Problem
You want to find out how much traffic is passing through an interface.
Solution
To check how much traffic is successfully passing through an interface, add the count option to a then clause that accepts traffic:
[edit firewall filter incoming-to-me]
aviva@RouterF# set term final-accept then count incoming-accepted
aviva@RouterF# set term final-accept then accept
To track unwanted traffic, use the count option and a then clause that discards traffic:
[edit firewall filter incoming-to-me]
aviva@RouterF# set term reject-addresses then count bad-addresses
aviva@RouterF# set term reject-addresses then discard
To look at the counters, use the show firewall filter command:
aviva@RouterF> show firewall filter incoming-to-me
Filter: incoming-to-me
Counters:
Name                    Bytes    Packets
incoming-accepted         246          4
Discussion
Either as part of your standard network practices or while tracking a problem, you often want to know how much traffic has either successfully passed through an interface or how much traffic attempted but failed to pass through an interface. You do this by counting the packets that match each term in a firewall filter.
The first command in this recipe counts all the traffic accepted by the interface other than the ICMP and BGP traffic. Each counter is identified by name, and this counter is called incoming-accepted.
Use the show firewall filter command to see the counters. The output is very straightforward, showing how many bytes and packets have matched the final-accept term in the filter.
The second command in this recipe shows how to count unwanted traffic. As a general point, you rarely just reject a firewall term without also either counting the rejections or logging or syslogging it (see Recipe 9.13). Tracking the rejections is useful for documenting abuse of your router, attacks on the router, or even misconfigurations.
As with routing policy, you define firewall filters in a common location in the configuration and then apply them where needed. Designing filters that apply to several interfaces in the router can help minimize your administrative overhead. If you do use the same filter on more than one interface, the packet counts from the two interfaces are stored in the same counter. Use the following configuration command to create separate counters for packets from the different interfaces:
[edit firewall filter incoming-to-me]
aviva@RouterF# set interface-specific
Again, use the show firewall filter command to see the counters:
aviva@RouterF> show firewall filter ?
Possible completions:
  counter                         Counter name
  incoming-to-me-fe-0/0/1.0-i
  incoming-to-me-t1-0/0/3.0-i
aviva@RouterF> show firewall filter incoming-to-me-t1-0/0/3.0-i
Filter: incoming-to-me-t1-0/0/3.0-i
Counters:
Name                              Bytes    Packets
incoming-accepted-t1-0/0/3.0-i     6474        105
The interface name and the direction suffix i (for input) are appended to the filter name and to each counter name, so the packets from the two interfaces are kept in two separate buckets.
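Once the counters exist, the operational question is usually "how fast is the discard counter growing?" rather than its absolute value. The following Python script is an added example, not code from the cookbook or from Juniper: it parses the text of the show firewall filter output shown in this recipe (the sample outputs below are constructed in that shape, using the recipe's counter names), computes byte and packet deltas between two polls, and sums packets hitting the discard counter across interface-specific buckets by stripping the interface-name and i/o direction suffix. The counter names, the two-poll workflow and the discard counter list are assumptions of the example.

```python
"""Parse JUNOS 'show firewall filter' counter output and report growth
between two polls.  Added example; all sample output below is constructed."""
import re

# Constructed output of 'show firewall filter incoming-to-me', first poll.
SAMPLE_T0 = """\
Filter: incoming-to-me
Counters:
Name                       Bytes     Packets
incoming-accepted            246           4
bad-addresses                  0           0
"""

# Constructed output of the same command on a later poll.
SAMPLE_T1 = """\
Filter: incoming-to-me
Counters:
Name                       Bytes     Packets
incoming-accepted           1310          21
bad-addresses               2720          40
"""

# Constructed output after 'set interface-specific' (values from the recipe).
SAMPLE_IFSPEC = """\
Filter: incoming-to-me-t1-0/0/3.0-i
Counters:
Name                              Bytes    Packets
incoming-accepted-t1-0/0/3.0-i     6474        105
"""

FILTER_RE = re.compile(r"^Filter:\s+(\S+)")
# A counter line is a name followed by two integer columns (Bytes, Packets);
# the 'Name Bytes Packets' header has no digits and so does not match.
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")
# Interface-specific suffix: '-<ifd>-<fpc>/<pic>/<port>[.unit]-<i|o>', where
# i and o are the JUNOS input/output direction markers.
IFSPEC_SUFFIX_RE = re.compile(r"-[a-z]+\d*-\d+/\d+/\d+(?:\.\d+)?-[io]$")


def parse_counters(output):
    """Return {filter_name: {counter_name: (bytes, packets)}}."""
    filters = {}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        m = FILTER_RE.match(line)
        if m:
            current = m.group(1)
            filters[current] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            name, nbytes, npkts = m.groups()
            filters[current][name] = (int(nbytes), int(npkts))
    return filters


def counter_deltas(before, after):
    """Per filter and counter, (byte delta, packet delta) between two polls.
    Counters absent from the earlier poll are treated as starting at zero."""
    deltas = {}
    for fname, counters in after.items():
        prev = before.get(fname, {})
        deltas[fname] = {}
        for cname, (b, p) in counters.items():
            pb, pp = prev.get(cname, (0, 0))
            deltas[fname][cname] = (b - pb, p - pp)
    return deltas


def base_counter_name(name):
    """Strip an interface-specific suffix such as '-t1-0/0/3.0-i' so that
    per-interface buckets can be grouped under the configured counter name."""
    return IFSPEC_SUFFIX_RE.sub("", name)


def discarded_packets(deltas, discard_counters=("bad-addresses",)):
    """Packets that hit a discard counter since the previous poll, summed
    across all filters and interface-specific buckets."""
    total = 0
    for counters in deltas.values():
        for cname, (_, p) in counters.items():
            if base_counter_name(cname) in discard_counters:
                total += p
    return total


if __name__ == "__main__":
    d = counter_deltas(parse_counters(SAMPLE_T0), parse_counters(SAMPLE_T1))
    for fname, counters in d.items():
        for cname, (db, dp) in counters.items():
            print(f"{fname} {cname}: +{db} bytes, +{dp} packets")
    print("discarded since last poll:", discarded_packets(d))
```

In practice the two samples would come from two runs of the command (for example over an automated SSH session) separated by a fixed interval, and a steadily non-zero delta on the discard counter is the signal worth alerting on, since the recipe's final-accept counter growing is expected behaviour.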