[j-nsp] inet forwarding-options filter in a VRF routing-instance

Sorin CONSTANTINESCU consta at gmail.com
Sat Dec 3 15:49:33 EST 2005 

On 12/3/05, Harshit Kumar <harshit at juniper.net> wrote:
> Can you try action "then syslog" in both terms and see what
> Kind of traffic is hitting each of them. Or you can try

Hi,

The traffic passing through this VRF is ~300mbps / 80kpps. Wouldn't it
have an impact on the RE?

> Applying a firewall filter on the interface and see if the
> Interface belonging to that vrf is indeed getting the traffic.

I haven't told you yet, but on this particular router, i don't have an
interface in this vrf :) This is the router where traffic from the
public network enters the Customer's VRF (EBGP multihop session +
rib-groups), and the place where customer's traffic exits the VRF
(static route with next-table pointing to inet.0).

I'm beggining to think i cannot filter inside this particulat VRF
where i don't have an interface in it.

Please advise,

>
> -Harshit
>
>
> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net
> > [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
> > Sorin CONSTANTINESCU
> > Sent: Saturday, December 03, 2005 10:10 AM
> > To: juniper-nsp at puck.nether.net
> > Subject: [j-nsp] inet forwarding-options filter in a VRF
> > routing-instance
> >
> > Hi, all.
> >
> > I need to filter traffic from a specific source inside a vrf
> > routing-instance. I have an M7i running 7.3R1.5.
> >
> > The problem is that i don't get any matches on any of the counters.
> >
> > === cut here ===
> > adonay at M7i> show firewall filter filter-vrf-customer
> > Filter: filter-vrf-customer
> > Counters:
> > Name                                                Bytes
> >          Packets
> > counter-customer-deny-1.2.3.4                     0
> >          0
> > counter-filter-vrf-customer-accept                        0
> >                  0
> >
> > adonay at M7i>
> > === and here ===
> >
> > Here's my config. Thanks,
> >
> > === cut here ===
> > adonay at M7i# show firewall family inet filter filter-vrf-customer
> > term 1 {
> >     from {
> >         source-address {
> >             1.2.3.4/32;
> >         }
> >     }
> >     then {
> >         count counter-customer-deny-1.2.3.4;
> >         discard;
> >     }
> > }
> > term 2 {
> >     then {
> >         count counter-filter-vrf-customer-accept;
> >         accept;
> >     }
> > }
> >
> > [edit]
> > adonay at M7i#
> >
> >
> > adonay at M7i# show routing-instances vrf-customer-internet
> > forwarding-options
> > family inet {
> >     filter {
> >         input filter-vrf-customer;
> >     }
> > }
> >
> > [edit]
> > adonay at M7i#
> > === and here ===
> >
> > --
> > Sorin CONSTANTINESCU
> > JNCIS-M, CCNP
> > consta at gmail.com
> >
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > http://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>


--
Sorin CONSTANTINESCU
JNCIS-M, CCNP
consta at gmail.com

More information about the juniper-nsp mailing list