept and count the traffic for the Multicast group 224.100.100.100, from the server 192.168.200.10:

Config:
 
[edit]
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-Ingress-Traffic term One from destination-address 224.100.100.100
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-Ingress-Traffic term One from source-address 192.168.200.10
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-Ingress-Traffic term One then count Multicast-Source-Counter
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-Ingress-Traffic term One then accept
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-Ingress-Traffic term Default then count Default-Counter
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-Ingress-Traffic term Default then accept

Note: A Firewall Filter does not take effect until it is mapped to an interface.

This command maps the filter Monitor-Ingress-Traffic to the ge-0/0/15 interface (the interface connected to the Server):
 
root@Juniper-L2_EX# set interfaces ge-0/0/15 unit 0 family ethernet-switching filter input Monitor-Ingress-Traffic

Verifying the Counters:

The following command reports the packets that match the Firewall Filter. In this case, the Multicast-Source-Counter has 0 matched packets. Therefore, it can be concluded that the Multicast stream is not reaching the EX switch.
 
root@Juniper-EX# run show firewall

Filter: Monitor-Ingress-Traffic
Counters:
Name                               Bytes         Packets
Default-Counter                     86              1
Multicast-Source-Counter            0               0

Example 2 - Firewall Filter

This example shows you how to determine whether the L2 EX is receiving IGMP Reports on the ge-0/0/10 interface from Client 1 (Receiver).

This Firewall Filter will accept and count the traffic from the Client1 to the Multicast Group address 224.100.100.100.

Config:

[edit]
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-ClientReports term Two from destination-address 224.100.100.100
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-ClientReports term Two from source-address 192.168.100.10
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-ClientReports term Two then count Multicast-Report-Counter
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-ClientReports term Two then accept
root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-ClientReports term Default then count Default-Counter

root@Juniper-L2_EX# set firewall family ethernet-switching filter Monitor-ClientReports term Default then accept

Note: A Firewall Filter does not take effect until it is mapped to an interface.

This command maps the filter Monitor-ClientReports to the ge-0/0/10 interface (the interface connected to the receiver):

root@Juniper-L2_EX# set interfaces ge-0/0/10 unit 0 family ethernet-switching filter input Monitor-ClientReports

Verifying the Counters:

The following command reports the packets that match the Firewall Filter. In this case, the Multicast-Report-Counter has 0 matched packets. Therefore, it can be concluded that the Multicast Client IGMP reports are not reaching the EX switch.

[edit]
root@Juniper-EX# run show firewall

Filter: Monitor-ClientReports
Counters:
Name                               Bytes         Packets
Default-Counter                     64              1
Multicast-Report-Counter            0               0
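
The counters shown by show firewall are cumulative, so comparing two captures taken while the stream should be running is more reliable than reading a single one. The following is an added example, not part of the original article or any Juniper tool: it parses two captures of the output and reports which counters grew. The sample text, the T1 values and all function names are assumptions made for illustration.

```python
import re

# Constructed sample: two `show firewall` captures in the layout shown in this
# article. T0 repeats the article's values; the T1 values are made up.
TEMPLATE = """\
Filter: Monitor-Ingress-Traffic
Counters:
Name                               Bytes         Packets
Default-Counter                     {}              {}
Multicast-Source-Counter            {}               {}

Filter: Monitor-ClientReports
Counters:
Name                               Bytes         Packets
Default-Counter                     {}              {}
Multicast-Report-Counter            {}               {}
"""
T0 = TEMPLATE.format(86, 1, 0, 0, 64, 1, 0, 0)
T1 = TEMPLATE.format(172, 2, 0, 0, 192, 3, 128, 2)
WATCHED = [("Monitor-Ingress-Traffic", "Multicast-Source-Counter"),
           ("Monitor-ClientReports", "Multicast-Report-Counter")]
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")  # counter name, bytes, packets

def parse_show_firewall(text):
    """Return {(filter, counter): (bytes, packets)} from `show firewall` text."""
    counters, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
        elif current and (m := ROW.match(line)):
            counters[(current, m.group(1))] = (int(m.group(2)), int(m.group(3)))
    return counters

def packet_deltas(before, after):
    """Packets added per counter between captures (counters are cumulative)."""
    old, new = parse_show_firewall(before), parse_show_firewall(after)
    deltas = {}
    for key, (_, pkts) in new.items():
        prev = old.get(key, (0, 0))[1]
        # A lower value than before means the counter was cleared in between.
        deltas[key] = pkts - prev if pkts >= prev else pkts
    return deltas

def diagnose(before, after, watched=WATCHED):
    """Label each watched counter by whether it grew between the captures."""
    deltas = packet_deltas(before, after)
    return {k: "receiving" if deltas.get(k, 0) > 0 else "not receiving" for k in watched}

if __name__ == "__main__":
    print(diagnose(T0, T1))
```

If Default-Counter grows while Multicast-Report-Counter stays at 0, the client is sending traffic that the term does not match; IGMPv3 reports, for example, are addressed to 224.0.0.22 rather than to the group address.
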
Modification History:

2020-04-30: Updated links and minor changes to the config.
