[j-nsp] Filter based forwarding
Chris Evans
chrisccnpspam2 at gmail.com
Wed Dec 2 21:17:45 EST 2009
Question for you all..
We are a Cisco shop today primary and have some Juniper devices here and there in the network. We have started an RFI for our next gen data center and Juniper has provided some 8200's and 4200's for us to evaluate. We have come up with a complication of how to introduce services into the environment..
Currently we have our server farms based on Cisco Catalyst 6500 switches. For our services we have firewalling and load balancing in each server farm. Introducing firewalling with an EX platform would not be an issue, however load balancing appears to be. To avoic overloading the load balancers we policy route select traffic to the load balancer instead of all traffic. In general we just policy route http and https traffic to the load balancers which then load balances on to the servers. We have to do the PBR ingress into the container and also the return traffic from the server, as stateful flow must be maintained. The policy apply points are on the layer 3 interfaces between the distribution and core, as well as the VLAN interface service the server segment. This easy to do in the Cisco world as we can apply a next-hop for any traffic we chose via a simple route-map.
Our difficulty comes when implementing this on a JUNOS platform as setting a next-hop isn't possible with filter based forwarding. We have created the firewall filters classifying the traffic which points it to another routing-instance. This piece works fine, however the issues becomes the return traffic. As all return traffic is in that routing-instance we have to create another filter to punt this traffic back into the global/master routing-instance. When you configure a firewall filter for the return traffic and specify 'routing-instance master' it states this isn't valid, you cannot create a master routing-instance either as its reserved.. It seems this is a new thing for Juniper, how it's a new thing I cannot understand.
Looking for details if anyone else has done anything like this. I have fear this is another 'enterprise' not carrier feature that Juniper doesn't have. We are running into many road blocks with their EX platform that prohibits us from using it for our environment. We're finding this product line doesn't even have the same level of critical features that a 5 year old Cisco platform has. Pretty disappointing :(
Here is the configuration that I did a spare M series box for grins.. Let me know what you think and if you have ideas...
Traffic would come into ge-1/3/0 destined for 172.16.1.140 port http, it would leave towards the host via ge-0/1/0, return traffic would take this same path backwards.
Interface configuration:
ge-0/1/0 {
unit 0 {
family inet {
filter {
input RETURN;
}
address 172.16.1.129/25;
}
}
}
ge-1/3/0 {
unit 0 {
family inet {
filter {
input PBR;
}
address 192.168.1.252/24;
}
}
}
Routing-Instance Configuration:
PBR {
instance-type virtual-router;
interface ge-0/1/0.0;
}
Firewall Configuration:
filter RETURN {
interface-specific;
term term-1 {
from {
source-address {
172.16.1.128/25;
}
protocol tcp;
source-port http;
}
then {
count RETURN;
log;
routing-instance master; ## 'master' is not defined
}
}
term ALL-ELSE {
then accept;
}
}
filter PBR {
interface-specific;
term term-1 {
from {
destination-address {
172.16.1.128/25;
}
protocol tcp;
destination-port http;
}
then {
count PBR;
routing-instance PBR;
}
}
term ALL-ELSE {
then accept;
}
}
Thanks
Chris
More information about the juniper-nsp
mailing list