[SRX] How to forward traffic passing through IPsec VPN to one specific forwarding queue

[KB35010]


Summary:

Customers sometimes want clear-text traffic from certain sources to be placed in a specific forwarding queue of the external physical VPN interface, and want the corresponding decrypted traffic to be placed in a specific forwarding queue of the internal physical interface.

This article explains how to forward traffic passing through the IPsec VPN to one specific forwarding queue on SRX devices.

Solution:

An example of how this can be done is given here.

Topology

PC1---(ge-0/0/0)SRX1(ge-0/0/1)---IPsec---SRX2---PC2

Configuration on SRX1

set firewall filter test term 1 then forwarding-class expedited-forwarding

Note: You can add additional filter matching terms based on your requirement.

set interfaces ge-0/0/0 unit 0 family inet filter input test  <<< The filter classifies clear-text traffic arriving from PC1 on the internal interface.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.4.254/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.8.1/24  <<< No filter is applied on the external physical interface ge-0/0/1.
set interfaces st0 unit 0 family inet filter input test  <<< Apply the filter under st0, not under the external physical interface.
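As an added example (not part of the original article), the same filter extended with a match term and a counter, so that only traffic belonging to PC1's subnet is classified and the match can be verified. The term names, the counter name and the use of 192.168.4.0/24 (PC1's subnet from the topology) are assumptions made for this example. Two points matter when a `from` clause is added: the filter is applied on the input side of both ge-0/0/0 (clear-text packets sourced by PC1) and st0 (decrypted packets destined to PC1), so `from address` is used because it matches either the source or the destination address; and a Junos firewall filter ends with an implicit discard, so a final term that accepts everything else is required or all other traffic entering those interfaces is dropped.

```junos
set firewall filter test term pc1-to-ef from address 192.168.4.0/24
set firewall filter test term pc1-to-ef then count pc1-ef-packets
set firewall filter test term pc1-to-ef then forwarding-class expedited-forwarding
set firewall filter test term pc1-to-ef then accept
set firewall filter test term allow-rest then accept
set interfaces ge-0/0/0 unit 0 family inet filter input test
set interfaces st0 unit 0 family inet filter input test
```

After committing, `run show firewall filter test` shows the `pc1-ef-packets` counter incrementing for both directions, and `run show interfaces ge-0/0/1 detail` (as in the output below) or `run show interfaces queue ge-0/0/1` confirms that the encrypted packets leave through queue 1 (expedited-forwarding) while everything matched by `allow-rest` stays in queue 0 (best-effort).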

Now ping 10 packets from PC1:

# ping 192.168.7.1 -c 10

The result is:

root# run show interfaces ge-0/0/1 detail    
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Traffic statistics:
   Input  bytes  :                 1280                    0 bps
   Output bytes  :                 1280                    0 bps

  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0                    0                    0
    1                               10                   10                    0  <<< 10 packets in queue 1 (expedited-forwarding)
    2                                0                    0                    0
    3                                0                    0                    0

  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control

root# run show interfaces ge-0/0/0 detail    
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Traffic statistics:
   Input  bytes  :                  840                    0 bps
   Output bytes  :                  840                    0 bps

  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0                    0                    0
    1                               10                   10                    0  <<< 10 packets in queue 1 (expedited-forwarding)
    2                                0                    0                    0
    3                                0                    0                    0

  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
