[MX] Using loopback input filter for filtering transit ip-option packets on TRIO

Article ID: KB30719 | KB Last Updated: 30 May 2016 | Version: 2.0
Summary:

An IP packet that has ip-options set and is not destined to the router itself cannot be filtered by an ip-option term in the loopback input filter on chipsets such as ABC, LMNR, STOLI, and ICHIP. On these chipsets, ip-options can only be filtered via interface filters or FTF filters. The drawback is that every transit packet, not just traffic destined to the host, is forced through those filter instructions, which may carry a performance penalty depending on the overall filter instruction budget in use. On TRIO, however, an input filter on the loopback interface does see transit packets that carry ip-options, so the problem can be solved there. This article provides a working configuration for using a loopback input filter to filter transit ip-option packets on TRIO.

Symptoms:

Topology:

2602:306:bcbb:8b90::48 ----- ge-1/3/0 [MX] ge-1/3/1 ----- 2001:418:3801:19d::2768

DUT:
Model: MX80
Junos OS Release: 13.3R6.5

Unidirectional IPv6 traffic with the 'router-alert' option set is sent from source address 2602:306:bcbb:8b90::48 to destination address 2001:418:3801:19d::2768. We need to filter this transit traffic with ip-options using the lo0 input filter.

Solution:
root@MX# show interfaces
ge-1/3/0 {
    unit 0 {
        family inet6 {
            address 2602:306:bcbb:8b90::1/64;
        }
    }
}
ge-1/3/1 {
    unit 0 {
        family inet6 {
            address 2001:418:3801:19d::1/64;
        }
    }
}
lo0 {
    unit 0 {
        family inet6 {
            filter {
                input IP-OPTIONS;
            }
            address 2001:418:0:1000::1c/128 {
                primary;
            }
        }
    }
}

root@MX# show firewall
family inet6 {
    filter IP-OPTIONS {
        term 1 {
            from {
                next-header hop-by-hop;    # the IPv6 ip-option field is carried in the hop-by-hop header
            }
            then {
                count ip-options;
                log;
                discard;
            }
        }
        term 2 {
            then {
                count host;
            }
        }
    }
}

Step-by-step configuration:

  1. Configure the interfaces:

    set interfaces ge-1/3/0 unit 0 family inet6 address 2602:306:bcbb:8b90::1/64
    set interfaces ge-1/3/1 unit 0 family inet6 address 2001:418:3801:19d::1/64
    set interfaces lo0 unit 0 family inet6 filter input IP-OPTIONS
    set interfaces lo0 unit 0 family inet6 address 2001:418:0:1000::1c/128 primary
  2. Configure the firewall filter:

    set firewall family inet6 filter IP-OPTIONS term 1 from next-header hop-by-hop
    set firewall family inet6 filter IP-OPTIONS term 1 then count ip-options
    set firewall family inet6 filter IP-OPTIONS term 1 then log
    set firewall family inet6 filter IP-OPTIONS term 1 then discard
    set firewall family inet6 filter IP-OPTIONS term 2 then count host
    set firewall family inet6 filter IP-OPTIONS term 2 then accept
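As an added example (not Juniper code and not part of the original article), the following Python models what the two filter terms do to a transit packet carrying the Router Alert hop-by-hop option versus a plain packet addressed to lo0 itself; the packet bytes, the ingress interface name and the counter layout are constructed to mirror the topology and outputs in this article.

```python
"""Offline model of the IP-OPTIONS lo0 filter (added example, not Juniper code): builds
an IPv6 packet with a Hop-by-Hop header carrying Router Alert (RFC 2711) and classifies
packets as the two terms do: hop-by-hop -> count ip-options, log, discard; else count host."""
import ipaddress
import struct

HOP_BY_HOP = 0     # next-header value of the IPv6 Hop-by-Hop Options header
ICMPV6 = 58
ROUTER_ALERT = 5   # Hop-by-Hop option type for Router Alert (RFC 2711)

def ipv6_packet(src, dst, next_header, payload):
    """40-byte base header (version 6, hop limit 64) followed by payload."""
    base = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return base + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def hop_by_hop_router_alert(next_header, value=0):
    """8-octet Hop-by-Hop header: next header, ext len 0, Router Alert (5, 2, value), PadN(2)."""
    return struct.pack("!BBBBH", next_header, 0, ROUTER_ALERT, 2, value) + bytes([1, 0])

def classify(packet):
    """Mirror the filter terms: returns (counter name, action) for one packet."""
    if packet[6] == HOP_BY_HOP:          # term 1: from next-header hop-by-hop
        return "ip-options", "discard"   # then count ip-options; log; discard
    return "host", "accept"              # term 2: then count host; accept

def run_filter(packets, ingress="ge-1/3/0.0"):
    """Returns counters shaped like 'show firewall filter ... detail' ({name: [bytes, packets]})
    and rows shaped like 'show firewall log' (action, interface, protocol, src, dst) for discards."""
    counters = {"ip-options": [0, 0], "host": [0, 0]}
    log = []
    for pkt in packets:
        name, action = classify(pkt)
        counters[name][0] += len(pkt)
        counters[name][1] += 1
        if action == "discard":
            src = ipaddress.IPv6Address(pkt[8:24]).compressed
            dst = ipaddress.IPv6Address(pkt[24:40]).compressed
            log.append(("D", ingress, pkt[6], src, dst))
    return counters, log

# Constructed samples: the transit router-alert stream from the topology above, and one
# plain ICMPv6 echo request addressed to lo0 itself (payload bytes are a stub).
TRANSIT = ipv6_packet("2602:306:bcbb:8b90::48", "2001:418:3801:19d::2768",
                      HOP_BY_HOP, hop_by_hop_router_alert(ICMPV6) + b"\x80\x00" + b"\x00" * 6)
HOST_BOUND = ipv6_packet("2602:306:bcbb:8b90::48", "2001:418:0:1000::1c",
                         ICMPV6, b"\x80\x00" + b"\x00" * 6)

if __name__ == "__main__":
    print(run_filter([TRANSIT, TRANSIT, HOST_BOUND]))
```

Term 1 matches any packet whose first extension header is Hop-by-Hop, not only Router Alert, and MLD also carries Router Alert in a Hop-by-Hop header, so compare the ip-options counter against expected multicast signalling before relying on discard in production.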

Verification:

Use the following commands to verify filter function:

  • show firewall filter <filter name> detail
  • show firewall filter <filter name> counter <counter name>
  • show firewall log

root@MX> show firewall filter IP-OPTIONS detail

Filter: IP-OPTIONS
Counters:
Name                 Bytes          Packets
host                 144            2
ip-options           52770410       479731

root@MX> show firewall filter IP-OPTIONS detail

Filter: IP-OPTIONS
Counters:
Name                 Bytes          Packets
host                 144            2
ip-options           52879750       480725

root@MX> show firewall filter IP-OPTIONS counter ip-options

Filter: IP-OPTIONS
Counters:
Name                 Bytes          Packets
ip-options           54192160       492656

root@MX> show firewall filter IP-OPTIONS counter ip-options

Filter: IP-OPTIONS
Counters:
Name                 Bytes          Packets
ip-options           54629520       496632

root@MX> show firewall log
Log :
Time      Filter  Action  Interface   Protocol  Src Addr                 Dest Addr
14:59:08  pfe     D       ge-1/3/0.0  0         2602:306:bcbb:8b90::48   2001:418:3801:19d::2768
14:59:08  pfe     D       ge-1/3/0.0  0         2602:306:bcbb:8b90::48   2001:418:3801:19d::2768
14:59:08  pfe     D       ge-1/3/0.0  0         2602:306:bcbb:8b90::48   2001:418:3801:19d::2768
14:59:08  pfe     D       ge-1/3/0.0  0         2602:306:bcbb:8b90::48   2001:418:3801:19d::2768
---(more)---

The ip-options counter keeps increasing between successive outputs while the host counter stays at 2, and the log shows discards for the transit source and destination pair, so the transit traffic with ip-options set is being filtered by the lo0 input filter.
