[j-nsp] policy based routing, rib-groups and issues...

[Andrew Ramsey]

Hi Bill,

In your config:

firewall {
    filter servers-to-peerX {
        term private-only {
            then routing-instance peerX.inet.0; <======here
        }
        term all-other {
            then accept;
        }
    }
}

Can you change the "then routing-instance peerX.inet.0" to "then
routing-instance peerX"

Andy

> -----Original Message-----
> From: Bill Petrisko [mailto:billp at wjp.net] 
> Sent: Tuesday, October 26, 2004 3:16 PM
> To: Andrew Ramsey
> Cc: Bill Petrisko; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] policy based routing, rib-groups and issues...
> 
> 
> On Tue, Oct 26, 2004 at 05:16:59AM -0700, Andrew Ramsey wrote:
> > 1.  Put a counter on the filter "servers-to-peerX" to check for 
> > packets coming in.
> 
> Added term to count at the top of the policy, and all packets from 
> the interface ge7/0/1.1 appear to be counted, no matter what 
> the destination.
> 
> Added line to count in the same term (private-only) before 
> sending to routing instance peerX.inet.0.  These packets get 
> counted as 
> well.
> 
> > 2.  Put a filter and counter on the interface to "peerX" 
> (in/out) to 
> > check for packets leaving/into the router
> 
> Packets from the server never reach the peer interface.
> 
> Packets directly pinged from the router itself do reach the 
> .26 peer interface.  (Using default inet.0 routing table.)
> 
> > The static route "route 0.0.0.0/0 next-table inet.0" looks 
> like it's 
> > defeating the purpose of what you're trying to achieve.  You should 
> > remove it - I don't think it's causing you a problem though 
> since you 
> > have this:
> > 
> > 192.168.90.0/24     *[BGP/170] 00:15:03, MED 0, localpref 400
> >                       AS path: 23059 I
> >                     > to 192.168.91.26 via ge-7/0/0.3
> 
> Removing the static route 0.0.0.0/0 has no effect on the 
> issue. I will leave it removed for now.
> 
> > I think it looks like you're in good shape in the "server" 
> to "peerX" 
> > direction.  What about the other way?  Is there a route for the 
> > "server" in peerX.inet.0?
> 
> Yep, "server" is one half of a /30 that is an interface 
> route, all interface routes are imported into peerX.inet.0 
> (as shown by a 'show route table peerX'.)
> 
> The odd part is that it seems that the router itself has no 
> idea how to route using this rib.  Even a manual traceroute 
> or ping using 'routing-instance' to use the direct rib do not work:
> 
> root at jr3.phx3-LABROUTER> ping 192.168.91.26 source 
> 192.168.91.25 routing-instance peerX
> --- 192.168.91.26 ping statistics ---
> 8 packets transmitted, 0 packets received, 100% packet loss
> 
> (And firewall filter counter does not increase either.)
> 
> Is is almost like everything directed to this rib goes into a 
> black hole....
> 
> Possibly juniper bug?  We are on an old release of code 
> (5.6R2.4) on this lab router.
> 
> Thanks for the help
> bill
>