
[MX] Configuration Example - Matching IP traffic with a firewall filter for family CCC


Article ID: KB33034 | KB Last Updated: 10 Sep 2018 | Version: 1.0
Summary:

One of the limitations when trying to confirm whether packets are being received or forwarded through a Layer 2 circuit or VPN interface is that filters with specific match conditions for IPv4 packets cannot be used, because family ccc offers only a limited set of match options.

This article uses an example to show how flexible filters can be configured for family ccc to match specific values (unicast or multicast IP traffic) in the different layers of a packet, or even in its payload.


Solution:

In this example, a filter is created to match a source or destination address.

To create a specific filter, a prefix must be defined, which is the source or destination address of the packet converted into a hex value. This is because term 1 (the term that does the specific matching) uses a "prefix".

For instance, the IP address used in this example is 192.168.100.2. Translated to hex, each octet becomes c0.a8.64.02. Because the filter expects a single pattern, the dots are removed and "0x" is prepended, which results in "0xc0a86402".

set firewall family ccc filter flexible-filter-match-ip interface-specific
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask match-start layer-3 <<< This starts the scan at the IPv4 header.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask byte-offset 12 <<< Offset of the source address; change it to 16 to match the destination address.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask bit-length 32 <<< Bit length of an IPv4 address.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask mask-in-hex 0xffffffff <<< This mask compares all 32 bits of the field.
set firewall family ccc filter flexible-filter-match-ip term 1 from flexible-match-mask prefix 0xc0a86402 <<< The prefix is the IP address you are trying to match, translated to hex as described above.
set firewall family ccc filter flexible-filter-match-ip term 1 then count interesting-traffic <<< This counter increases when packets matching the condition are received.
set firewall family ccc filter flexible-filter-match-ip term 1 then accept
set firewall family ccc filter flexible-filter-match-ip term 2 then count nomatch <<< Last term, to avoid blackholing non-matching traffic.
set firewall family ccc filter flexible-filter-match-ip term 2 then accept

To check the results, use the show firewall command:

lab@R1# run show firewall

Filter: __default_bpdu_filter__
Filter: flexible-filter-match-ip-ge-0/0/6.500-i
Counters:
Name                                                Bytes              Packets
nomatch-ge-0/0/6.500-i                                 60                    1
interesting-traffic-ge-0/0/6.500-i                   3483                   39

The same filter can be used to match multicast traffic: use the multicast group address as the prefix, and multicast packets for that specific group are matched.
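The address-to-prefix conversion above, and the multicast variant just mentioned, are easy to get wrong by hand, so here is an added helper (not part of the original article or Junos) that derives the byte-offset, mask-in-hex and prefix values for a flexible-match-mask term, emits the corresponding set commands, and checks the resulting masked compare against a constructed IPv4 header. It goes slightly beyond the article by also deriving a mask for a CIDR block; the assumption that mask-in-hex performs a bitwise AND before comparing with prefix follows from the 0xffffffff example above.

```python
import ipaddress
import struct

# Byte offsets of the address fields inside an IPv4 header (RFC 791):
# source address at bytes 12-15, destination address at bytes 16-19.
IPV4_FIELD_OFFSET = {"source": 12, "destination": 16}


def flexible_match_for(cidr, field="source"):
    """Derive the flexible-match-mask values that match an IPv4 address or
    CIDR block in the source or destination field of the IPv4 header."""
    net = ipaddress.ip_network(cidr, strict=False)   # a bare host becomes /32
    mask = int(net.netmask)
    return {
        "byte-offset": IPV4_FIELD_OFFSET[field],
        "bit-length": 32,
        "mask-in-hex": f"0x{mask:08x}",
        "prefix": f"0x{int(net.network_address) & mask:08x}",
    }


def set_commands(filter_name, cidr, field="source", counter="interesting-traffic"):
    """Render term 1 of the article's filter for the given address (filter and
    counter names are the article's; any other values are the caller's)."""
    base = f"set firewall family ccc filter {filter_name} term 1 from flexible-match-mask"
    lines = [f"{base} match-start layer-3"]
    lines += [f"{base} {k} {v}" for k, v in flexible_match_for(cidr, field).items()]
    lines.append(f"set firewall family ccc filter {filter_name} term 1 then count {counter}")
    lines.append(f"set firewall family ccc filter {filter_name} term 1 then accept")
    return lines


def term_matches(ipv4_header, match):
    """Apply the term's masked compare to raw bytes starting at layer 3
    (assumed semantics: (field & mask-in-hex) == prefix)."""
    off = match["byte-offset"]
    nbytes = match["bit-length"] // 8
    field = int.from_bytes(ipv4_header[off:off + nbytes], "big")
    return field & int(match["mask-in-hex"], 16) == int(match["prefix"], 16)


def build_ipv4_header(src, dst):
    """Constructed minimal 20-byte IPv4 header (checksum left as zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed)


if __name__ == "__main__":
    print("\n".join(set_commands("flexible-filter-match-ip", "192.168.100.2")))
```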
