[j-nsp] Firewall filter help.

Gary Tate gtate at juniper.net
Fri Nov 21 18:34:59 EST 2003


Add a count statement in the 'then' part of the filters to see if it is 
catching the source address 1.1.1.1/32.

You can use show firewall filter DDD

Add a counter to the default accept term also and you will see what 
action is being caught.

If it is being sent to the routing-instance DDD then you need to check 
that you can reach the next-hop.

Try:

ping 3.3.3.3 source 1.1.1.1 routing-instance DDD

Gary

On Nov 21, 2003, at 1:12 PM, Mike Sumrall wrote:

> Hello all,
>
> I am new to this List and also the Juniper.  I have just installed a
> customer that uses about 70M worth of B/W.  Since I am running a
> multi-homed BGP environment and I only have B/W to support 70M worth
> of traffic on one of my providers, I need to hard code this new
> customer to that provider.  Not knowing what the best way to do this
> is, I decided to implement a firewall filter (not sure what other
> options I have?).  I already had a firewall set up for another
> customer (filter AAA below) which seemed to work just fine so I
> figured that I could do the same thing but every time I apply the
> filter to my customer's interface all of their traffic goes to zero.
> I've checked all of my resources for help but to no avail.  I am
> running Juniper M10 with ver 5.6r1.3.  Filter AAA seems to work fine,
> filter CCC (what I am trying to implement) does not work.  This may be
> simple to you guys but I am stumped.  I know I must be doing something
> wrong but I cannot figure it out.  Please help.  Thanks in advance.
>
> Juno# show firewall
> family inet {
>     filter AAA {
>         term main {
>             from {
>                 source-prefix-list {
>                     AAA;
>                 }
>             }
>             then routing-instance BBB;
>         }
>         term Default {
>             then accept;
>         }
>     }
>     filter CCC {
>         term main {
>             from {
>                 source-address {
>                     1.1.1.1/32;
>                 }
>             }
>             then routing-instance DDD;
>         }
>         term Default {
>             then accept;
>         }
>     }
> }
>
>
> Juno# show routing-instances
> DDD {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 3.3.3.3;
>         }
>     }
> }
> BBB {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 2.2.2.2;
>         }
>     }
> }
>
> Thanks,
>
>  -Mike
> msumrall at ic2net.net
>
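
The counter check described in the reply above, as an added example that is not part of either message: it parses `show firewall filter` output taken at two points in time and reports which term the customer's traffic is hitting. The counter names ccc-main and ccc-default and the sample output are constructed assumptions; they presume a count action with those names was added to each term of filter CCC.

```python
import re

# Constructed sample of "show firewall filter CCC" output. The counter names
# ccc-main and ccc-default are assumptions: they exist only if a "count"
# action with those names was added to term main and term Default.
SAMPLE = """\
Filter: CCC
Counters:
Name                                                Bytes              Packets
ccc-default                                             0                    0
ccc-main                                           840000                10000
"""

ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")

def parse_counters(text):
    """Return {counter_name: packets} from the Counters table."""
    counters, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("Name") and "Packets" in line:
            in_table = True
            continue
        if in_table:
            m = ROW.match(line)
            if not m:
                break  # blank line or next section ("Policers:") ends the table
            counters[m.group(1)] = int(m.group(3))
    return counters

def diagnose(before, after, main="ccc-main", default="ccc-default"):
    """Compare two snapshots taken while the customer is sending traffic."""
    for name in (main, default):
        if name not in before or name not in after:
            raise KeyError(f"counter {name!r} not in output; is 'count' configured?")
    d_main, d_default = after[main] - before[main], after[default] - before[default]
    if d_main < 0 or d_default < 0:
        raise ValueError("counters went backwards; cleared between snapshots?")
    if d_main > 0 and d_default == 0:
        return "term main matches: check next-hop reachability in the routing instance"
    if d_main == 0 and d_default > 0:
        return "only the default term matches: the source address is not being caught"
    if d_main > 0 and d_default > 0:
        return "both terms match: only part of the traffic has the expected source"
    return "no packets counted: filter not applied to this interface or no traffic"

if __name__ == "__main__":
    print(diagnose({"ccc-main": 0, "ccc-default": 0}, parse_counters(SAMPLE)))
```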


