[j-nsp] Per next-hop or MAC accounting/firewall/policer on same interface
Jiri Sane
jiri.sane at kolumbus.fi
Fri Sep 2 14:29:59 EDT 2005
Gino,
I have a traffic analyzer giving me a bgp-feed of "bad" customers (/32
routes). I want to forward these customers to a sandbox which then serves an
informative web-page to them.
For now I'm using a script that gets a configuration from the analyzer and
then inserts it into the input firewall of the customer-interface with 'load replace'.
It's a bit of a gum-solution and I'd like to get rid of it. It seems that the
routing-instance rule has to be at the input direction of the customer-interface to
function and scu-matching rules can only be at the output direction of the
internet-interface.
Thanks,
--
Jiri
> What's the use of this type of accounting?
> Gino
> > Did you try configuring a rib-group as described in step #3 of this
> > link:
> >
> > http://www.juniper.net/techpubs/software/junos/junos73/swconfig73-routing/html/instance-config18.html
> >
> > Harshit
> >> Rafal,
> >>
> >> I have been trying to do something very similar myself, but instead
> >> of applying a policy to class-matched traffic, I need to forward it
> >> to a particular host (10.0.10.1). I've had no luck with setting a
> >> firewall rule like this to the output direction of my "lan-interface"
> >> (like in Kevin's setup)
> >>
> >> term foo {
> >>     from {
> >>         source-class bar-source;
> >>     }
> >>     then {
> >>         log;
> >>         count foo;
> >>         routing-instance foo-forward;
> >>     }
> >> }
> >>
> >> along with
> >>
> >> routing-instances {
> >>     foo-forward {
> >>         instance-type forwarding;
> >>         routing-options {
> >>             static {
> >>                 route 0.0.0.0/0 next-hop 10.0.10.1;
> >>             }
> >>         }
> >>     }
> >> }
> >>
> >> Without "then routing-instance" I can see that all correct traffic is
> >> matched, but when "then routing-instance" is applied, logging stops
> >> and foo-count goes crazy (hundreds of megs in seconds on a box with
> >> like 10Mbit/s traffic). I would guess this to-be-forwarded traffic
> >> loops between the output firewall filter and the routing-instance?
> >> Any suggestions of how this should/could be achieved?
>
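As an added example (not configuration posted by anyone in this thread), here is a complete Junos filter-based-forwarding setup along the lines of the rib-group approach referenced in the quoted reply: a forwarding instance with a default static route to the sandbox host, a rib-group that copies the interface routes from inet.0 into the instance's table so that the static route's next-hop can resolve, and an input filter on the customer-facing interface that steers a prefix-list of /32 sources into the instance. The interface name, the addresses, the prefix-list contents and all object names are assumptions; only the sandbox next-hop 10.0.10.1 comes from the quoted post.

```junos
/* Added example, not from the thread. ge-0/0/0, 192.0.2.0/24, the
   prefix-list entries and the names customer-in, sandbox and sandbox-rib
   are assumptions; 10.0.10.1 is the sandbox host from the quoted post. */
policy-options {
    /* The /32s learned from the traffic analyzer would be kept here
       (or matched via a route-filter / source-class instead). */
    prefix-list bad-customers {
        192.0.2.10/32;
        192.0.2.11/32;
    }
}
firewall {
    family inet {
        filter customer-in {
            /* Steer traffic from listed sources into the sandbox instance. */
            term to-sandbox {
                from {
                    source-prefix-list {
                        bad-customers;
                    }
                }
                then {
                    count to-sandbox;
                    routing-instance sandbox;
                }
            }
            /* Everything else is forwarded normally via inet.0. */
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description "customer-facing interface (assumed)";
        unit 0 {
            family inet {
                filter {
                    input customer-in;
                }
                address 192.0.2.1/24;
            }
        }
    }
}
routing-options {
    /* Copy directly connected interface routes into sandbox.inet.0 as well,
       so that the instance has a route to the 10.0.10.1 next-hop. */
    interface-routes {
        rib-group inet sandbox-rib;
    }
    rib-groups {
        sandbox-rib {
            import-rib [ inet.0 sandbox.inet.0 ];
        }
    }
}
routing-instances {
    sandbox {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.10.1;
            }
        }
    }
}
```

Without the rib-group, sandbox.inet.0 holds only the static default route and nothing that reaches 10.0.10.1, so the next-hop stays unresolved and the instance forwards nothing. After `commit check` and `commit`, `show route table sandbox.inet.0` should show both the copied interface routes and the default route with a resolved next-hop, and `show firewall filter customer-in` shows the to-sandbox counter moving only for the listed sources.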