[j-nsp] Juniper FBF
Mellott, Eric
mellotte at netcsc.com
Fri Jul 23 08:51:28 EDT 2004
Having a filter-based forwarding problem.... I have set up the appropriate
routing-instance and firewall filters, but my traffic is not being
forwarded out to the specified next hop. The specified next hop is
reachable and in the table. Below is a copy of a test configuration that I
have been working on. As you can see from the configuration below, I am
trying to redirect a packet (source of 144.251.1.1 and destination of
2.11.100.11) coming into interface fe-1/1/0 out interface fe-1/1/2. It
just so happens that the network that 2.11.100.11 belongs to is directly
connected to interface fe-1/1/1. I have set up firewall counters to see
where my hits are taking place.

When I try to test this configuration, I see hits on my INT_IN counter
but nowhere else. It seems the packets make it to the router and then
die. With further testing, I can connect a host to the fe-1/1/1
interface that has the IP address of 2.11.100.11. When this is done the
router will ARP for 2.11.100.11 and forward the packet out the fe-1/1/1
interface and my TEST-OUT counter will register the hit.

I guess my problem is that I don't want the router to ARP for
2.11.100.11, I want it to use the FBF and forward the packet out
interface fe-1/1/2 to 20.20.20.2. Any help would be greatly
appreciated!

Thank you,
Eric
Interfaces:
fe-1/1/0 {
    unit 0 {
        family inet {
            filter {
                input INT_IN;
            }
            address 144.251.0.1/16;
        }
    }
}
fe-1/1/1 {
    unit 0 {
        family inet {
            filter {
                output TEST-OUT;
            }
            address 2.11.100.101/16;
        }
    }
}
fe-1/1/2 {
    unit 0 {
        family inet {
            filter {
                input IF-COUNT-IN;
                output IF-COUNT-OUT;
            }
            address 20.20.20.1/24;
        }
    }
}
Routing-options:
routing-options {
    interface-routes {
        rib-group inet VPN-group;
    }
    rib-groups {
        VPN-group {
            import-rib [ inet.0 IF-route-table.inet.0 ];
        }
    }
}
Firewall:
firewall {
    family inet {
        filter INT_IN {
            term Redirect {
                from {
                    source-address {
                        144.251.1.1/32;
                    }
                    destination-address {
                        2.11.100.11/32;
                    }
                }
                then {
                    count INT-IN;
                    routing-instance IF-route-table;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter IF-COUNT-OUT {
            term 1 {
                from {
                    source-address {
                        144.251.1.1/32;
                    }
                    destination-address {
                        2.11.100.11/32;
                    }
                }
                then {
                    count IF-COUNT-OUT;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter IF-COUNT-IN {
            term 1 {
                from {
                    source-address {
                        2.11.100.11/32;
                    }
                    destination-address {
                        144.251.1.1/32;
                    }
                }
                then {
                    count IF-COUNT-IN;
                    accept;
                }
            }
            term 2 {
                then accept;
            }
        }
        filter TEST-OUT {
            term 1 {
                then {
                    count TEST-OUT;
                    accept;
                }
            }
        }
    }
}
Routing-instances:
routing-instances {
    IF-route-table {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 20.20.20.2;
            }
        }
    }
}
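As an added illustration (not part of the original post), the following Python model shows how the lookup in the forwarding instance's table behaves: rib-group VPN-group copies the interface routes into IF-route-table.inet.0, so the table holds the connected 2.11.0.0/16 route next to the static default, and longest-prefix match picks the more specific connected route for 2.11.100.11. The table contents and the "host route" remedy are assumptions constructed from the posted configuration, not anything the poster or Juniper provides.

```python
import ipaddress

# Constructed model of IF-route-table.inet.0 as the posted configuration
# builds it: interface (connected) routes imported by rib-group VPN-group
# plus the instance's static default route.
POSTED_INSTANCE_TABLE = {
    "144.251.0.0/16": ("connected", "fe-1/1/0"),
    "2.11.0.0/16":    ("connected", "fe-1/1/1"),
    "20.20.20.0/24":  ("connected", "fe-1/1/2"),
    "0.0.0.0/0":      ("static", "20.20.20.2"),
}


def longest_prefix_match(table, dst):
    """Return (prefix, (kind, next_hop)) for the most specific route covering dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, entry in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, entry)
    return (str(best[0]), best[1]) if best else None


def fbf_lookup(table, src, dst, filter_src="144.251.1.1", filter_dst="2.11.100.11"):
    """Model filter INT_IN: a flow matching term Redirect is looked up in the
    instance table; anything else hits term 2 'accept' and would use inet.0
    (not modelled here, so None is returned)."""
    if src == filter_src and dst == filter_dst:
        return longest_prefix_match(table, dst)
    return None


def with_host_route(table, host="2.11.100.11/32", next_hop="20.20.20.2"):
    """Assumed remedy for illustration only: add a static route in the
    instance that is more specific than the imported connected route."""
    patched = dict(table)
    patched[host] = ("static", next_hop)
    return patched


if __name__ == "__main__":
    print(fbf_lookup(POSTED_INSTANCE_TABLE, "144.251.1.1", "2.11.100.11"))
    print(fbf_lookup(with_host_route(POSTED_INSTANCE_TABLE), "144.251.1.1", "2.11.100.11"))
```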