JUNOS 9.5 Routing Protocols Configuration Guide

Configuring a Flow Route

A flow route is an aggregation of match conditions for IP packets. Flow routes are propagated through the network using flow-specification network-layer reachability information (NLRI) messages and installed into the flow routing table instance-name.inetflow.0. Packets can travel through flow routes only if specific match conditions are met.

Flow routes and firewall filters are similar in that they filter packets based on their components and perform an action on the packets that match. Flow routes provide traffic filtering and rate-limiting capabilities much like firewall filters. In addition, you can propagate flow routes across different autonomous systems.

To configure a flow route, include the flow statement:


            
               flow {
               
               
                  
                     route name {
                     
                     
                        
                           match {
                           match-conditions;
                           
                           }
                        
                     
                     
                        
                           then {
                           actions;
                           
                           }
                        
                     
                     }
                  
               
               
                  
                     validation {
                     
                        
                           traceoptions {
                           
                           file filename <files number> <size size> <world-readable |
                              no-world-readable>;
                           
                           flag flag <flag-modifier> <disable>;
                           
                           }
                        
                     
                     }
                  
               
               }

For a list of hierarchy levels at which you can include this statement, see the statement summary section for this statement.

Flow routes are propagated by BGP through flow-specification NLRI messages. You must enable BGP to propagate these NLRIs. For more information on configuring BGP, see BGP Configuration Guidelines.

The following sections describe the specified tasks:

Configuring the Match Condition

You specify conditions that the packet must match before the action in the then statement is taken for a flow route. All conditions in the from statement must match for the action to be taken. The order in which you specify match conditions is not important, because a packet must match all the conditions in a term for a match to occur.

To configure a match condition, include the match statement at the [edit routing-options flow] hierarchy level:


            
               [edit routing-options flow]
               
               match {
               match-conditions;
               
               }

Table 5 describes the flow route match conditions.

Table 5: Flow Route Match Conditions

Match Condition	Description
destination prefix	IP destination address field.
destination-port number	TCP or User Datagram Protocol (UDP) destination port field. You cannot specify both the port and destination-port match conditions in the same term. In place of the numeric value, you can specify one of the following text synonyms (the port numbers are also listed): afs (1483), bgp (179), biff (512), bootpc (68), bootps (67), cmd (514), cvspserver (2401), dhcp (67), domain (53), eklogin (2105), ekshell (2106), exec (512), finger (79), ftp (21), ftp-data (20), http (80), https (443), ident (113), imap (143), kerberos-sec (88), klogin (543), kpasswd (761), krb-prop (754), krbupdate (760), kshell (544), ldap (389), login (513), mobileip-agent (434), mobilip-mn (435), msdp (639), netbios-dgm (138), netbios-ns (137), netbios-ssn (139), nfsd (2049), nntp (119), ntalk (518), ntp (123), pop3 (110), pptp (1723), printer (515), radacct (1813), radius (1812), rip (520), rkinit (2108), smtp (25), snmp (161), snmptrap (162), snpp (444), socks (1080), ssh (22), sunrpc (111), syslog (514), tacacs-ds (65), talk (517), telnet (23), tftp (69), timed (525), who (513), xdmcp (177), zephyr-clt (2103), or zephyr-hm (2104).
dscp number	Differentiated Services code point (DSCP). The DiffServ protocol uses the type-of-service (ToS) byte in the IP header. The most significant six bits of this byte form the DSCP. You can specify DSCP in hexadecimal or decimal form.
fragment type	Fragment type field. The keywords are grouped by the fragment type with which they are associated: dont-fragment first-fragment is-fragment last-fragment not-a-fragment
icmp-code number	ICMP code field. This value or keyword provides more specific information than icmp-type. Because the value’s meaning depends upon the associated icmp-type value, you must specify icmp-type along with icmp-code. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed). The keywords are grouped by the ICMP type with which they are associated: parameter-problem: ip-header-bad (0), required-option-missing (1) redirect: redirect-for-host (1), redirect-for-network (0), redirect-for-tos-and-host (3), redirect-for-tos-and-net (2) time-exceeded: ttl-eq-zero-during-reassembly (1), ttl-eq-zero-during-transit (0) unreachable: communication-prohibited-by-filtering (13), destination-host-prohibited (10), destination-host-unknown (7), destination-network-prohibited (9), destination-network-unknown (6), fragmentation-needed (4), host-precedence-violation (14), host-unreachable (1), host-unreachable-for-TOS (12), network-unreachable (0), network-unreachable-for-TOS (11), port-unreachable (3), precedence-cutoff-in-effect (15), protocol-unreachable (2), source-host-isolated (8), source-route-failed (5)
icmp-type number	ICMP packet type field. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): echo-reply (0), echo-request (8), info-reply (16), info-request (15), mask-request (17), mask-reply (18), parameter-problem (12), redirect (5), router-advertisement (9), router-solicit (10), source-quench (4), time-exceeded (11), timestamp (13), timestamp-reply (14), or unreachable (3).
packet-length number	Total IP packet length.
port number	TCP or UDP source or destination port field. You cannot specify both the port match and either the destination-port or source-port match condition in the same term. In place of the numeric value, you can specify one of the text synonyms listed under destination-port.
protocol number	IP protocol field. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ah, egp (8), esp (50), gre (47), icmp (1), igmp (2), ipip (4), ipv6 (41), ospf (89), pim (103), rsvp (46), tcp (6), or udp (17).
source prefix	IP source address field.
source-port number	TCP or UDP source port field. You cannot specify the port and source-port match conditions in the same term. In place of the numeric field, you can specify one of the text synonyms listed under destination-port.
tcp-flag type	TCP header format.

Configuring the Action

You can specify the action to take if the packet matches the conditions you have configured in the flow route. To configure an action, include the then statement at the [edit routing-options flow] hierarchy level:


            
               [edit routing-options flow]
               
               then {
               action;
               
               }

Table 6 describes the flow route actions.

Table 6: Flow Route Action Modifiers

Action or Action Modifier	Description
Actions
accept	Accept a packet. This is the default.
discard	Discard a packet silently, without sending an Internet Control Message Protocol (ICMP) message.
community	Replace any communities in the route with the specified communities.
next-term	Continue to the next match condition for evaluation.
routing-instance extended-community	Specify a routing instance to which packets are forwarded.
rate-limit rate	Limit the bandwidth on the flow route.
sample	Sample the traffic on the flow route.

Validating Flow Routes

Flow routes are installed into the flow routing table only if they have been validated using the validation procedure. The Routing Engine does the validation before installing routes into the flow routing table.

Flow routes received using the BGP NLRI messages are validated before they are installed into the flow primary instance routing table instance.inetflow.0. The validation procedure is described in the draft-ietf-idr-flow-spec-00.txt, Dissemination of Flow Specification Rules. You can bypass the validation process and use your own specific import policy.

To trace validation operations, include the validation statement at the [edit routing-options flow] hierarchy level:


            
               [edit routing-options flow]
               
               validation {
               
                  
                     traceoptions {
                     
                     file filename <files number> <size size> <world-readable |
                        no-world-readable>;
                     
                     
                     flag flag <flag-modifier> <disable>;
                     
                     }
                  
               
               }

[Contents][Prev][Next][Index]