[j-nsp] FBF configs
Dean Albano
cmjdad at gmail.com
Mon Nov 20 14:33:52 EST 2006
We are planning to use filter-based forwarding (FBF) on our BRAS M320s.
The filter will forward port 80 traffic to a next hop at the remote
end of an IPIP tunnel. There are actually two filters (one matching on
destination port, the other on source port). Both filters have to be on
the ingress port because MPLS is used on the egress. The following
config will be used:
/* Gigabit Ethernet uplink as posted: VLAN-tagged, 9192-byte physical MTU,
   flow control disabled, and one IPv4 logical unit (1101). The closing
   brace for ge-1/1/0 itself is missing from the post; the listing is kept
   exactly as pasted. */
ge-1/1/0 {
/* Inherits statements from a configuration group named VRRP, which is not
   shown in this post. */
apply-groups VRRP;
description " Uplink Lag2 (Band=1000M)";
vlan-tagging;
mtu 9192;
link-mode full-duplex;
gigether-options {
no-flow-control;
}
unit 1101 {
description "Test 1";
vlan-id 1101;
family inet {
/* Unicast RPF is enabled on this unit; packets that fail the check are
   evaluated by filter rpf-dhcp, which is not shown in this post.
   NOTE(review): Juniper's FBF documentation has stated that unicast RPF
   checks are not supported on an interface configured with filter-based
   forwarding. Confirm for this platform and release: if the RPF check is
   not actually enforced, this unit loses its source-address spoofing
   protection. */
rpf-check fail-filter rpf-dhcp;
mtu 1500;
/* Suppresses ICMP redirects on this unit. */
no-redirects;
/* NOTE(review): the text of the post says both FBF filters must be applied
   on ingress, but every filter here is attached with "output". A filter
   stanza also takes a single input and a single output filter, so the
   repeated "output" lines presumably leave only one of them in effect;
   chaining several filters needs input-list / output-list. Confirm the
   intended direction and verify with "show interfaces filters" after
   commit. "group 6" sets the interface-group number for this unit; none of
   the filters shown in this post match on an interface group. */
filter {
output dhcp;
group 6;
output cache;
output reverse-cache;
}
address 1.1.1.1/30 {
primary;
}
address 2.2.2.2/30;
}
}
/* IP-over-IP tunnel interface used to carry the redirected traffic. The
   parenthetical remarks after "source" and "destination" are the poster's
   annotations, not configuration syntax, and x.x.x.x / y.y.y.y are redacted
   placeholders. The unit enables family inet but configures no address.
   NOTE(review): IP-IP adds only an outer IP header, with no encryption or
   authentication. Redirected port-80 traffic is therefore readable and
   modifiable on the path between the endpoints, and the remote endpoint
   should accept tunnel packets only from the expected source address. */
ip-1/1/0 {
unit 0 {
tunnel {
source y.y.y.y;(y.y.y.y IS THE LOCAL TUNNEL ENDPOINT)
destination x.x.x.x;(x.x.x.x IS THE REMOTE TUNNEL
ENDPOINT)
}
family inet;
}
}
/* Firewall section as posted: two policers, an IP-options rate-limiting
   filter, and the two FBF filters (cache, reverse-cache).
   NOTE(review): the brace nesting below is kept as pasted, with the closing
   braces gathered at the end. Read literally, "family inet" sits inside
   filter ip-options and the second "family inet" sits inside filter cache.
   That is presumably a paste artifact; the likely intent is that cache and
   reverse-cache are sibling filters under "firewall family inet". Confirm
   against the router's actual configuration. */
firewall {
/* bandwidth-limit is in bits per second and burst-size-limit in bytes;
   traffic exceeding the policer is discarded. */
policer ip-option-policer {
if-exceeding {
bandwidth-limit 3m;
burst-size-limit 3200000;
}
then discard;
}
/* Not referenced by any filter shown in this post. */
policer icmp-traceroute-policer {
if-exceeding {
bandwidth-limit 1m;
burst-size-limit 15k;
}
then discard;
}
/* Rate-limits and counts packets carrying any IP option. Term one has only
   action modifiers (policer, count) and no terminating action, so in-profile
   option packets are accepted, not dropped. This filter is not applied to
   any interface shown in this post. */
filter ip-options {
term one {
from {
ip-options any;
}
then {
policer ip-option-policer;
count option-packets;
}
}
term default {
then accept;
}
family inet {
/* FBF filter for the request direction: TCP packets with destination port
   80 are looked up in routing instance "cache"; everything else is accepted
   and forwarded normally.
   NOTE(review): the match has no address conditions, so any TCP/80 packet
   seen by this filter is redirected. Check whether traffic that has already
   passed through the cache can re-enter through an interface carrying this
   filter, which would redirect it again. */
filter cache {
term http {
from {
protocol tcp;
destination-port [ 80 ];
}
then {
routing-instance cache;
}
}
term default {
then accept;
}
family inet {
/* FBF filter for the reply direction: TCP packets with source port 80 are
   looked up in the same routing instance "cache", so replies are sent
   toward the same next hop as requests. */
filter reverse-cache {
term http {
from {
protocol tcp;
source-port [ 80 ];
}
then {
routing-instance cache;
}
}
term default {
then accept;
}
}
}
}
}
}
}
/* Forwarding-type routing instance that the FBF filters point at. Its only
   route is a static default whose next hop is the redacted address x.x.x.x;
   the parenthetical remark is the poster's annotation, not configuration
   syntax.
   NOTE(review): no rib-group or interface-routes statement is shown, so it
   is not visible here how the instance's table would learn a route to
   resolve this next hop. The next hop is also the tunnel's outer
   destination, not the tunnel interface ip-1/1/0.0, so confirm that matched
   traffic is actually encapsulated. Decide too what should happen to
   port-80 traffic when the next hop is unresolved or the tunnel is down:
   dropping it and falling back to normal forwarding are different failure
   modes. */
routing-instances {
cache {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop x.x.x.x ; (WHERE x.x.x.x IS
THE REMOTE TUNNEL ENDPOINT)
}
}
}
}
Please advise if anyone sees anything that is wrong.
Thanks in advance,
Dean