Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

Configuration Example - ethernet-switching filter on ACX5048/ACX5096 for troubleshooting

0

0

Article ID: KB35059 KB Last Updated: 21 Dec 2019Version: 2.0
Summary:

On ACX5048 and ACX5096, family ethernet-switching filter can be used for troubleshooting purposes to understand incoming and outgoing traffic based on source MAC, destination MAC, outer VLAN tag attributes, inner VLAN tag attributes, source IP, destination IP and other fields of a packet.

Any form of firewall filter with multiple matching condition/terms can easily exhaust ACX PFE memory. We suggest to using firewall filter as specific as possible. Avoid "or" in matching conditions and a large prefix list. Be sure to remove them after troubleshooting is complete.

This article provides an example for configuring an ethernet-switching filter to match incoming and outgoing DHCPv4 packets.
 

Solution:

Interface Configuration 

lab@lab#show interfaces ae0
flexible-vlan-tagging;
encapsulation flexible-ethernet-services;
unit 1000 {
    encapsulation vlan-bridge;
    vlan-id 1000;
    family ethernet-switching {
        filter {
            input test;
            output test;
        }
    }
}

VLAN Configuration

lab@lab#show vlans
S1000 {
    vlan-id 1000;
    interface ae0.1000;
}


Filter Configuration 

lab@lab# show firewall 
family ethernet-switching {
    filter test {
        interface-specific; ##This is a MUST for egress filter  
        term 1 {
            from {
                source-port [ 67 68 ];
                ip-protocol udp;
            }
            then {
                accept;
                count packet;
            }
        }
        term 2 {
            then accept;
        }
    }
}

Filter counter 

lab@lab>show firewall    

Filter: test-ae0.1000-o                                        
Counters:
Name                              Bytes      Packets
packet-ae0.1000-o                  1966            6

Filter: test-ae0.1000-i                                        
Counters:
Name                              Bytes      Packets
packet-ae0.1000-i                  1268            4
Note: Action of log/syslog of packets are not supported.

All possible matching conditions 

lab@lab#set firewall family ethernet-switching filter test term 1 from ?

Possible completions:

> destination-mac-address  Match MAC destination address
+ destination-port     Match TCP/UDP destination port
> destination-prefix-list  Match IP destination prefixes in named list
+ dscp                 Match Differentiated Services (DiffServ) code point
+ ether-type           Match Ethernet Type
+ icmp-code            Match ICMP message code
+ icmp-type            Match ICMP message type
+ interface-group      Match interface group
> ip-destination-address  Match IP destination address
+ ip-precedence        Match IP precedence value
+ ip-protocol          Match IP protocol type
> ip-source-address    Match IP source address
+ learn-vlan-1p-priority  Match Learned 802.1p VLAN priority
+ learn-vlan-dei       Match Learnt VLAN ID DEI bit
+ learn-vlan-id        Match Learnt VLAN ID
> source-mac-address   Match MAC source address
+ source-port          Match TCP/UDP source port
> source-prefix-list   Match IP source prefixes in named list
+ user-vlan-1p-priority  Match User 802.1p VLAN priority
+ user-vlan-id         Match User VLAN ID
+ vlan-ether-type      Match VLAN Ethernet type
Modification History:
2019-12-21: Minor, non-technical edit.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search