
[Junos Platform] Input firewall filter on the core-facing interface does not work when vrf-table-label is configured


Article ID: KB28158    KB Last Updated: 24 Sep 2013    Version: 1.0
Summary:

This article explains why the input firewall filter on the core-facing interface does not work when vrf-table-label is configured. This is functioning as designed. Two workarounds are suggested.

Symptoms:

The customer configures an input firewall filter on the core-facing interface of the egress PE to troubleshoot a VPN application, but the following firewall filter does not count any incoming MPLS traffic by EXP value.

Lab@Router> show configuration firewall family mpls filter test-exp 
interface-specific;
term 1 {
    from {
        exp 0;
    }
    then {
        count count-0;
        accept;
    }
}
term 2 {
    from {
        exp 1;
    }
    then {
        count count-1;
        accept;
    }
}
term 3 {
    from {
        exp 2;
    }
    then {
        count count-2;
        accept;
    }
}
term 4 {
    from {
        exp 3;
    }
    then {
        count count-3;
        accept;
    }
}
term 5 {
    from {
        exp 4;
    }
    then {
        count count-4;
        accept;
    }
}
term 6 {
    from {
        exp 5;
    }
    then {
        count count-5;
        accept;
    }
}
term 7 {
    from {
        exp 6;
    }
    then {
        count count-6;
        accept;
    }
}
term 8 {                                
    from {
        exp 7;
    }
    then {
        count count-7;
        accept;
    }
}
Lab@Router> show firewall filter test-exp-xe-1/2/0.0-i  

Filter: test-exp-xe-1/2/0.0-i                                  
Counters:
Name                                                Bytes              Packets
count-0-xe-1/2/0.0-i                                    0                    0
count-1-xe-1/2/0.0-i                                    0                    0
count-2-xe-1/2/0.0-i                                    0                    0
count-3-xe-1/2/0.0-i                                    0                    0
count-4-xe-1/2/0.0-i                                    0                    0
count-5-xe-1/2/0.0-i                                    0                    0
count-6-xe-1/2/0.0-i                                    0                    0
count-7-xe-1/2/0.0-i                                    0                    0

tomyang@mx480-a-re0> 

After deactivating vrf-table-label, the input firewall filter works:

Lab@Router> show system rollback compare 1 0 
[edit routing-instances ABC]
!     inactive: vrf-table-label { ... }

Lab@Router> show firewall filter test-exp-xe-1/2/0.0-i

Filter: test-exp-xe-1/2/0.0-i                                  
Counters:
Name                                                Bytes              Packets
count-0-xe-1/2/0.0-i                                    0                    0
count-1-xe-1/2/0.0-i                          15886379028             10719554
count-2-xe-1/2/0.0-i                                    0                    0
count-3-xe-1/2/0.0-i                                    0                    0
count-4-xe-1/2/0.0-i                                    0                    0
count-5-xe-1/2/0.0-i                                    0                    0
count-6-xe-1/2/0.0-i                                    0                    0
count-7-xe-1/2/0.0-i                                    0                    0

Lab@Router> 
Cause:
As per the vrf-table-label implementation, when vrf-table-label is configured for a VRF instance, an LSI interface is created and associated with all core-facing interfaces that support vrf-table-label.

When incoming MPLS packets for this VPN arrive at a core-facing interface, they are treated as if the enclosed IP packet had arrived on the LSI interface for this VRF; from the forwarding plane's perspective, the physical core-facing interface is bypassed. Therefore, the input firewall filter configured on the core-facing interface does not see these packets.

This is functioning by design.

Note: The Trinity-based platforms, such as the MPC on the MX Series, have a different implementation of the vrf-table-label feature. Because their NP-based chipset supports multiple lookups itself, features such as firewall filters, classifiers and accounting on the physical core-facing interface are always executed as configured.
Solution:

The system is functioning as designed. There are two workaround options:

Option 1: Configure a VT interface for the VRF instead of vrf-table-label; or
Option 2: Delete or deactivate vrf-table-label, if possible.
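The two workarounds expressed as Junos configuration, as an added example that is not part of the article. The routing-instance name ABC, the core-facing interface xe-1/2/0 and the filter test-exp are taken from the article's output; the vt- and customer-facing interface names and the RD/RT values are assumed, and a vt- interface requires tunnel services to be available on the router.

```junos
# Option 1: give the VRF a VT (virtual tunnel) interface instead of vrf-table-label,
# so the second lookup happens on vt-1/2/0.0 and the core-facing input filter still runs.
interfaces {
    vt-1/2/0 {                          # assumed slot/PIC; needs tunnel services
        unit 0 {
            family inet;
        }
    }
    xe-1/2/0 {                          # core-facing interface from the article
        unit 0 {
            family mpls {
                filter {
                    input test-exp;     # the EXP-counting filter shown above
                }
            }
        }
    }
}
routing-instances {
    ABC {
        instance-type vrf;
        interface ge-0/0/1.0;           # assumed customer-facing interface
        interface vt-1/2/0.0;           # replaces vrf-table-label
        route-distinguisher 65000:100;  # constructed value
        vrf-target target:65000:100;    # constructed value
        # vrf-table-label is intentionally absent: with it present the
        # core-facing filter would be bypassed, as the Cause section explains.
    }
}
# Option 2 (when a VT interface is not an option): deactivate the knob instead,
# which is the state the article's "show system rollback compare" output shows:
#   deactivate routing-instances ABC vrf-table-label
#   commit
# Afterwards, "show firewall filter test-exp-xe-1/2/0.0-i" should show the
# EXP counters incrementing for the incoming MPLS traffic.
```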
