[j-nsp] Filter based forwarding

Nilesh Khambal nkhambal at juniper.net
Wed Dec 2 22:10:35 EST 2009


Can you add a default route in virtual-router PBR to point to next-table as
inet.0?

- set virtual-router PBR routing-options static route 0.0.0.0/0 next-table
  inet.0 

You will lose the granularity of defining the source address and port to
forward the traffic but I am not sure if that matters in this case for
reverse traffic. This route will forward all the return traffic received
from port ge-0/1/0 to inet.0 for a second-level lookup if no specific route
is found in PBR.inet.0 routing table.

Thanks,
Nilesh.

On 12/2/09 6:17 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:

> Question for you all..
> 
> We are a Cisco shop today primary and have some Juniper devices here and there
> in the network. We have started an RFI for our next gen data center and
> Juniper has provided some 8200's and 4200's for us to evaluate. We have come
> up with a complication of how to introduce services into the environment..
> 
> Currently we have our server farms based on Cisco Catalyst 6500 switches. For
> our services we have firewalling and load balancing in each server farm.
> Introducing firewalling with an EX platform would not be an issue, however
> load balancing appears to be. To avoid overloading the load balancers we
> policy route select traffic to the load balancer instead of all traffic. In
> general we just policy route http and https traffic to the load balancers
> which then load balances on to the servers. We have to do the PBR ingress into
> the container and also the return traffic from the server, as stateful flow
> must be maintained. The policy apply points are on the layer 3 interfaces
> between the distribution and core, as well as the VLAN interface service the
> server segment. This is easy to do in the Cisco world as we can apply a next-hop
> for any traffic we chose via a simple route-map.
> 
> Our difficulty comes when implementing this on a JUNOS platform as setting a
> next-hop isn't possible with filter based forwarding. We have created the
> firewall filters classifying the traffic which points it to another
> routing-instance. This piece works fine, however the issue becomes the return
> traffic. As all return traffic is in that routing-instance we have to create
> another filter to punt this traffic back into the global/master
> routing-instance. When you configure a firewall filter for the return traffic
> and specify 'routing-instance master' it states this isn't valid, you cannot
> create a master routing-instance either as its reserved..  It seems this is a
> new thing for Juniper, how it's a new thing I cannot understand.
> 
> Looking for details if anyone else has done anything like this. I have fear
> this is another 'enterprise' not carrier feature that Juniper doesn't have. We
> are running into many road blocks with their EX platform that prohibits us
> from using it for our environment. We're finding this product line doesn't
> even have the same level of critical features that a 5 year old Cisco platform
> has. Pretty disappointing :(
> 
> Here is the configuration that I did on a spare M series box for grins.. Let me
> know what you think and if you have ideas...
> 
> Traffic would come into ge-1/3/0 destined for 172.16.1.140 port http, it would
> leave towards the host via ge-0/1/0, return traffic would take this same path
> backwards.
> 
> Interface configuration:
> ge-0/1/0 {
>     unit 0 {
>         family inet {
>             filter {
>                 input RETURN;
>             }
>             address 172.16.1.129/25;
>         }
>     }
> }
> ge-1/3/0 {
>     unit 0 {
>         family inet {
>             filter {
>                 input PBR;
>             }
>             address 192.168.1.252/24;
>         }
>     }
> }
> 
> Routing-Instance Configuration:
> 
> PBR {
>     instance-type virtual-router;
>     interface ge-0/1/0.0;
> }
> 
> Firewall Configuration:
> 
> filter RETURN {
>     interface-specific;
>     term term-1 {
>         from {
>             source-address {
>                 172.16.1.128/25;
>             }
>             protocol tcp;
>             source-port http;
>         }
>         then {
>             count RETURN;
>             log;
>             routing-instance master; ## 'master' is not defined
>         }
>     }
>     term ALL-ELSE {
>         then accept;
>     }
> }
> 
> filter PBR {
>     interface-specific;
>     term term-1 {
>         from {
>             destination-address {
>                 172.16.1.128/25;
>             }
>             protocol tcp;
>             destination-port http;
>         }        
>         then {
>             count PBR;
>             routing-instance PBR;
>         }
>     }
>     term ALL-ELSE {
>         then accept;
>     }
> }
> 
> 
> Thanks
> 
> Chris
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
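The reply's suggestion, written out in the same curly-brace form as the posted configuration (an added illustration, not taken from either message): the PBR virtual-router gets a default static route pointing at next-table inet.0, so return traffic arriving on ge-0/1/0 (which belongs to the PBR instance) is looked up first in PBR.inet.0 and then in inet.0. With this in place the input filter RETURN on ge-0/1/0 is no longer needed; the ingress filter PBR on ge-1/3/0 stays exactly as posted. Interface and address values are the poster's; the verification commands assume a device running Junos where these tables exist.

```junos
/* ge-0/1/0 belongs to the PBR instance; no RETURN filter is required now */
interfaces {
    ge-0/1/0 {
        unit 0 {
            family inet {
                address 172.16.1.129/25;
            }
        }
    }
}
routing-instances {
    PBR {
        instance-type virtual-router;
        interface ge-0/1/0.0;
        routing-options {
            static {
                /* anything without a more specific route in PBR.inet.0
                   is re-looked-up in the master table inet.0 */
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
}
/* verification after commit (operational mode):
   show route table PBR.inet.0          -> 0.0.0.0/0 with "to table inet.0"
   show route table inet.0 192.168.1.0/24
   show firewall filter PBR-ge-1/3/0.0-i -> counter PBR increments on http */
```

Because the default route catches every packet entering on ge-0/1/0 that PBR.inet.0 cannot resolve, not only the http return flows the RETURN filter matched, anything else that must stay inside the PBR instance needs its own more specific route in PBR.inet.0 before the default is committed.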
