Question 7 - JN0-636 discussion

You are asked to deploy filter-based forwarding on your SRX Series device for incoming traffic sourced from the 10.10.100.0/24 network. In this scenario, which three statements are correct?

(Choose three.)

A. You must create a forwarding-type routing instance.
B. You must create and apply a firewall filter that matches on the source address 10.10.100.0/24 and then sends this traffic to your routing instance.
C. You must create and apply a firewall filter that matches on the destination address 10.10.100.0/24 and then sends this traffic to your routing instance.
D. You must create a RIB group that adds interface routes to your routing instance.
E. You must create a VRF-type routing instance.

Suggested answer: A, B, D

Explanation:

According to the Juniper documentation, filter-based forwarding (FBF) is a technique that allows the SRX Series device to forward packets based on firewall filter rules, rather than the default routing table [1]. FBF can be used to implement policy-based routing, load balancing, or traffic engineering [2].

To deploy FBF on the SRX Series device for incoming traffic sourced from the 10.10.100.0/24 network, the following steps are required:

You must create a forwarding-type routing instance. A forwarding-type routing instance is a special type of routing instance that is used for FBF. It does not have any interfaces or routing protocols associated with it, but it has its own routing table that can be populated by static routes, RIB groups, or routing policies [3]. You can create a forwarding-type routing instance by using the following command:

    set routing-instances <instance-name> instance-type forwarding

You must create and apply a firewall filter that matches on the source address 10.10.100.0/24 and then sends this traffic to your routing instance. A firewall filter is a set of rules that can match on various packet attributes, such as source and destination addresses, ports, protocols, and so on. You can use the then routing-instance action to specify the routing instance that the packet should be forwarded to [4]. You can create and apply a firewall filter by using the following commands:

    set firewall family inet filter <filter-name> term <term-name> from source-address 10.10.100.0/24
    set firewall family inet filter <filter-name> term <term-name> then routing-instance <instance-name>
    set interfaces <interface-name> unit <unit-number> family inet filter input <filter-name>

You must create a RIB group that adds interface routes to your routing instance. A RIB group is a mechanism that allows you to import routes from one routing table to another. You can use a RIB group to add the interface routes of the ingress interface to the routing table of the forwarding-type routing instance. This will ensure that the SRX device can forward the packets to the correct next hop based on the destination address [5]. You can create a RIB group by using the following commands:

    set routing-options rib-groups <rib-group-name> import-rib inet.0
    set routing-options rib-groups <rib-group-name> import-rib <instance-name>.inet.0
    set routing-options interface-routes rib-group inet <rib-group-name>
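
The three steps above combined into one set-command configuration, as an added example that is not part of the original explanation. The names FBF-ISP2, FBF-GROUP and FBF-FILTER, the interface ge-0/0/1 and the next hop 192.0.2.1 are assumptions. The example goes slightly beyond the steps by adding a route inside the instance and a final accept term, and it binds the RIB group with interface-routes rib-group inet.

```junos
# Added example: all names, the interface and the next-hop address are assumed values.

# Step 1: forwarding-type instance with its own table (FBF-ISP2.inet.0).
set routing-instances FBF-ISP2 instance-type forwarding
# The instance needs a route to forward on; here a static default to an assumed next hop.
set routing-instances FBF-ISP2 routing-options static route 0.0.0.0/0 next-hop 192.0.2.1

# Step 3: RIB group that copies interface routes into the instance,
# so the static next hop above can be resolved. inet.0 is listed first as the primary table.
set routing-options rib-groups FBF-GROUP import-rib inet.0
set routing-options rib-groups FBF-GROUP import-rib FBF-ISP2.inet.0
set routing-options interface-routes rib-group inet FBF-GROUP

# Step 2: filter that steers traffic sourced from 10.10.100.0/24 into the instance.
set firewall family inet filter FBF-FILTER term from-10-10-100 from source-address 10.10.100.0/24
set firewall family inet filter FBF-FILTER term from-10-10-100 then routing-instance FBF-ISP2
# A firewall filter ends with an implicit discard, so all other traffic
# must be accepted explicitly to keep following inet.0.
set firewall family inet filter FBF-FILTER term everything-else then accept

# Apply the filter inbound on the interface where 10.10.100.0/24 traffic arrives.
set interfaces ge-0/0/1 unit 0 family inet filter input FBF-FILTER
```

After commit, show route table FBF-ISP2.inet.0 should list the imported direct and local routes alongside the static default.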

The following steps are not required or incorrect:

You do not need to create a VRF-type routing instance. A VRF-type routing instance is a type of routing instance that is used for virtual routing and forwarding. It allows you to create multiple logical routers on the same physical device, each with its own interfaces, routing protocols, and routing tables. VRF-type routing instances are typically used for VPNs, MPLS, or network segmentation. However, they are not necessary for FBF, which can be achieved with a forwarding-type routing instance.

You do not need to create and apply a firewall filter that matches on the destination address 10.10.100.0/24 and then sends this traffic to your routing instance. This would be redundant and unnecessary, as the destination address of the incoming traffic is already determined by the routing table of the forwarding-type routing instance. Moreover, this would create a loop, as the traffic would be sent back to the same routing instance that it came from.

Reference:
[1] Filter-Based Forwarding Overview
[2] Configuring Filter-Based Forwarding
[3] forwarding (Routing Instances)
[4] routing-instance (Firewall Filter Action)
[5] Configuring RIB Groups
[vrf (Routing Instances)]

asked 18/09/2024
Pichai Chaipoon