
[SRX] Firewall Filter Examples to verify Multicast traffic is reaching the Layer 3 Junos OS device


Article ID: KB28405   KB Last Updated: 04 May 2020   Version: 2.0
Summary:

While troubleshooting a Multicast issue, you want to check if traffic from the Multicast source or client is being received by the Layer 3 Junos OS device. This article gives examples to show how this can be done.

For firewall filter examples on a Layer 2 EX device, refer to KB21589 - Firewall Filter Examples to verify Multicast traffic is reaching the EX switch.

 

Symptoms:

Apply a firewall filter to an L3 Junos OS device in order to confirm that Multicast traffic is reaching the L3 Junos OS device.

Two firewall filter examples related to the network diagram below are provided in this article:

  • Example 1: Firewall filter used to determine if the L3 Junos OS device is receiving Multicast traffic on the ge-0/0/20 interface from the Server (Source)

  • Example 2:  Firewall filter used to determine if the L3 Junos OS device is receiving IGMP Reports on the ge-0/0/15 interface from Client 1 (Receiver)

Note: Refer to KB21591 - Sample Multicast Network Topology with EX devices for definitions of the components.

 

Solution:

For detailed information on firewall filters, refer to the Technical Documentation: Firewall Filters Overview

Example 1 - Firewall Filter

This example shows you how to determine if the L3 Junos device is receiving Multicast traffic on the ge-0/0/20 interface from the Server (Source) address 192.168.200.10.

This firewall filter will accept and count the traffic for the Multicast group 224.100.100.100, from the server 192.168.200.10:

Config:

[edit]
root# set firewall family inet filter Monitor-Ingress-Traffic term One from destination-address 224.100.100.100
root# set firewall family inet filter Monitor-Ingress-Traffic term One from source-address 192.168.200.10
root# set firewall family inet filter Monitor-Ingress-Traffic term One then count Multicast-Source-Counter
root# set firewall family inet filter Monitor-Ingress-Traffic term One then accept
root# set firewall family inet filter Monitor-Ingress-Traffic term Default then count Default-Counter
root# set firewall family inet filter Monitor-Ingress-Traffic term Default then accept 

Note: A firewall filter must be applied to an interface before it takes effect.

This command maps the filter Monitor-Ingress-Traffic to the ge-0/0/20 interface (the interface connected to the Server):    

root# set interfaces ge-0/0/20 unit 0 family inet filter input Monitor-Ingress-Traffic 

Verifying the Counters:

The following command reports the packets that match the firewall filter. In this case, the Multicast-Source-Counter has 0 matched packets. Therefore, it can be concluded that the Multicast stream is not reaching the L3 device.

root# run show firewall

Filter: Monitor-Ingress-Traffic
Counters:
Name                               Bytes         Packets
Default-Counter                     86              1
Multicast-Source-Counter            0               0

Example 2 - Firewall Filter

This example shows how to determine if the L3 device is receiving IGMP Reports on the ge-0/0/15 interface from Client 1 (Receiver).

This firewall filter will accept and count the traffic from Client 1 (192.168.100.10) to the Multicast Group address 224.100.100.100.

[edit]

root# set firewall family inet filter Monitor-ClientReports term Two from destination-address 224.100.100.100
root# set firewall family inet filter Monitor-ClientReports term Two from source-address 192.168.100.10
root# set firewall family inet filter Monitor-ClientReports term Two then count Multicast-Report-Counter
root# set firewall family inet filter Monitor-ClientReports term Two then accept
root# set firewall family inet filter Monitor-ClientReports term Default then count Default-Counter
root# set firewall family inet filter Monitor-ClientReports term Default then accept 

Note: A firewall filter must be applied to an interface before it takes effect.

This command maps the filter Monitor-ClientReports to the ge-0/0/15 interface (the interface connected to the receiver):

root# set interfaces ge-0/0/15 unit 0 family inet filter input Monitor-ClientReports 

Verifying the Counters:

The following command reports the packets that match the firewall filter. In this case, the Multicast-Report-Counter has 0 matched packets. Therefore, it can be concluded that the Multicast Client IGMP reports are not reaching the L3 device.

root# run show firewall

Filter: Monitor-ClientReports
Counters:
Name                               Bytes         Packets
Default-Counter                     64              1
Multicast-Report-Counter            0               0
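
The counter checks in Example 1 and Example 2 read a single capture, but the counters are cumulative, so comparing two captures of "show firewall" shows whether anything arrived in between. The Python sketch below is an added example and not part of the original Juniper article; the second capture, the function names and the result labels are assumptions made for illustration.

```python
import re

# Constructed sample input: two "show firewall" captures taken some seconds
# apart. The first is the output shown in Example 1; the second is invented.
BEFORE = """\
Filter: Monitor-Ingress-Traffic
Counters:
Name                               Bytes         Packets
Default-Counter                     86              1
Multicast-Source-Counter            0               0
"""
AFTER = """\
Filter: Monitor-Ingress-Traffic
Counters:
Name                               Bytes         Packets
Default-Counter                     258             3
Multicast-Source-Counter            0               0
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)$")  # counter name, bytes, packets

def parse_show_firewall(text):
    """Return {filter_name: {counter_name: (bytes, packets)}}."""
    filters, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Filter:"):
            current = filters.setdefault(line.split(":", 1)[1].strip(), {})
        elif current is not None and (m := ROW.match(line)):
            current[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return filters

def packets_added(before, after, name):
    """Packets counted between captures; a lower 'after' means a counter reset."""
    old, new = before.get(name, (0, 0))[1], after.get(name, (0, 0))[1]
    return new - old if new >= old else new

def diagnose(before_text, after_text, filter_name, watched, default="Default-Counter"):
    """Classify what the filter saw between the two captures."""
    before = parse_show_firewall(before_text).get(filter_name)
    after = parse_show_firewall(after_text).get(filter_name)
    if before is None or after is None or watched not in after:
        return "filter-or-counter-missing"   # filter not applied, or wrong name
    if packets_added(before, after, watched) > 0:
        return "matched"                     # watched traffic is arriving
    if packets_added(before, after, default) > 0:
        return "other-traffic-only"          # interface is live, match term is not hit
    return "no-traffic"                      # nothing at all reached the filter

if __name__ == "__main__":
    print(diagnose(BEFORE, AFTER, "Monitor-Ingress-Traffic", "Multicast-Source-Counter"))
```

A result of "other-traffic-only" means the filter is applied and the interface is passing packets, so the zero on the watched counter points at the source, group address or upstream path rather than at the filter mapping.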

 

Modification History:

2020-05-04: Corrected reference links, made minor changes to the configuration; article accurate and still valid

 
