[j-nsp] Juniper FBF
Harshit Kumar
harshit at juniper.net
Fri Jul 23 18:00:25 EDT 2004
Mellott,

Looks like there might be a direct route through fe-1/1/1 for 2.11/16
and a static route 0/0 pointing to nh 20.20.20.2. The former would
be preferred over the latter for destination 2.11.*.*. A "show route"
can confirm/deny my guess.

- Harshit
>-----Original Message-----
>From: juniper-nsp-bounces at puck.nether.net
>[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Mellott, Eric
>Sent: Friday, July 23, 2004 5:51 AM
>To: juniper-nsp at puck.nether.net
>Subject: [j-nsp] Juniper FBF
>
>Having a filter-based forwarding problem. I have set up the appropriate
>routing-instance and firewall filters, but my traffic is not being
>forwarded out to the specified next hop. The specified next-hop is
>reachable and in the table. Below is a copy of a test configuration that I
>have been working on. As you can see from the configuration below, I am
>trying to redirect a packet (source of 144.251.1.1 and destination of
>2.11.100.11) coming into interface fe-1/1/0 out interface fe-1/1/2. It
>just so happens that the network that 2.11.100.11 belongs to is directly
>connected to interface fe-1/1/1. I have set up firewall counters to see
>where my hits are taking place.
>
>When I try to test this configuration, I see hits on my INT_IN counter
>but nowhere else. It seems the packets make it to the router and then
>die. With further testing, I can connect a host to the fe-1/1/1
>interface that has the IP address of 2.11.100.11. When this is done the
>router will ARP for 2.11.100.11 and forward the packet out the fe-1/1/1
>interface and my TEST-OUT counter will register the hit.
>
>I guess my problem is that I don't want the router to ARP for
>2.11.100.11, I want it to use the FBF and forward the packet out
>interface fe-1/1/2 to 20.20.20.2. Any help would be greatly
>appreciated!
>
>Thank you,
>
>Eric
>
>Interfaces:
>
>    fe-1/1/0 {
>        unit 0 {
>            family inet {
>                filter {
>                    input INT_IN;
>                }
>                address 144.251.0.1/16;
>            }
>        }
>    }
>    fe-1/1/1 {
>        unit 0 {
>            family inet {
>                filter {
>                    output TEST-OUT;
>                }
>                address 2.11.100.101/16;
>            }
>        }
>    }
>    fe-1/1/2 {
>        unit 0 {
>            family inet {
>                filter {
>                    input IF-COUNT-IN;
>                    output IF-COUNT-OUT;
>                }
>                address 20.20.20.1/24;
>            }
>        }
>    }
>
>Routing-options:
>
>routing-options {
>    interface-routes {
>        rib-group inet VPN-group;
>    }
>    rib-groups {
>        VPN-group {
>            import-rib [ inet.0 IF-route-table.inet.0 ];
>        }
>    }
>}
>
>Firewall:
>
>firewall {
>    family inet {
>        filter INT_IN {
>            term Redirect {
>                from {
>                    source-address {
>                        144.251.1.1/32;
>                    }
>                    destination-address {
>                        2.11.100.11/32;
>                    }
>                }
>                then {
>                    count INT-IN;
>                    routing-instance IF-route-table;
>                }
>            }
>            term 2 {
>                then accept;
>            }
>        }
>        filter IF-COUNT-OUT {
>            term 1 {
>                from {
>                    source-address {
>                        144.251.1.1/32;
>                    }
>                    destination-address {
>                        2.11.100.11/32;
>                    }
>                }
>                then {
>                    count IF-COUNT-OUT;
>                    accept;
>                }
>            }
>            term 2 {
>                then accept;
>            }
>        }
>        filter IF-COUNT-IN {
>            term 1 {
>                from {
>                    source-address {
>                        2.11.100.11/32;
>                    }
>                    destination-address {
>                        144.251.1.1/32;
>                    }
>                }
>                then {
>                    count IF-COUNT-IN;
>                    accept;
>                }
>            }
>            term 2 {
>                then accept;
>            }
>        }
>        filter TEST-OUT {
>            term 1 {
>                then {
>                    count TEST-OUT;
>                    accept;
>                }
>            }
>        }
>    }
>}
>
>Routing-instances:
>
>routing-instances {
>    IF-route-table {
>        instance-type forwarding;
>        routing-options {
>            static {
>                route 0.0.0.0/0 next-hop 20.20.20.2;
>            }
>        }
>    }
>}
>
>
>_______________________________________________
>juniper-nsp mailing list juniper-nsp at puck.nether.net
>http://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
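The lookup behaviour Harshit describes can be checked offline with a small longest-prefix-match model of the poster's routing-instance. This is an added example, not code from the thread or from Juniper: it models IF-route-table.inet.0 after the VPN-group rib-group has copied the interface routes into it (prefixes taken from the posted interface addresses), and shows that the imported 2.11.0.0/16 direct route is the longest match for 2.11.100.11, so the 0.0.0.0/0 static route toward 20.20.20.2 is never consulted. The "with_host_route" table adds a /32 static route to the instance; that remedy is an assumption of this example, not something the thread states, and the table contents are constructed.

```python
import ipaddress

# Constructed model of the interface routes that "interface-routes { rib-group
# inet VPN-group; }" copies into both inet.0 and IF-route-table.inet.0.
# Prefixes come from the posted interface addresses; the egress is the
# interface name, as it would be for a direct route.
INTERFACE_ROUTES = [
    ("144.251.0.0/16", "fe-1/1/0"),
    ("2.11.0.0/16", "fe-1/1/1"),
    ("20.20.20.0/24", "fe-1/1/2"),
]

# The forwarding instance's own static route from the posted config.
INSTANCE_STATIC = [("0.0.0.0/0", "20.20.20.2")]


def build_fbf_table(extra_routes=()):
    """IF-route-table.inet.0 as posted, plus any routes the caller adds."""
    return INTERFACE_ROUTES + INSTANCE_STATIC + list(extra_routes)


def longest_match(table, dst):
    """Return (prefix, next_hop) for the longest prefix covering dst.

    Longest prefix match is decided before route preference, which is why a
    /16 direct route beats a /0 static route regardless of protocol.
    """
    addr = ipaddress.ip_address(dst)
    best_net, best_nh = None, None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_nh = net, nh
    return None if best_net is None else (str(best_net), best_nh)


def egress_interface(table, dst):
    """Resolve a destination to an outgoing interface.

    A direct route names the interface itself; a static route's next-hop IP
    is looked up again in the same table (one level of recursion is enough
    for this model).
    """
    match = longest_match(table, dst)
    if match is None:
        return None
    _, nh = match
    if nh.startswith("fe-"):
        return nh
    resolved = longest_match(table, nh)
    return resolved[1] if resolved else None


if __name__ == "__main__":
    as_posted = build_fbf_table()
    # The imported /16 wins, so the packet leaves via fe-1/1/1 and the router
    # ARPs for 2.11.100.11, exactly the symptom the poster reports.
    print(longest_match(as_posted, "2.11.100.11"))
    print(egress_interface(as_posted, "2.11.100.11"))
    # Assumed remedy (not from the thread): a host route in the instance that
    # is more specific than the imported /16.
    with_host_route = build_fbf_table([("2.11.100.11/32", "20.20.20.2")])
    print(egress_interface(with_host_route, "2.11.100.11"))
```

Running the script prints the `/16` match and `fe-1/1/1` for the posted table, and `fe-1/1/2` once the more specific route is present; on the router itself, `show route table IF-route-table.inet.0 2.11.100.11` is the equivalent check.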