Using a firewall filter as egress rewrite function

How to use a firewall filter as an egress direction rewrite function.

The rewrite rule is usually enabled by the class-of-service hierarchy; however, sometimes the firewall filter is used to enable the rewrite rule. This can lead to different behaviors on different platforms, as shown in the examples below.

The goal in the following example is to verify that the firewall filter can change the DSCP value from 2 to another value. In this example, the test is to change value 2 to 0 and 5. The result is that this works on some platforms but not on others.

We define a counter filter on counter_receiver to identify the DSCP value of the packets received. DUT-Devices are tested separately with T-series , MX-series Trio and MX-series DPC platforms. The different behaviors will be seen in the Solution section.

Topology :

1. Define a filter to collect corresponding ICMP packets in a trail for rewrite rule verification at the far-end interface.
   
   root@Counter_receiver-re0> show configuration firewall family inet filter counter-mc family inet { filter counter-mc { term 1 { from { dscp 0; } then { count DSCP-0; accept; } } term 2 { from { dscp 2; } then { count DSCP-2; accept; } } term 3 { from { dscp 5; } then { count DSCP-5; accept; } } term 4 { then accept; } } }

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35

   root@Counter_receiver-re0> show configuration firewall family inet filter counter-mc   family inet {     filter counter-mc {         term 1 {             from {                 dscp 0;             }             then {                 count DSCP-0;                 accept;             }         }         term 2 {             from {                 dscp 2;             }             then {                 count DSCP-2;                 accept;             }         }         term 3 {             from {                 dscp 5;             }             then {                 count DSCP-5;                 accept;             }         }         term 4 {             then accept;         }     } }

2. Enable the rewrite rule by the firewall filter on the device.
   
   root@T1600-re0> show configuration firewall family inet filter test interface-specific; term rewrite { then { count dscp_reset; dscp 0; <<<< To change DSCP value 2 into 0, also test to discover whether it can be changed into value 5. } } root@T1600-re0> show configuration interfaces xe-5/1/2 unit 0 { family inet { filter { output test; <<<< To apply the filter as output direction on DUT-Device. } address 10.1.1.1/24; } }

   1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

   root@T1600-re0> show configuration firewall family inet filter test interface-specific; term rewrite {     then {         count dscp_reset;         dscp 0;      <<<< To change DSCP value 2 into 0, also test to discover whether it can be changed into value 5.     } }   root@T1600-re0> show configuration interfaces xe-5/1/2     unit 0 {     family inet {         filter {             output test;   <<<< To apply the filter as output direction on DUT-Device.         }         address 10.1.1.1/24;     } }

3. Verify ICMP with a Type of Service (ToS) value for test.
   Note: The ToS is a bit different from DSCP on tail 2 bits. Here, 8 means DSCP 2
   
   root@ICMP_sender-re0> ping 10.1.1.2 logical-system test-src rapid count 100 size 1000 tos 8 PING 10.1.1.2 (10.1.1.2): 1000 data bytes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! --- 10.1.1.2 ping statistics --- 100 packets transmitted, 100 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.876/1.681/52.649/5.193 ms

   1 2 3 4 5 6

   root@ICMP_sender-re0> ping 10.1.1.2 logical-system test-src rapid count 100 size 1000 tos 8 PING 10.1.1.2 (10.1.1.2): 1000 data bytes !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! --- 10.1.1.2 ping statistics --- 100 packets transmitted, 100 packets received, 0% packet loss round-trip min/avg/max/stddev = 0.876/1.681/52.649/5.193 ms

4. Collect the ICMP packet at the far-end router in the firewall filter defined in Step 1.
   Use the command show firewall filter to capture the ICMP packet.

T-Series Platform

• The firewall filter functions on the lookup engine can affect the egress rewrite rule, but the limit of that rewrite value is 0.

Dense Port Concentrator Expansion Module (DPCE) Platform

• This platform does not support using the firewall filter to enable the rewrite rule function, as per design.

Modular Processing Card (MPC) Platform

• The lookup engine can do multiple lookups repeatedly, so the DSCP value can be changed by firewall filter to any number.

