[j-nsp] Filter based forwarding
Nilesh Khambal
nkhambal at juniper.net
Wed Dec 2 23:14:49 EST 2009
Weird. Can you try this configuration instead?
- remove the default route from PBR.
- put ge-1/3/0 in default and ge-0/1/0 in PBR instance.
- keep the filter PBR on ge-1/3/0.
- Add the following configuration.
[edit routing-options]
user at host#
interface-routes {
rib-group inet redist-local-routes;
}
rib-groups {
redist-local-routes {
import-rib [ inet.0 PBR.inet.0 ];
}
}
Then try the traffic again.
Thanks,
Nilesh.
On 12/2/09 8:07 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
> Here is where I'm coming up with 'master', as you can see below 'master' is
> valid. In either case, the src is 192.168.1.210 and destination is
> 172.16.1.140.. If I create another routing-instance such as PBR2 and put
> ge-1/3/0 into it and apply the firewall filter, it works properly.. It just
> seems that you cannot call the default inet.0 within the firewall filter as
> there is really no instance defined.
>
>
>
> root at JuniperM7i# show routing-instances
> PBR {
> instance-type virtual-router;
> interface ge-0/1/0.0;
> routing-options {
> static {
> route 0.0.0.0/0 next-table inet.0;
> }
> }
> }
> master {
> instance-type virtual-router;
> }
>
> [edit]
> root at JuniperM7i# commit check
> [edit routing-instances]
> 'master'
> RT Instance: master is a reserved instance name
> error: configuration check-out failed
>
>
>
>
> root at JuniperM7i> show route instance
> Instance             Type
>          Primary RIB                     Active/holddown/hidden
> PBR                  virtual-router
>          PBR.inet.0                      3/0/0
>
> __juniper_private1__ forwarding
>          __juniper_private1__.inet.0     3/0/1
>          __juniper_private1__.inet6.0    4/0/0
>
> __juniper_private2__ forwarding
>          __juniper_private2__.inet.0     0/0/1
>
> __master.anon__      forwarding
>
> master               forwarding
>          inet.0                          7/0/0
>          inet.1                          5/0/0
>          inet6.0                         2/0/0
>
>
> On Wed, Dec 2, 2009 at 10:44 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> What is the destination for the forward traffic? Is it one of the connected
>> IPs on ge-0/1/0? I suspect if the problem is with forward traffic rather than
>> return traffic. Can you specify what will be the source and destination for
>> the forward and return traffic?
>>
>> master.inet.0 is not the same as inet.0. "inet.0" refers to the default
>> routing table for IPv4 lookup. "master.inet.0" refers to the IPv4 routing
>> table for routing-instance name "master", which you don't have configured.
>>
>> Thanks,
>> Nilesh.
>>
>>
>>
>>
>> On 12/2/09 7:39 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>>
>> Yes, you are correct.. it doesn't make it back to the source. I don't have
>> any active routing protocols at all, so I pasted them all. We're just relying
>> on the default route and directly connected routes. If I set the next-hop
>> table to 'master.inet.0' it doesn't install the 0.0.0.0/0 route into
>> PBR.inet.0 at all..
>>
>> root at JuniperM7i> show route extensive table inet.0
>>
>> inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
>> Restart Complete
>> 0.0.0.0/0 (1 entry, 1 announced)
>> TSI:
>> KRT in-kernel 0.0.0.0/0 -> {192.168.1.1}
>> *Static Preference: 5
>> Next hop type: Router, Next hop index: 614
>> Next-hop reference count: 3
>> Next hop: 192.168.1.1 via ge-1/3/0.0, selected
>> State: <Active Int Ext>
>> Age: 1:26:03
>> Task: RT
>> Announcement bits (1): 0-KRT
>> AS path: I
>>
>> 192.168.1.0/24 (1 entry, 0 announced)
>> *Direct Preference: 0
>> Next hop type: Interface
>> Next-hop reference count: 1
>> Next hop: via ge-1/3/0.0, selected
>> State: <Active Int>
>> Age: 1:26:03
>> Task: IF
>> AS path: I
>>
>> 192.168.1.252/32 (1 entry, 0 announced)
>> *Local Preference: 0
>> Next hop type: Local
>> Next-hop reference count: 6
>> Interface: ge-1/3/0.0
>> State: <Active NoReadvrt Int>
>> Age: 1:26:03
>> Task: IF
>> AS path: I
>>
>>
>>
>> root at JuniperM7i> show route extensive table PBR.inet.0
>>
>> PBR.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
>> 0.0.0.0/0 (1 entry, 1 announced)
>> TSI:
>> KRT in-kernel 0.0.0.0/0 -> {Table}
>> *Static Preference: 5
>> Next table: inet.0
>> Next-hop reference count: 3
>> State: <Active Int Ext>
>> Age: 22
>> Task: RT
>> Announcement bits (1): 0-KRT
>> AS path: I
>>
>> 172.16.1.128/25 (1 entry, 0 announced)
>> *Direct Preference: 0
>> Next hop type: Interface
>> Next-hop reference count: 1
>> Next hop: via ge-0/1/0.0, selected
>> State: <Active Int>
>> Age: 3:52:19
>> Task: IF
>> AS path: I
>>
>> 172.16.1.129/32 (1 entry, 0 announced)
>> *Local Preference: 0
>> Next hop type: Local
>> Next-hop reference count: 6
>> Interface: ge-0/1/0.0
>> State: <Active NoReadvrt Int>
>> Age: 3:52:20
>> Task: IF
>> AS path: I
>>
>>
>>
>>
>>
>> On Wed, Dec 2, 2009 at 10:26 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> So, are you saying that by adding a default route pointing to the inet.0
>> table (default routing table) the return traffic is not getting routed to
>> via inet.0 via appropriate egress interface?
>>
>> Is there any another more specific route in PBR.inet.0 for the return traffic
>> destination?
>>
>> Is there a route for the return traffic destination in inet.0 point to the
>> correct egress interface?
>>
>> Can you post "show route a.b.c.d extensive table PBR.inet.0" and then "show
>> route a.b.c.d extensive"?
>>
>> Thanks,
>> Nilesh
>>
>>
>> On 12/2/09 7:21 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>>
>> Just tried that, no dice.. I also tried 'master.inet.0' with no luck.
>>
>> If I pull the interfaces out of the global routing instance, I can
>> successfully use a firewall filter to forward how I need it to. Unfortunately
>> it just doesn't work when the interfaces are in the default instance..
>>
>> Thanks
>>
>> Chris
>>
>>
>> On Wed, Dec 2, 2009 at 10:11 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>>
>>
>>
>> On 12/2/09 7:10 PM, "Nilesh Khambal" <nkhambal at juniper.net> wrote:
>>
>>> - set virtual-router PBR routing-options static route 0.0.0.0/0 next-table
>>> inet.0
>>
>> Sorry the syntax should be
>>
>> - set routing-instances PBR routing-options static route 0.0.0.0/0
>> next-table inet.0
>>
>> Thanks,
>> Nilesh.
>>
>>
>>
>>
>>
>
>
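The configuration Nilesh's last reply proposes, assembled here into one load-merge snippet as an added example (it is not a configuration posted in the thread). Interface addresses and the default next-hop are taken from the route output quoted above; the match terms of filter PBR are an assumption, since the thread never shows that filter.

```junos
interfaces {
    ge-1/3/0 {
        unit 0 {
            family inet {
                /* the filter stays on the interface that remains in the default instance */
                filter { input PBR; }
                address 192.168.1.252/24;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family inet { address 172.16.1.129/25; }
        }
    }
}
routing-options {
    /* the default route for the forward path lives in inet.0 only */
    static { route 0.0.0.0/0 next-hop 192.168.1.1; }
    /* copy the direct and local routes of the default-instance interfaces
       into both tables, so PBR.inet.0 also carries 192.168.1.0/24 */
    interface-routes { rib-group inet redist-local-routes; }
    rib-groups {
        redist-local-routes { import-rib [ inet.0 PBR.inet.0 ]; }
    }
}
routing-instances {
    /* ge-0/1/0 moves in here; the 0.0.0.0/0 next-table inet.0 route is dropped */
    PBR {
        instance-type virtual-router;
        interface ge-0/1/0.0;
    }
}
firewall {
    family inet {
        filter PBR {
            /* assumed match terms: the thread never shows filter PBR itself */
            term steer {
                from { source-address { 192.168.1.210/32; } }
                then { routing-instance PBR; }
            }
            term rest { then accept; }
        }
    }
}
```

After committing, "show route table PBR.inet.0" should list the 192.168.1.0/24 direct route next to the instance's own 172.16.1.128/25, which is what the earlier next-table default route was standing in for.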