Using a firewall filter as egress rewrite function

How to use a firewall filter as an egress direction rewrite function.

The rewrite rule is normally applied through the class-of-service hierarchy (a rewrite rule bound to the egress interface); sometimes, however, a firewall filter with a dscp action is used instead to set the DSCP value on egress. Whether that filter action actually changes the DSCP depends on the platform, as the examples below show.

The goal of the following test is to verify whether a firewall filter can change the DSCP value of transit packets from 2 to another value. Two rewrites are tried: 2 to 0 and 2 to 5. The result is that this works on some platforms and not on others.

A counter filter is defined on the far-end router, counter_receiver, to identify the DSCP value of the packets it receives. The device under test (DUT) is tested separately on a T-series platform, an MX-series MPC (Trio) platform and an MX-series DPC platform; the different behaviors are listed per platform below.

Topology:

  1. On the far-end (counter_receiver) interface, define a filter with one counting term per DSCP value, so that the DSCP of the ICMP packets arriving there can be read from the counters after the rewrite.

  2. On the DUT, enable the rewrite with a firewall filter whose action sets the DSCP value (instead of a class-of-service rewrite rule).

  3. Send ICMP (ping) with a Type of Service (ToS) value chosen for the test.
    Note: ToS is the whole byte; DSCP is its upper 6 bits and the low 2 bits are ECN. ToS 8 (binary 00001000) therefore corresponds to DSCP 2.

  4. On the far-end router, read the counters of the filter defined in Step 1.
    Use the command show firewall filter <filter-name>; the counter that advances shows which DSCP value the ICMP packets arrived with (the filter counts packets, it does not capture them).
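The four steps above as one worked Junos configuration. This is an added example, not configuration from the original article: the filter names, interface names (ge-0/0/0 on counter_receiver facing the DUT, ge-0/0/1 on the DUT facing counter_receiver) and the address 192.0.2.2 for counter_receiver are assumptions.

```junos
## Added example; names, interfaces and addresses below are assumptions.

## Step 1 - counter_receiver: one counting term per DSCP value on the
## interface facing the DUT. Only ICMP is counted so background traffic
## does not pollute the counters.
set firewall family inet filter DSCP-COUNT term dscp0 from protocol icmp
set firewall family inet filter DSCP-COUNT term dscp0 from dscp 0
set firewall family inet filter DSCP-COUNT term dscp0 then count icmp-dscp0
set firewall family inet filter DSCP-COUNT term dscp0 then accept
set firewall family inet filter DSCP-COUNT term dscp2 from protocol icmp
set firewall family inet filter DSCP-COUNT term dscp2 from dscp 2
set firewall family inet filter DSCP-COUNT term dscp2 then count icmp-dscp2
set firewall family inet filter DSCP-COUNT term dscp2 then accept
set firewall family inet filter DSCP-COUNT term dscp5 from protocol icmp
set firewall family inet filter DSCP-COUNT term dscp5 from dscp 5
set firewall family inet filter DSCP-COUNT term dscp5 then count icmp-dscp5
set firewall family inet filter DSCP-COUNT term dscp5 then accept
set firewall family inet filter DSCP-COUNT term other then accept
set interfaces ge-0/0/0 unit 0 family inet filter input DSCP-COUNT

## Step 2 - DUT: rewrite DSCP 2 with an egress (output) firewall filter.
## First run: 2 -> 0. For the second run change "then dscp 0" to "then dscp 5".
set firewall family inet filter DSCP-REWRITE term rewrite from dscp 2
set firewall family inet filter DSCP-REWRITE term rewrite then dscp 0
set firewall family inet filter DSCP-REWRITE term rewrite then accept
set firewall family inet filter DSCP-REWRITE term other then accept
set interfaces ge-0/0/1 unit 0 family inet filter output DSCP-REWRITE

## Step 3 - DUT, operational mode: send ICMP with ToS 8, i.e. DSCP 2, ECN 0
## (the ping "tos" option takes the whole ToS byte, so DSCP 2 << 2 = 8).
##   user@dut> ping 192.0.2.2 tos 8 count 5 rapid

## Step 4 - counter_receiver, operational mode: see which counter advanced.
##   user@receiver> show firewall filter DSCP-COUNT
## Clear the counters between the 2->0 and 2->5 runs so they stay unambiguous:
##   user@receiver> clear firewall filter DSCP-COUNT
```

If icmp-dscp2 advances, the filter action had no effect; if icmp-dscp0 (or icmp-dscp5 in the second run) advances, the rewrite worked on that platform. Comparing the ping reply count on the DUT with the receiver counters, with and without the counter filter applied, is what the per-platform results below record.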

T-Series Platform

  • A firewall filter action on the lookup engine can override the egress rewrite, but the only value it can write is 0: the rewrite from 2 to 0 works, the rewrite from 2 to 5 does not.

Dense Port Concentrator Enhanced (DPCE) Platform

  • By design, this platform does not support enabling the rewrite function from a firewall filter, so the filter's dscp action has no effect on the egress DSCP.

Modular Port Concentrator (MPC) Platform

  • The Trio lookup engine can perform repeated lookups on the same packet, so a firewall filter can change the DSCP value to any number; both 2 to 0 and 2 to 5 work.

T-Series platform

  • Without the counter filter on counter_receiver:
  • With the counter filter on counter_receiver:

MX-DPCE platform

  • With the counter filter on counter_receiver:

MX-MPC platform

  • Without the counter filter on counter_receiver:
  • With the counter filter on counter_receiver:

About the author

Prasanna
