
[MX] Configuration example - Flex filter counting packets based on host IP within VXLAN tunnel


Article ID: KB36600 KB Last Updated: 20 Mar 2021Version: 1.0
Summary:

This article explains how to configure a flex filter on an MX router and apply it on the physical interface over which a VXLAN tunnel is established, so that packets are counted based on the inner host IP addresses (source and destination). The filter can be used for troubleshooting, both to count packets coming in from the leaf to the MX and to count packets flowing between two PE devices (across DCs) in an EVPN Type 5 scenario with VXLAN encapsulation.

Symptoms:

For host traffic encapsulated in VXLAN, filters cannot be applied on the VTEP interfaces to count packets from specific hosts. A flex filter on the physical interface can help in such cases.

Solution:

Topology:  

                          +----------VXLAN tunnel--------------+                                   +------+
+------+                  |                                    |                                   |      |
|      |          +-------|------+                     +-------|------+                            |remote|
| local|          |              |                     |              |                            |host  |
| host |          |              |     physical        |    MX        |--------............--------|      |
|      |----------|     Leaf     |-----interface-------|    Spine/GW  |          Remote DC         |      |
|      |          |              |   Underlay EBGP  ^  |              |           network          |      |
|      |          +--------------+                  |  +--------------+                            +------+
+------+                                            |                                                      
                                                    |                                                      
                                                    |                                                      
                                                    |                                                      
                                              Interface where the
                                              flex-filter is applied

The flex filter example below matches both the source IP and the destination IP of the innermost IP packet in VXLAN-tunneled traffic. It can be applied on the underlay interface (the interface over which the EBGP session with the Leaf/Spine is established) to count host-to-host packets. A similar filter can also be used on the core-facing interface when using EVPN Type 5 with VXLAN encapsulation.

Packet format:

Ethernet--IPv4--UDP--VXLAN--Ethernet--IPv4--<.payload.>

Flow:

  • source IP is 0xac1205ef, i.e. 172.18.5.239
  • destination IP is 0xac120901, i.e. 172.18.9.1
  • xe-0/1/0 is the interface facing the leaf, on which the VXLAN tunnel is established

Configuration:  

The configuration below shows the filter applied in the input direction. It can also be applied in the output direction, with the source and destination IP values adjusted accordingly.

[edit firewall]
family inet {
    filter flex_filter_vxlan {
        interface-specific;
        term 1 {
            from {
                flexible-match-mask {
                    mask-in-hex 0xffffffff;
                    prefix 0xac1205ef; <--- source IP
                    flexible-mask-name src_ip;
                }
                flexible-match-range {
                    range 0xac120901; <--- destination IP
                    flexible-range-name dest_ip;
                }
            }
            then {
                count count_pkts;
                accept;
            }
        }
        term 2 {
            then accept;
        }
    }
}
flexible-match src_ip {
    match-start layer-4;
    byte-offset 42;
    bit-offset 0;
    bit-length 32;                     
}
flexible-match dest_ip {
    match-start layer-4;
    byte-offset 46;
    bit-offset 0;
    bit-length 32;
}

[edit interfaces xe-0/1/0]
mtu 9192;
unit 0 {
    family inet {
        filter {
            input flex_filter_vxlan;
        }
        address 192.168.2.13/30;
    }
}
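To see why the flexible-match definitions use byte-offset 42 and 46 from the start of layer 4 (outer UDP 8 bytes + VXLAN header 8 bytes + inner Ethernet 14 bytes, then 12 and 16 bytes into the inner IPv4 header), the following added example builds a VXLAN-encapsulated frame like the one in this article and emulates what term 1 of flex_filter_vxlan reads and counts. This is illustrative code, not Junos or MX code; the frame contents are constructed, and it also shows one failure mode a practitioner should expect: an 802.1Q tag on the inner Ethernet header shifts the inner IPs by 4 bytes, so such packets are not counted by these offsets.

```python
import ipaddress
import struct

# Offsets from the article's flexible-match definitions: match-start layer-4 means
# counting begins at the outer UDP header; inner IPv4 src/dst sit 12/16 bytes into inner IP.
UDP_HDR, VXLAN_HDR, ETH_HDR = 8, 8, 14
SRC_IP_OFFSET = UDP_HDR + VXLAN_HDR + ETH_HDR + 12   # byte-offset 42 (src_ip)
DST_IP_OFFSET = UDP_HDR + VXLAN_HDR + ETH_HDR + 16   # byte-offset 46 (dest_ip)

def _ipv4_hdr(src, dst, payload_len, ttl):
    """Minimal 20-byte IPv4 header, protocol UDP; checksum left 0 (irrelevant to matching)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def build_vxlan_frame(inner_src, inner_dst, vni=65510, inner_vlan=None):
    """Constructed sample: outer Ethernet/IPv4/UDP/VXLAN carrying inner Ethernet/IPv4/UDP."""
    inner_udp = struct.pack("!HHHH", 68, 67, 8, 0)                 # dummy inner UDP header
    inner_ip = _ipv4_hdr(inner_src, inner_dst, len(inner_udp), 63) + inner_udp
    tag = struct.pack("!HH", 0x8100, inner_vlan) if inner_vlan is not None else b""
    inner_eth = b"\x02" * 12 + tag + b"\x08\x00" + inner_ip          # dummy MACs, optional 802.1Q
    vxlan = struct.pack("!B3sI", 0x08, b"\x00\x00\x00", vni << 8)    # flags=I, VNI in upper 24 bits
    outer_udp = struct.pack("!HHHH", 23157, 4789, 8 + len(vxlan) + len(inner_eth), 0)
    outer_ip = _ipv4_hdr("192.168.2.249", "192.168.2.251",
                         len(outer_udp) + len(vxlan) + len(inner_eth), 64)
    return b"\x02" * 12 + b"\x08\x00" + outer_ip + outer_udp + vxlan + inner_eth

def flex_field(frame, byte_offset, bit_length=32):
    """Value that 'match-start layer-4; byte-offset N; bit-offset 0; bit-length 32' reads."""
    l4_start = ETH_HDR + (frame[ETH_HDR] & 0x0F) * 4   # outer IHL, so outer IP options do not matter
    start = l4_start + byte_offset
    return int.from_bytes(frame[start:start + bit_length // 8], "big")

def term1_matches(frame, src_prefix=0xAC1205EF, src_mask=0xFFFFFFFF,
                  dst_range=(0xAC120901, 0xAC120901)):
    """term 1 of flex_filter_vxlan: src_ip prefix under mask-in-hex AND dest_ip within range."""
    src = flex_field(frame, SRC_IP_OFFSET)
    dst = flex_field(frame, DST_IP_OFFSET)
    return (src & src_mask) == (src_prefix & src_mask) and dst_range[0] <= dst <= dst_range[1]

def count_pkts(frames):
    """Emulate the 'count count_pkts' action: number of frames term 1 would count."""
    return sum(1 for f in frames if term1_matches(f))

if __name__ == "__main__":
    frames = [build_vxlan_frame("172.18.5.239", "172.18.9.1"),                   # the article's flow
              build_vxlan_frame("172.18.9.1", "172.18.5.239"),                   # reverse direction
              build_vxlan_frame("172.18.5.239", "172.18.9.1", inner_vlan=100)]   # tagged inner frame
    print("count_pkts:", count_pkts(frames))   # 1: reverse flow and VLAN-tagged frame are not counted
```

If the inner frames carry a VLAN tag, the byte-offset values in the flexible-match definitions must be increased by 4 for the filter to count them.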

Verification commands:

labroot@mx-router> show firewall   
<..>
Filter: flex_filter_vxlan-xe-0/1/0.0-i  
Counters:
Name                      Bytes       Packets
count_pkts-xe-0/1/0.0-i   740         2

Actual Packet:

  • Frame 1: 180 bytes on wire (1440 bits)
  • Ethernet II
  • Internet Protocol Version 4
    • 0100 .... = Version: 4
    • .... 0101 = Header Length: 20 bytes (5)
    • Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    • Total Length: 370
    • Identification: 0x000a (10)
    • Flags: 0x0000
    • Fragment offset: 0
    • Time to live: 64
    • Protocol: UDP (17)
    • Header checksum: 0xf22c
    • Header checksum status: Unverified
    • Source: 192.168.2.249
    • Destination: 192.168.2.251
  • User Datagram Protocol
    • Source Port: 23157
    • Destination Port: 4789
    • Length: 350 (bogus, payload length 146)
    • Checksum: [missing]
    • Checksum Status: Not present
    • Stream index: 0
    • Timestamps
  • Virtual eXtensible Local Area Network
    • Flags: 0x0800, VXLAN Network ID (VNI)
    • Group Policy ID: 0
    • VXLAN Network Identifier (VNI): 65510
    • Reserved: 0
  • Ethernet II
  • Internet Protocol Version 4
    • 0100 .... = Version: 4
    • .... 0101 = Header Length: 20 bytes (5)
    • Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
    • Total Length: 320
    • Identification: 0x1081 (4225)
    • Flags: 0x0000
    • Fragment offset: 0
    • Time to live: 63
    • Protocol: UDP (17)
    • Header checksum: 0x0318
    • Header checksum status: Unverified
    • Source: 172.18.5.239    <--- matching here
    • Destination: 172.18.9.1 <--- matching here
  • User Datagram Protocol
  • Dynamic Host Configuration Protocol
  • [Malformed Packet: DHCP/BOOTP]

EVPN Type 5 topology: 

                               +--------------------------------|                                               
                               |        VXLAN Tunnel            |                                               
+-----+                        |                                |                      +-----+
|lcl  |                   +-------+                         +-------+                  | rmt |
|host |                   |       |                         |       |                  | host|
|     |     +--------+    |  DC1  |                         |  DC2  |    +--------+    |     |
|     |-----|  Leaf  |----|  GW   |------------------------ |  GW   |----|  Leaf  |----|     |
|     |     |        |    |       |  |  core interface   |  |       |    |        |    |     |
+-----+     +--------+    |       |  |                   |  |       |    +--------+    +-----+
                          +-------+  |                   |  +-------+                                   
                                     |                   |                                                      
                                     |                   |                                                      
                                     |                   |                                                      
                                      interface where    |                                                      
                                      flex-filter can be                                                        
                                      applied
