Using a firewall filter as egress rewrite function

June 28, 2016 by Marques Brownlee

How to use a firewall filter as an egress direction rewrite function.

The rewrite rule is usually enabled under the class-of-service hierarchy; however, sometimes a firewall filter is used to perform the rewrite instead. This can lead to different behavior on different platforms, as the examples below show.

The goal of the following example is to verify whether a firewall filter can change the DSCP value of a packet from 2 to another value. The test changes the value 2 to 0 and then to 5. The result is that this works on some platforms but not on others.

A counter filter is defined on Counter_receiver to identify the DSCP value of the packets it receives. The DUT is tested separately on T-series, MX-series Trio (MPC) and MX-series DPC platforms. The different behaviors are shown in the Solution section.

Topology:

+-------------+            +------------+              +------------------+
| ICMP-sender +------------+ DUT-Device +--------------+ Counter_receiver |
+-------------+            +------------+              +------------------+
  1. Define a filter on the far-end router that counts the ICMP packets by DSCP value, so the effect of the rewrite rule can be verified at the far-end interface.
    root@Counter_receiver-re0> show configuration firewall family inet filter counter-mc  
    family inet {
        filter counter-mc {
            term 1 {
                from {
                    dscp 0;
                }
                then {
                    count DSCP-0;
                    accept;
                }
            }
            term 2 {
                from {
                    dscp 2;
                }
                then {
                    count DSCP-2;
                    accept;
                }
            }
            term 3 {
                from {
                    dscp 5;
                }
                then {
                    count DSCP-5;
                    accept;
                }
            }
            term 4 {
                then accept;
            }
        }
    }
  2. Enable the rewrite rule by the firewall filter on the device.
    root@T1600-re0> show configuration firewall family inet filter test 
    interface-specific;
    term rewrite {
        then {
            count dscp_reset;
            dscp 0;      <<<< To change DSCP value 2 into 0; the test is then repeated to discover whether it can be changed into value 5.
        }
    }
    
    root@T1600-re0> show configuration interfaces xe-5/1/2    
    unit 0 {
        family inet {
            filter {
                output test;   <<<< To apply the filter in the output direction on the DUT-Device.
            }
            address 10.1.1.1/24;
        }
    }
  3. Send ICMP with a Type of Service (ToS) value for the test.
    Note: The ToS byte is not the DSCP value itself. DSCP is the upper 6 bits of the ToS byte and the lower 2 bits are ECN, so tos 8 (binary 00001000) means DSCP 2.

    root@ICMP_sender-re0> ping 10.1.1.2 logical-system test-src rapid count 100 size 1000 tos 8 
    PING 10.1.1.2 (10.1.1.2): 1000 data bytes
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    --- 10.1.1.2 ping statistics ---
    100 packets transmitted, 100 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.876/1.681/52.649/5.193 ms
  4. Read the counters of the firewall filter defined in Step 1 on the far-end router.
    Use the command show firewall filter counter-mc to see which DSCP counter the ICMP packets were matched against.
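The four steps above can be modelled end to end in a few lines of code. The following is an added example, not part of the original post and not Junos code: it builds constructed IPv4 headers with the ToS byte the ping command uses, extracts DSCP from the ToS byte (DSCP is the upper 6 bits, ECN the lower 2), rewrites the DSCP the way the `test` filter does on the DUT (recomputing the IPv4 header checksum), and counts the result with a model of the `counter-mc` filter, where terms are evaluated in order and the first match wins. The addresses and packet sizes are assumptions chosen to reproduce the byte counts seen on the page (100 packets of 1028 bytes).

```python
import socket
import struct

# ToS byte layout: DSCP (6 bits) | ECN (2 bits). `ping ... tos 8` therefore sends DSCP 2.
def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & 0x3F

def tos_from_dscp(dscp: int, ecn: int = 0) -> int:
    if not 0 <= dscp <= 63 or not 0 <= ecn <= 3:
        raise ValueError("DSCP must be 0..63 and ECN 0..3")
    return (dscp << 2) | ecn

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over the header; 0 on a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(tos: int, src: str, dst: str, total_length: int = 1028,
                      proto: int = 1, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (assumption: 1000 data + 8 ICMP + 20 IP = 1028 bytes)."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, total_length, 0, 0, ttl,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def parse_header(pkt: bytes) -> dict:
    """Validate the header and return the fields the counter filter needs."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if ipv4_checksum(pkt[:20]) != 0:
        raise ValueError("bad IPv4 header checksum")
    tos = pkt[1]
    return {"dscp": dscp_from_tos(tos), "ecn": tos & 0x3,
            "total_length": struct.unpack("!H", pkt[2:4])[0]}

def rewrite_dscp(pkt: bytes, new_dscp: int) -> bytes:
    """Model of `then dscp N` on the DUT: set DSCP, keep ECN, fix the checksum."""
    tos = tos_from_dscp(new_dscp, pkt[1] & 0x3)
    hdr = bytes([pkt[0], tos]) + pkt[2:10] + b"\x00\x00" + pkt[12:20]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + pkt[20:]

# Model of the counter-mc filter on Counter_receiver: terms in order, first match wins;
# term 4 ("then accept") matches everything else and has no counter.
COUNTER_TERMS = (("DSCP-0", 0), ("DSCP-2", 2), ("DSCP-5", 5))

def counter_mc(packets) -> dict:
    counters = {name: {"bytes": 0, "packets": 0} for name, _ in COUNTER_TERMS}
    for pkt in packets:
        info = parse_header(pkt)
        for name, dscp in COUNTER_TERMS:
            if info["dscp"] == dscp:
                counters[name]["bytes"] += info["total_length"]
                counters[name]["packets"] += 1
                break
    return counters

def run_test(rewrite_to=None, count=100) -> dict:
    """Send `count` constructed packets with tos 8; optionally rewrite DSCP on the DUT."""
    pkts = [build_ipv4_header(8, "10.0.0.1", "10.1.1.2") for _ in range(count)]
    if rewrite_to is not None:
        pkts = [rewrite_dscp(p, rewrite_to) for p in pkts]
    return counter_mc(pkts)

if __name__ == "__main__":
    for label, target in (("no rewrite", None), ("rewrite to 0", 0), ("rewrite to 5", 5)):
        print(label, run_test(target))
```

Without a rewrite the packets land in `DSCP-2` (102800 bytes, 100 packets), which is the Counter_receiver output the page shows before the filter is applied; with the rewrite they move to `DSCP-0` or `DSCP-5`. The model always succeeds because it has no platform limit; on the real hardware the page's point is exactly that the T-series can only rewrite to 0 and the DPC cannot rewrite at all.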

T-Series Platform

  • The firewall filter action on the lookup engine can affect the egress rewrite, but the only value it can rewrite the DSCP to is 0.

Dense Port Concentrator Expansion Module (DPCE) Platform

  • This platform does not support using a firewall filter to perform the rewrite, by design.

Modular Processing Card (MPC) Platform

  • The lookup engine can perform multiple lookups repeatedly, so the firewall filter can change the DSCP value to any number.

T-Series platform

  • Counter_receiver counters without the rewrite filter applied on the DUT:
    root@Counter_receiver-re0> show firewall filter counter-mc    
    
    Filter: counter-mc                                             
    Counters:
    Name                                                Bytes              Packets
    DSCP-0                                                  0                    0
    DSCP-2                                             102800                  100
    DSCP-5                                                  0                    0
  • Counter_receiver counters with the rewrite filter applied on the DUT:
    root@Counter_receiver-re0> show firewall filter counter-mc    
    
    Filter: counter-mc                                             
    Counters:
    Name                                                Bytes              Packets
    DSCP-0                                             102800                  100  
    DSCP-2                                                  0                    0
    DSCP-5                                                  0                    0
    
MX-DPCE platform

  • Counter_receiver counters with the rewrite filter applied on the DUT (the commit refuses to apply it):
    root@mx480-a-re0# commit and-quit 
    [edit interfaces ge-0/1/0 unit 0 family inet]
      'filter'
        Referenced filter 'test' cannot be used because "then dscp" is not supported on ge-0/1/0. Filter will not be applied.  
    commit complete
    Exiting configuration mode
    
    root@Counter_receiver-re0> show firewall filter counter-mc    
    
    Filter: counter-mc                                             
    Counters:
    Name                                                Bytes              Packets
    DSCP-0                                                  0                    0
    DSCP-2                                             102800                  100
    DSCP-5                                                  0                    0

MX-MPC platform

  • Counter_receiver counters without the rewrite filter applied on the DUT:
    root@Counter_receiver-re0> show firewall filter counter-mc     
    
    Filter: counter-mc                                             
    Counters:
    Name                                                Bytes              Packets
    DSCP-0                                                  0                    0
    DSCP-2                                             102800                  100
    DSCP-5                                                  0                    0
  • Counter_receiver counters with the rewrite filter applied on the DUT, first rewriting to 0 and then to 5:
    root@Counter_receiver-re0> show firewall filter counter-mc    
    
    Filter: counter-mc                                             
    Counters:
    Name                                                Bytes              Packets
    DSCP-0                                             102800                  100  
    DSCP-2                                                  0                    0
    DSCP-5                                                  0                    0
    
    [edit firewall family inet filter test]
    root@mx480-a-re0# show 
    interface-specific;
    term rewrite {
        then {
            count dscp_reset;
            dscp 5;
        }
    }
    
    root@T1600-re0> show firewall filter counter-mc    
    
    Filter: counter-mc                                             
    Counters:
    Name                                                Bytes              Packets
    DSCP-0                                             102800                  100
    DSCP-2                                                  0                    0
    DSCP-5                                             102800                  100
