
[SRX] How to forward traffic passing through IPsec VPN to one specific forwarding queue


Article ID: KB35010 | Last Updated: 13 Sep 2019 | Version: 1.0
Summary:

Sometimes, customers want clear-text traffic from a given source to be forwarded to one specific forwarding queue of the external physical VPN interface, and also want the decrypted traffic to be forwarded to one specific forwarding queue of the internal physical interface.

This article explains how to forward traffic passing through the IPsec VPN to one specific forwarding queue on SRX devices.

Solution:

An example of how this can be done is given here.

Topology

PC1---(ge-0/0/0)SRX1(ge-0/0/1)---IPsec---SRX2---PC2

Configuration on SRX1

set firewall filter test term 1 then forwarding-class expedited-forwarding

Note: You can add additional filter matching terms based on your requirement.

set interfaces ge-0/0/0 unit 0 family inet filter input test  <<< The filter is applied to the internal interface, so the clear-text traffic from PC1 is classified before it is encrypted.
set interfaces ge-0/0/0 unit 0 family inet address 192.168.4.254/24
set interfaces ge-0/0/1 unit 0 family inet address 192.168.8.1/24  <<< No filter is used for the external physical interface ge-0/0/1.
set interfaces st0 unit 0 family inet filter input test  <<< Set the filter under st0, not the external physical interface, so the decrypted traffic is classified as it leaves the tunnel.

Now ping 10 packets from PC1:

# ping 192.168.7.1 -c 10

The result on SRX1 is that all 10 packets are counted in queue 1 (expedited-forwarding) on both the external and the internal interface:

root# run show interfaces ge-0/0/1 detail    
Physical interface: ge-0/0/1, Enabled, Physical link is Up
  Traffic statistics:
   Input  bytes  :                 1280                    0 bps
   Output bytes  :                 1280                    0 bps

  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0                    0                    0
    1                               10                   10                    0  <<
    2                                0                    0                    0
    3                                0                    0                    0

  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control

root# run show interfaces ge-0/0/0 detail    
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Traffic statistics:
   Input  bytes  :                  840                    0 bps
   Output bytes  :                  840                    0 bps

  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0                    0                    0
    1                               10                   10                    0 <<
    2                                0                    0                    0
    3                                0                    0                    0

  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
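Checking the queue counters by eye works for a lab, but after a change to the filter or the forwarding-class mapping it is easy to miss that traffic has fallen back to best-effort. The following script is an added example, not Juniper code and not part of this article: it parses the "Queue counters" and "Queue number" tables from the `show interfaces <ifd> detail` output shown above and checks that the expected number of packets left the queue mapped to a given forwarding class while the best-effort queue stayed empty. It assumes the text layout shown in this article; other Junos releases may format the output differently. The sample output is constructed from the ge-0/0/0 result above.

```python
"""Verify forwarding-class classification from Junos 'show interfaces <ifd> detail' text.

Added example for this KB article, not Juniper code. Assumes the output layout
shown in the article: a 'Queue counters:' table (queue, queued, transmitted,
dropped) followed by a 'Queue number:' table mapping queues to forwarding classes.
"""
import re
from typing import Dict

# Constructed sample: the ge-0/0/0 output from the article after the 10 pings.
SAMPLE_OUTPUT = """\
Physical interface: ge-0/0/0, Enabled, Physical link is Up
  Traffic statistics:
   Input  bytes  :                  840                    0 bps
   Output bytes  :                  840                    0 bps

  Queue counters:       Queued packets  Transmitted packets      Dropped packets
    0                                0                    0                    0
    1                               10                   10                    0
    2                                0                    0                    0
    3                                0                    0                    0

  Queue number:         Mapped forwarding classes
    0                   best-effort
    1                   expedited-forwarding
    2                   assured-forwarding
    3                   network-control
"""

# A counter row is four integers; a mapping row is an integer and a class name.
QUEUE_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")
MAP_ROW = re.compile(r"^\s*(\d+)\s+([a-z][a-z0-9-]*)\s*$")


def _table_rows(text: str, header: str, pattern: re.Pattern):
    """Yield regex matches for the rows that follow `header` until a non-matching line."""
    in_table = False
    for line in text.splitlines():
        if line.strip().startswith(header):
            in_table = True          # column headings are on this same line; skip it
            continue
        if in_table:
            m = pattern.match(line)
            if not m:
                in_table = False     # blank line or next section ends the table
                continue
            yield m


def parse_queue_counters(text: str) -> Dict[int, Dict[str, int]]:
    """Return {queue: {'queued': n, 'transmitted': n, 'dropped': n}}."""
    counters = {}
    for m in _table_rows(text, "Queue counters:", QUEUE_ROW):
        q, queued, tx, dropped = (int(x) for x in m.groups())
        counters[q] = {"queued": queued, "transmitted": tx, "dropped": dropped}
    return counters


def parse_queue_map(text: str) -> Dict[str, int]:
    """Return {forwarding_class: queue_number} from the 'Queue number:' table."""
    return {m.group(2): int(m.group(1))
            for m in _table_rows(text, "Queue number:", MAP_ROW)}


def transmitted_in_class(text: str, forwarding_class: str) -> int:
    """Packets transmitted from the queue that the given forwarding class maps to."""
    queue = parse_queue_map(text)[forwarding_class]
    return parse_queue_counters(text)[queue]["transmitted"]


def check_classification(text: str, forwarding_class: str, expected_packets: int) -> bool:
    """True when `expected_packets` left the queue for `forwarding_class` with no drops,
    and nothing leaked into best-effort (the failure mode when a filter is bound to the
    wrong interface)."""
    counters = parse_queue_counters(text)
    qmap = parse_queue_map(text)
    target = counters[qmap[forwarding_class]]
    best_effort_tx = counters[qmap["best-effort"]]["transmitted"] if "best-effort" in qmap else 0
    return (target["transmitted"] == expected_packets
            and target["dropped"] == 0
            and best_effort_tx == 0)


if __name__ == "__main__":
    # Expected after the 10-packet ping in the article: queue 1 carried all of it.
    print(transmitted_in_class(SAMPLE_OUTPUT, "expedited-forwarding"))   # 10
    print(check_classification(SAMPLE_OUTPUT, "expedited-forwarding", 10))  # True
```

Run the same check against the ge-0/0/1 output to confirm the encrypted packets were also queued as expedited-forwarding; if `check_classification` returns False for the external interface but True for the internal one, the usual cause is the filter being attached to ge-0/0/1 instead of st0.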