T-Series platform

• Without filter collection on Counter_receiver router filter:
  
  root@Counter_receiver-re0> show firewall filter counter-mc Filter: counter-mc Counters: Name Bytes Packets DSCP-0 0 0 DSCP-2 102800 100 DSCP-5 0 0

  1 2 3 4 5 6 7 8

  root@Counter_receiver-re0> show firewall filter counter-mc       Filter: counter-mc                                             Counters: Name                                                Bytes              Packets DSCP-0                                                  0                    0 DSCP-2                                             102800                  100 DSCP-5                                                  0                    0

• With filter collection on Counter_receiver router filter:
  
  root@Counter_receiver-re0> show firewall filter counter-mc Filter: counter-mc Counters: Name Bytes Packets DSCP-0 102800 100 DSCP-2 0 0 DSCP-5 0 0

  1 2 3 4 5 6 7 8

  root@Counter_receiver-re0> show firewall filter counter-mc       Filter: counter-mc                                             Counters: Name                                                Bytes              Packets DSCP-0                                             102800                  100   DSCP-2                                                  0                    0 DSCP-5                                                  0                    0

MX-DPCE platform

• With filter collection on Counter_receiver router filter:
  
  root@mx480-a-re0# commit and-quit [edit interfaces ge-0/1/0 unit 0 family inet] 'filter' Referenced filter 'test' cannot be used because "then dscp" is not supported on ge-0/1/0. Filter will not be applied. commit complete Exiting configuration mode root@Counter_receiver-re0> show firewall filter counter-mc Filter: counter-mc Counters: Name Bytes Packets DSCP-0 0 0 DSCP-2 102800 100 DSCP-5 0 0

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

  root@mx480-a-re0# commit and-quit [edit interfaces ge-0/1/0 unit 0 family inet]   'filter'     Referenced filter 'test' cannot be used because "then dscp" is not supported on ge-0/1/0. Filter will not be applied.   commit complete Exiting configuration mode   root@Counter_receiver-re0> show firewall filter counter-mc       Filter: counter-mc                                             Counters: Name                                                Bytes              Packets DSCP-0                                                  0                    0 DSCP-2                                             102800                  100 DSCP-5                                                  0                    0

MX-MPC platform

• Without filter collection on Counter_receiver router filter:
  
  root@Counter_receiver-re0> show firewall filter counter-mc Filter: counter-mc Counters: Name Bytes Packets DSCP-0 0 0 DSCP-2 102800 100 DSCP-5 0 0

  1 2 3 4 5 6 7 8

  root@Counter_receiver-re0> show firewall filter counter-mc       Filter: counter-mc                                             Counters: Name                                                Bytes              Packets DSCP-0                                                  0                    0 DSCP-2                                             102800                  100 DSCP-5                                                  0                    0

• With filter collection on Counter_receiver router filter:
  
  root@Counter_receiver-re0> show firewall filter counter-mc Filter: counter-mc Counters: Name Bytes Packets DSCP-0 102800 100 DSCP-2 0 0 DSCP-5 0 0 [edit firewall family inet filter test] root@mx480-a-re0# show interface-specific; term rewrite { then { count dscp_reset; dscp 5; } } root@T1600-re0> show firewall filter counter-mc Filter: counter-mc Counters: Name Bytes Packets DSCP-0 102800 100 DSCP-2 0 0 DSCP-5 102800 100

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

  root@Counter_receiver-re0> show firewall filter counter-mc       Filter: counter-mc                                             Counters: Name                                                Bytes              Packets DSCP-0                                             102800                  100   DSCP-2                                                  0                    0 DSCP-5                                                  0                    0   [edit firewall family inet filter test] root@mx480-a-re0# show interface-specific; term rewrite {     then {         count dscp_reset;         dscp 5;     } }   root@T1600-re0> show firewall filter counter-mc       Filter: counter-mc                                             Counters: Name                                                Bytes              Packets DSCP-0                                             102800                  100 DSCP-2                                                  0                    0 DSCP-5                                             102800                  100