Juniper Policy-Based / Filter-Based Forwarding (FBF)

Juniper's FBF implementation breaks into two parts:
1. Firewall filter: direct filtered packets to a specific routing instance
   – the filter is applied to an interface in the input or output direction
2. Construction of routing instances: use an import policy to choose which routes go into which routing instance
Part 1. Firewall filter: direct filtered packets to a specific routing instance
– Configure the filter: match conditions and an action
– Apply the filter to an interface in the input or output direction

Filter match conditions (Junos CLI help output; ">" marks a keyword with its own subhierarchy, "+" one that accepts a list of values)
> address Match IP source or destination address
+ ah-spi Match IPSec AH SPI value
+ ah-spi-except Do not match IPSec AH SPI value
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> destination-address Match IP destination address
+ destination-class Match destination class
+ destination-class-except Do not match destination class
+ destination-port Match TCP/UDP destination port
+ destination-port-except Do not match TCP/UDP destination port
> destination-prefix-list Match IP destination prefixes in named list
+ dscp Match Differentiated Services (DiffServ) code point (DSCP)
+ dscp-except Do not match Differentiated Services (DiffServ) code point (DSCP)
+ esp-spi Match IPSec ESP SPI value
+ esp-spi-except Do not match IPSec ESP SPI value
first-fragment Match if packet is the first fragment
+ forwarding-class Match forwarding class
+ forwarding-class-except Do not match forwarding class
fragment-flags Match fragment flags
+ fragment-offset Match fragment offset
+ fragment-offset-except Do not match fragment offset
+ icmp-code Match ICMP message code
+ icmp-code-except Do not match ICMP message code
+ icmp-type Match ICMP message type
+ icmp-type-except Do not match ICMP message type
+ interface-group Match interface group
+ interface-group-except Do not match interface group
+ ip-options Match IP options
+ ip-options-except Do not match IP options
is-fragment Match if packet is a fragment
+ packet-length Match packet length
+ packet-length-except Do not match packet length
+ port Match TCP/UDP source or destination port
+ port-except Do not match TCP/UDP source or destination port
+ precedence Match IP precedence value
+ precedence-except Do not match IP precedence value
> prefix-list Match IP source or destination prefixes in named list
+ protocol Match IP protocol type
+ protocol-except Do not match IP protocol type
> source-address Match IP source address
+ source-class Match source class
+ source-class-except Do not match source class
+ source-port Match TCP/UDP source port
+ source-port-except Do not match TCP/UDP source port
> source-prefix-list Match IP source prefixes in named list
tcp-established Match packet of an established TCP connection
tcp-flags Match TCP flags
tcp-initial Match initial packet of a TCP connection
Filter actions
accept Accept the packet
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
count Count the packet in the named counter
> discard Discard the packet
forwarding-class Classify packet to forwarding class
ipsec-sa Use specified IPSec security association
load-balance Use specified load balancing group
log Log the packet
> logical-router Use specified logical router
loss-priority Packet's loss priority
next Continue to next term in a filter
next-hop-group Use specified next-hop group
policer Police the packet using the named policer
port-mirror Port-mirror the packet
prefix-action Police or count packets using named prefix action
> reject Reject the packet
routing-instance Use specified routing instance
sample Sample the packet
syslog System log (syslog) information about the packet
Part 2. Construction of routing instances: use an import policy to choose which routes go into which routing instance
1. Import all BGP routes into rib-group peer

Note: the rib-group takes routes from the Adj-RIB-In, which is unlike the Loc-RIB: the Loc-RIB holds only the best routes, while the Adj-RIB-In has not yet been through route selection.

protocols {
    bgp {
        family inet {
            unicast {
                rib-group peer;
            }
        }
        group ibgp {
            type internal;
            family inet {
                unicast;
            }
            family inet-vpn {
                unicast;
            }
            neighbor 1.1.1.1;
        }
    }
}
2. Choose specific routes into specific routing instances

routing-options {
    interface-routes {
        rib-group inet peer;                           -- (1) put direct routes into rib-group peer
    }
    rib-groups {
        peer {
            import-rib [ inet.0 p1.inet.0 p2.inet.0 ];  -- (2) put rib-group peer routes into inet.0, p1.inet.0, p2.inet.0
            import-policy peer;                        -- (3) filter specific routes into routing instances
        }
    }
}
policy-options {
    policy-statement peer {
        term p1 {
            from {
                protocol bgp;
                community r5;
            }
            to rib p1.inet.0;
            then {
                local-preference 110;
                accept;
            }
        }
        term p2 {
            from {
                protocol bgp;
                community r6;
            }
            to rib p2.inet.0;
            then {
                local-preference 120;
                accept;
            }
        }
    }
}
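A complete Part 1 configuration, added here as an illustration and not taken from the slides: a firewall filter that classifies packets by source subnet and hands them to routing instance p1 or p2, applied inbound on an interface, plus the forwarding-type instances whose p1.inet.0 and p2.inet.0 tables the Part 2 rib-group fills. The filter name fbf-in, the interface ge-0/0/0 and the 10.1.x.0/24 addresses are assumed values.

```junos
firewall {
    family inet {
        filter fbf-in {
            term to-p1 {
                from {
                    source-address {
                        10.1.1.0/24;
                    }
                }
                then {
                    routing-instance p1;
                }
            }
            term to-p2 {
                from {
                    source-address {
                        10.1.2.0/24;
                    }
                }
                then {
                    routing-instance p2;
                }
            }
            /* a filter ends with an implicit discard: this term keeps unmatched traffic in inet.0 */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input fbf-in;
                }
                address 10.1.0.1/24;
            }
        }
    }
}
routing-instances {
    p1 {
        instance-type forwarding;
    }
    p2 {
        instance-type forwarding;
    }
}
```

Check with show route table p1.inet.0 that the rib-group has actually delivered routes into the instance before relying on the filter to steer traffic; a packet sent to an empty instance table has no route and is dropped.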
Routing policy match conditions (from)
aggregate-contributor Match more specifics of an aggregate
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
area OSPF area identifier
+ as-path Name of AS path regular expression (BGP only)
+ as-path-group Name of AS path group (BGP only)
color Color (preference) value
color2 Color (preference) value 2
+ community BGP community
> external External route
family
instance Routing protocol instance
+ interface Interface name or address
level IS-IS level
local-preference Local preference associated with a route
metric Metric value
metric2 Metric value 2
metric3 Metric value 3
metric4 Metric value 4
+ neighbor Neighboring router
+ next-hop Next-hop router
origin BGP origin attribute
+ policy Name of policy to evaluate
preference Preference value
preference2 Preference value 2
> prefix-list List of prefix-lists of routes to match
+ protocol Protocol from which route was learned
rib Routing table
> route-filter List of routes to match
route-type Route type
> source-address-filter List of source addresses to match
tag Tag string
tag2 Tag string 2
Routing policy match conditions (to)
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
area OSPF area identifier
+ as-path Name of AS path regular expression (BGP only)
+ as-path-group Name of AS path group (BGP only)
color Color (preference) value
color2 Color (preference) value 2
+ community BGP community
> external External route
family
instance Routing protocol instance
+ interface Interface name or address
level IS-IS level
local-preference Local preference associated with a route
metric Metric value
metric2 Metric value 2
metric3 Metric value 3
metric4 Metric value 4
+ neighbor Neighboring router
+ next-hop Next-hop router
origin BGP origin attribute
+ policy Name of policy to evaluate
preference Preference value
preference2 Preference value 2
+ protocol Protocol from which route was learned
rib Routing table
tag Tag string
tag2 Tag string 2
Routing policy actions
accept Accept a route
+ apply-groups Groups from which to inherit configuration data
+ apply-groups-except Don't inherit configuration data from these groups
> as-path-expand Prepend AS numbers prior to adding local-as (BGP only)
as-path-prepend Prepend AS numbers to an AS path (BGP only)
class Set class-of-service parameters
> color Color (preference) value
> color2 Color (preference) value 2
> community BGP community properties associated with a route
cos-next-hop-map Set CoS-based next-hop map in forwarding table
damping Define BGP route flap damping parameters
default-action Set default policy action
destination-class Set destination class in forwarding table
> external External route
forwarding-class Set source or destination class in forwarding table
> install-nexthop Choose the next hop to be used for forwarding
> load-balance Type of load balancing in forwarding table
> local-preference Local preference associated with a route
> metric Metric value
> metric2 Metric value 2
> metric3 Metric value 3
> metric4 Metric value 4
next Skip to next policy or term
> next-hop Set the address of the next-hop router
origin BGP path origin
> preference Preference value
> preference2 Preference value 2
reject Reject a route
source-class Set source class in forwarding table
> tag Tag string
> tag2 Tag string 2
trace Log matches to a trace file