One limitation when trying to confirm whether packets are being received or forwarded through a Layer 2 circuit or a VPN interface is that filters with specific match conditions for IPv4 packets cannot be used, because the match options available for family CCC are limited.
This article uses an example to show how flexible filters can be configured under family CCC to match specific values (unicast or multicast IP traffic) in the different layers of a packet, or even in its payload.
In this example, a filter is created to match a source or destination address.
To create a specific filter, a prefix must be defined: the source or destination address of the packet converted into a hexadecimal value. This is because term 1 (the term that does the specific matching) uses a “prefix.”
For instance, the IP address used in this example is 192.168.100.2. Translated octet by octet to hex, it becomes c0.a8.64.02. Because the filter requires a pattern, the dots are removed and the prefix “0x” is added in front, which gives “0xc0a86402.”
set firewall family ccc filter flexible-filter-match-ip interface-specific
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask match-start layer-3 <<< This starts the scan at the beginning of the IPv4 header.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask byte-offset 12 <<< Offset of the source address; change it to 16 to match the destination address.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask bit-length 32 <<< Bit length of an IPv4 address.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask mask-in-hex 0xffffffff <<< This mask matches all 32 bits of the field, in hex format.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask prefix 0xc0a86402 <<< The prefix is the IP address you are trying to match, translated to hex format (see the explanation above).
set firewall family ccc filter flexible-filter-match-ip term 1 then count interesting-traffic <<< This counter increases when packets meeting the match condition are received.
set firewall family ccc filter flexible-filter-match-ip term 1 then accept
set firewall family ccc filter flexible-filter-match-ip term 2 then count nomatch <<< Last term, to avoid blackholing non-matching traffic.
set firewall family ccc filter flexible-filter-match-ip term 2 then accept
To check the results, use the show firewall command:
lab@R1# run show firewall

Filter: __default_bpdu_filter__

Filter: flexible-filter-match-ip-ge-0/0/6.500-i
Counters:
Name                                   Bytes   Packets
nomatch-ge-0/0/6.500-i                    60         1
interesting-traffic-ge-0/0/6.500-i      3483        39
The same filter can be used to match multicast traffic: use the multicast group address (the packet's destination address, so byte-offset 16) as the pattern, and multicast packets for that specific group will be matched.
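As an added example (not part of the original article or Junos itself), the Python below automates the address-to-prefix conversion and the generation of the set commands shown above, and emulates the flexible-match-mask lookup against a constructed IPv4 header so the chosen byte-offset (12 for source, 16 for destination, including a multicast group) can be checked before the filter is committed. The filter and counter names are taken from the article; the sample packet is constructed here.

```python
import ipaddress
import struct

# Byte offsets of the address fields from the start of the IPv4 header
# (match-start layer-3); the article uses 12 for source and 16 for destination.
OFFSETS = {"source": 12, "destination": 16}


def ip_to_prefix(ip: str) -> str:
    """Dotted-quad IPv4 address -> the 0x-prefixed hex pattern the filter expects."""
    return "0x" + ipaddress.IPv4Address(ip).packed.hex()


def build_filter(name: str, ip: str, direction: str = "source") -> list[str]:
    """Generate the set commands from the article for the given address/direction."""
    base = f"set firewall family ccc filter {name}"
    t1 = f"{base} term 1 from flexible-match-mask"
    return [
        f"{base} interface-specific",
        f"{t1} match-start layer-3",
        f"{t1} byte-offset {OFFSETS[direction]}",
        f"{t1} bit-length 32",
        f"{t1} mask-in-hex 0xffffffff",
        f"{t1} prefix {ip_to_prefix(ip)}",
        f"{base} term 1 then count interesting-traffic",
        f"{base} term 1 then accept",
        f"{base} term 2 then count nomatch",
        f"{base} term 2 then accept",
    ]


def flexible_match(packet: bytes, byte_offset: int, bit_length: int,
                   mask: int, prefix: str) -> bool:
    """Emulate the match: read bit_length bits at byte_offset, apply the mask,
    compare with the prefix. A packet too short for the field never matches."""
    nbytes = bit_length // 8
    field = packet[byte_offset:byte_offset + nbytes]
    if len(field) < nbytes:
        return False
    return (int.from_bytes(field, "big") & mask) == (int(prefix, 16) & mask)


def ipv4_header(src: str, dst: str) -> bytes:
    """Constructed minimal 20-byte IPv4 header (UDP, TTL 64, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)
```

Calling build_filter("flexible-filter-match-ip", "192.168.100.2") reproduces the ten set commands from the article; pass direction="destination" for a destination or multicast group address.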