[j-nsp] policy based routing, rib-groups and issues...
Bill Petrisko
billp at wjp.net
Tue Oct 26 03:45:28 EDT 2004
Ok... I have been playing with this for a bit, and I think
that everything looks good. Unfortunately, it does not work.
When I apply the firewall filter to the interface we want
to policy route from, NO traffic will pass through that
interface.
I'm hoping that there is a simple explanation that I am
overlooking at this late hour....
Here is the goal:
I have a router that has multiple upstreams and peers.
We currently have a peering session to peer X over the
public peering switch.
I need to be able to bring up a NEW private session to this
peer X, and ONLY send him the traffic from a group of
servers on interface ge-7/0/0.1. All other peer X traffic
should continue to use the public session.
Also note that any traffic from these servers NOT destined
for peer X need to follow the normal inet.0 routing table.
Here is the config from the lab:
interfaces {
    ge-7/0/0 {
        vlan-tagging;
        unit 1 {
            vlan-id 1;
            family inet {
                filter {
                    input servers-to-peerX;
                }
                address 192.168.91.17/30;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet peerX-group;
    }
    rib-groups {
        peerX-group {
            import-rib [ inet.0 peerX.inet.0 ];
            import-policy set-peer-private-comm;
        }
    }
    route-record;
}
protocols {
    bgp {
        advertise-inactive;
        group PEER {
            neighbor 192.168.91.22 {
                description "TEST public peer";
                import set-peer-public-comm;
                family inet {
                    unicast;
                }
                export reject-all;
                peer-as 23059;
            }
            neighbor 192.168.91.26 {
                description "TEST private peer";
                import set-peer-public-comm-backup;
                family inet {
                    unicast {
                        rib-group peerX-group;
                    }
                    any;
                }
                peer-as 23059;
            }
        }
    }
}
policy-options {
    policy-statement set-peer-private-comm {
        from inactive: rib peerX.inet.0;
        then {
            local-preference 400;
            accept;
        }
    }
    policy-statement set-peer-public-comm {
        then {
            local-preference 300;
        }
    }
    policy-statement set-peer-public-comm-backup {
        then {
            local-preference 290;
        }
    }
}
firewall {
    filter servers-to-peerX {
        term private-only {
            then routing-instance peerX.inet.0;
        }
        term all-other {
            then accept;
        }
    }
}
routing-instances {
    peerX {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
}
Everything looks like it should be working:
192.168.90.0/24 is the route being received from the peer.
root at jr3.phx3-LABROUTER> show route summary
Router ID: 192.168.91.2

inet.0: 146255 destinations, 146256 routes (146218 active, 36 holddown, 1 hidden)
              Direct:      5 routes,      4 active
               Local:      4 routes,      4 active
                 BGP: 146246 routes, 146209 active
              Static:      1 routes,      1 active

peerX.inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden)
              Direct:      5 routes,      4 active
               Local:      4 routes,      4 active
                 BGP:      1 routes,      1 active
              Static:      1 routes,      1 active
All the interface IP's and the BGP IP's from the .26 session
are properly installed in the routing table peerX:
root at jr3.phx3-LABROUTER> show route table peerX

peerX.inet.0: 11 destinations, 11 routes (10 active, 0 holddown, 1 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:31:23
                      to table inet.0
192.168.90.0/24    *[BGP/170] 00:15:03, MED 0, localpref 400
                      AS path: 23059 I
                    > to 192.168.91.26 via ge-7/0/0.3
192.168.91.16/30   *[Direct/0/-401] 00:16:50
                    > via ge-7/0/0.1
192.168.91.17/32   *[Local/0/-401] 00:16:49
                      Local via ge-7/0/0.1
192.168.91.20/30   *[Direct/0/-401] 00:16:50
                    > via ge-7/0/0.2
192.168.91.21/32   *[Local/0/-401] 00:16:49
                      Local via ge-7/0/0.2
192.168.91.24/30   *[Direct/0/-401] 00:16:50
                    > via ge-7/0/0.3
192.168.91.25/32   *[Local/0/-401] 00:16:49
                      Local via ge-7/0/0.3
Tracerouting to the route in the peerX.inet.0, forcing the use
of that routing instance fails:
root at jr3.phx3-LABROUTER> traceroute 192.168.90.99 routing-instance peerX
traceroute to 192.168.90.99 (192.168.90.99), 30 hops max, 40 byte packets
1 * * *
2 * * *
Tracerouting to the route via the normal routing table follows
the inet.0 route like it should:
root at jr3.phx3-LABROUTER> traceroute 192.168.90.99
traceroute to 192.168.90.99 (192.168.90.99), 30 hops max, 40 byte packets
1 192.168.91.22 1.871 ms
Even from the "server", I cannot get anywhere, on ANY route:
server-2600>traceroute 192.168.90.99
Type escape sequence to abort.
Tracing the route to 192.168.90.99
1 * * *
2 * * *
server-2600>traceroute 206.165.222.1
Type escape sequence to abort.
Tracing the route to 206.165.222.1
1 * * *
2 * * *
Yet, if I remove the interface filter that directs it to the
alternate routing group, all traceroutes work (non-peer go via
other upstreams, 192.168.90.99 peer route goes via public
peering session .22):
server-2600>traceroute 192.168.90.99
Tracing the route to (192.168.90.99)
1 (192.168.91.17) 0 msec 4 msec 0 msec
2 (192.168.91.22) 4 msec * 0 msec
server-2600>traceroute 206.165.222.1
Tracing the route to (206.165.222.1)
1 (192.168.91.17) 0 msec 0 msec 0 msec
2 (192.168.91.1) 0 msec 0 msec 24 msec
3 (64.211.60.165) 20 msec 20 msec 20 msec
4 (67.17.71.97) 64 msec 64 msec 64 msec
...etc
Hope this isn't too long winded, and isn't too confusing.
Thanks to anyone who can provide insight...
bill
Limelight Networks
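As an added illustration (not part of Bill's post, and not a diagnosis of why his lab router dropped traffic), the following Python model shows what the filter-based-forwarding design above is meant to do: the input filter steers a packet into the peerX.inet.0 table, the peer prefix resolves there to the private session next hop, and anything without a more specific route falls through the 0.0.0.0/0 next-table route into inet.0. The route tables are constructed from the prefixes visible in the post (the upstream default next hop 192.168.91.1 is taken from the working traceroute); they are an illustrative subset, not the real 146k-route inet.0. Because neither term of the posted filter has a from clause, the first term matches every packet; the model also includes a second, assumed filter variant with a source-address match to show how other sources would fall to the all-other term.

```python
"""Model of Junos filter-based forwarding with a forwarding instance whose
default route is 'next-table inet.0'. Added example; tables are constructed."""
import ipaddress

# Constructed route tables. A value is either a next-hop string or
# ("next-table", <table>), modelling 'route 0.0.0.0/0 next-table inet.0'.
TABLES = {
    "inet.0": {
        "0.0.0.0/0": "192.168.91.1",           # upstream default (from the working traceroute)
        "192.168.90.0/24": "192.168.91.22",    # peer X via the public session, localpref 300
        "192.168.91.16/30": "direct ge-7/0/0.1",
        "192.168.91.20/30": "direct ge-7/0/0.2",
        "192.168.91.24/30": "direct ge-7/0/0.3",
    },
    "peerX.inet.0": {
        "0.0.0.0/0": ("next-table", "inet.0"),  # fall back to the main table
        "192.168.90.0/24": "192.168.91.26",    # peer X via the private session, localpref 400
        "192.168.91.16/30": "direct ge-7/0/0.1",  # interface routes leaked by the rib-group
        "192.168.91.20/30": "direct ge-7/0/0.2",
        "192.168.91.24/30": "direct ge-7/0/0.3",
    },
}

# A filter is an ordered list of (source prefix or None for match-all, action).
# The filter as posted has no 'from' clause, so both terms are match-all.
FILTER_AS_POSTED = [
    (None, ("routing-instance", "peerX.inet.0")),   # term private-only
    (None, ("accept",)),                            # term all-other
]

# Assumed variant (not in the post): only the server subnet on ge-7/0/0.1
# is steered into the peerX table; everything else takes the normal lookup.
FILTER_SCOPED_TO_SERVERS = [
    ("192.168.91.16/30", ("routing-instance", "peerX.inet.0")),
    (None, ("accept",)),
]


def lookup(table_name, dst, max_hops=4):
    """Longest-prefix match in table_name, following next-table redirections.
    Returns (table where the route resolved, next hop) or (table, None)."""
    dst_ip = ipaddress.ip_address(dst)
    for _ in range(max_hops):
        best = None
        for prefix, nh in TABLES[table_name].items():
            net = ipaddress.ip_network(prefix)
            if dst_ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return table_name, None
        nh = best[1]
        if isinstance(nh, tuple) and nh[0] == "next-table":
            table_name = nh[1]          # chase the next-table route
            continue
        return table_name, nh
    raise RuntimeError("next-table loop between tables")


def forward(filter_terms, src, dst):
    """Apply the input filter term by term, then do the lookup the matching
    action calls for. An unmatched packet hits the implicit discard."""
    src_ip = ipaddress.ip_address(src)
    for match, action in filter_terms:
        if match is None or src_ip in ipaddress.ip_network(match):
            if action[0] == "routing-instance":
                return lookup(action[1], dst)
            return lookup("inet.0", dst)   # accept: normal inet.0 lookup
    return "discard", None


if __name__ == "__main__":
    server = "192.168.91.18"   # constructed host on the server subnet
    for dst in ("192.168.90.99", "206.165.222.1"):
        print(server, "->", dst, forward(FILTER_AS_POSTED, server, dst))
    print("10.0.0.5 -> 192.168.90.99", forward(FILTER_SCOPED_TO_SERVERS, "10.0.0.5", "192.168.90.99"))
```

Run it and the server-sourced packet to 192.168.90.99 resolves in peerX.inet.0 to 192.168.91.26 (the private session), while 206.165.222.1 has no specific route there and falls through to inet.0 and the upstream default, which is exactly the split the post asks for. The scoped variant shows a non-server source being handled by the public session route in inet.0.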