[j-nsp] Filter based forwarding

Nilesh Khambal nkhambal at juniper.net
Wed Dec 2 23:45:52 EST 2009


We basically leaked the direct and local routes, which are nothing but interface routes for the interfaces in the main routing instance, from inet.0 to the PBR.inet.0 table using the rib-groups configuration. So the destination route which is directly connected to ge-1/3/0 is now appearing as a local route in PBR.inet.0. Looks like the next-table route had some limitations when routing the traffic to the inet.0 table from PBR.inet.0 for connected routes. I can't think of any such limitation as of now. The new configuration pretty much achieved the same in a different way. Maybe the next-table method needs some more investigation to see if it is really supported in this scenario and if there are any known limitations in that area. You can do that by opening a case with JTAC.

Thanks,
Nilesh.


--------------------------------------------------
Sent from my mobile handheld device
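As an added worked example (not configuration posted in this thread): the complete filter-based-forwarding setup that the message above describes, with the rib-group leaking the master instance's interface routes into PBR.inet.0 instead of a next-table default route. The interface addresses, the 192.168.1.1 default gateway, the filter name PBR and the 192.168.1.210 test source are taken from the route output and description further down the thread; the firewall filter's term names, its match on source-address, the counter and the trailing accept term are assumptions, since the thread never shows the filter itself.

```junos
/* Added example: filter-based forwarding on an M7i-style box.
   ge-1/3/0 stays in the default instance and carries the filter;
   ge-0/1/0 lives in routing-instance PBR.  Term names, the
   source-address match and the counter are assumed. */
interfaces {
    ge-1/3/0 {
        unit 0 {
            family inet {
                filter {
                    input PBR;            /* FBF filter on the ingress interface */
                }
                address 192.168.1.252/24;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family inet {
                address 172.16.1.129/25;
            }
        }
    }
}
firewall {
    family inet {
        filter PBR {
            term redirect-to-pbr {
                from {
                    source-address {
                        192.168.1.210/32;   /* assumed match: the test source used in the thread */
                    }
                }
                then {
                    count pbr-hits;         /* visible in "show firewall filter PBR" */
                    routing-instance PBR;   /* route lookup continues in PBR.inet.0 */
                }
            }
            term everything-else {
                then accept;                /* a filter ends in an implicit discard */
            }
        }
    }
}
routing-instances {
    PBR {
        instance-type virtual-router;
        interface ge-0/1/0.0;
        /* deliberately no "route 0.0.0.0/0 next-table inet.0" here */
    }
}
routing-options {
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
    interface-routes {
        rib-group inet redist-local-routes; /* master-instance interface routes go to both RIBs */
    }
    rib-groups {
        redist-local-routes {
            import-rib [ inet.0 PBR.inet.0 ];
        }
    }
}
```

After `commit check` and commit, `show route table PBR.inet.0` should list 192.168.1.0/24 and 192.168.1.252/32 next to the 172.16.1.128/25 connected routes, which is what lets the return traffic from ge-0/1/0 reach the 192.168.1.0/24 host, and `show firewall filter PBR` shows whether the redirect term is actually matching. Two caveats a practitioner should check before relying on this: because PBR.inet.0 carries no default route, a redirected packet whose destination is neither connected to ge-0/1/0 nor among the leaked interface routes is dropped rather than forwarded (`show route 172.16.1.140 table PBR.inet.0` confirms the lookup), and the rib-group leaks every master-instance interface route into PBR.inet.0, so if only some subnets should be reachable from the PBR side, attach an `import-policy` to the rib-group rather than accepting all of them.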

On Dec 2, 2009, at 8:27 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:

Just tried and that appears to work..

Explain as to what an interface-route is?

On Wed, Dec 2, 2009 at 11:14 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
Weird. Can you try this configuration instead?

- remove the default route from PBR.
- put ge-1/3/0 in default and ge-0/1/0 in PBR instance.
- keep the filter PBR on ge-1/3/0.
- Add following configuration.

[edit routing-options]
user@host#

interface-routes {
   rib-group inet redist-local-routes;
}

rib-groups {
   redist-local-routes {
       import-rib [ inet.0 PBR.inet.0 ];
   }
}

Then try the traffic again.

Thanks,
Nilesh.




On 12/2/09 8:07 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:

> Here is where I'm coming up with 'master', as you can see below 'master' is
> valid. In either case, the src is 192.168.1.210 and destination is
> 172.16.1.140.. If I create another routing-instance such as PBR2 and put
> ge-1/3/0 into it and apply the firewall filter, it works properly.. It just
> seems that you cannot call the default inet.0 within the firewall filter as
> there is really no instance defined.
>
>
>
> root@JuniperM7i# show routing-instances
> PBR {
>     instance-type virtual-router;
>     interface ge-0/1/0.0;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-table inet.0;
>         }
>     }
> }
> master {
>     instance-type virtual-router;
> }
>
> [edit]
> root@JuniperM7i# commit check
> [edit routing-instances]
>   'master'
>     RT Instance: master is a reserved instance name
> error: configuration check-out failed
>
>
>
>
> root@JuniperM7i> show route instance
> Instance             Type
>          Primary RIB                                     Active/holddown/hidden
> PBR                  virtual-router
>          PBR.inet.0                                      3/0/0
>
> __juniper_private1__ forwarding
>          __juniper_private1__.inet.0                     3/0/1
>          __juniper_private1__.inet6.0                    4/0/0
>
> __juniper_private2__ forwarding
>          __juniper_private2__.inet.0                     0/0/1
>
> __master.anon__      forwarding
>
> master               forwarding
>          inet.0                                          7/0/0
>          inet.1                                          5/0/0
>          inet6.0                                         2/0/0
>
>
> On Wed, Dec 2, 2009 at 10:44 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> What is the destination for the forward traffic? Is it one of the connected
>> IPs on ge-0/1/0? I suspect the problem is with forward traffic rather than
>> return traffic. Can you specify what will be the source and destination for
>> the forward and return traffic?
>>
>> master.inet.0 is not the same as inet.0. "inet.0" refers to the default
>> routing table for IPv4 lookup. "master.inet.0" refers to the IPv4 routing
>> table for the routing-instance named "master", which you don't have configured.
>>
>> Thanks,
>> Nilesh.
>>
>>
>>
>>
>> On 12/2/09 7:39 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>>
>> Yes, you are correct.. it doesn't make it back to the source. I don't have
>> any active routing protocols at all, so I pasted them all. We're just relying
>> on the default route and directly connected routes. If I set the next-hop
>> table to 'master.inet.0' it doesn't install the 0.0.0.0/0 route into
>> PBR.inet.0 at all..
>>
>> root@JuniperM7i> show route extensive table inet.0
>>
>> inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
>> Restart Complete
>> 0.0.0.0/0 (1 entry, 1 announced)
>> TSI:
>> KRT in-kernel 0.0.0.0/0 -> {192.168.1.1}
>>         *Static Preference: 5
>>                 Next hop type: Router, Next hop index: 614
>>                 Next-hop reference count: 3
>>                 Next hop: 192.168.1.1 via ge-1/3/0.0, selected
>>                 State: <Active Int Ext>
>>                 Age: 1:26:03
>>                 Task: RT
>>                 Announcement bits (1): 0-KRT
>>                 AS path: I
>>
>> 192.168.1.0/24 (1 entry, 0 announced)
>>         *Direct Preference: 0
>>                 Next hop type: Interface
>>                 Next-hop reference count: 1
>>                 Next hop: via ge-1/3/0.0, selected
>>                 State: <Active Int>
>>                 Age: 1:26:03
>>                 Task: IF
>>                 AS path: I
>>
>> 192.168.1.252/32 (1 entry, 0 announced)
>>         *Local  Preference: 0
>>                 Next hop type: Local
>>                 Next-hop reference count: 6
>>                 Interface: ge-1/3/0.0
>>                 State: <Active NoReadvrt Int>
>>                 Age: 1:26:03
>>                 Task: IF
>>                 AS path: I
>>
>>
>>
>> root@JuniperM7i> show route extensive table PBR.inet.0
>>
>> PBR.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
>> 0.0.0.0/0 (1 entry, 1 announced)
>> TSI:
>> KRT in-kernel 0.0.0.0/0 -> {Table}
>>         *Static Preference: 5
>>                 Next table: inet.0
>>                 Next-hop reference count: 3
>>                 State: <Active Int Ext>
>>                 Age: 22
>>                 Task: RT
>>                 Announcement bits (1): 0-KRT
>>                 AS path: I
>>
>> 172.16.1.128/25 (1 entry, 0 announced)
>>         *Direct Preference: 0
>>                 Next hop type: Interface
>>                 Next-hop reference count: 1
>>                 Next hop: via ge-0/1/0.0, selected
>>                 State: <Active Int>
>>                 Age: 3:52:19
>>                 Task: IF
>>                 AS path: I
>>
>> 172.16.1.129/32 (1 entry, 0 announced)
>>         *Local  Preference: 0
>>                 Next hop type: Local
>>                 Next-hop reference count: 6
>>                 Interface: ge-0/1/0.0
>>                 State: <Active NoReadvrt Int>
>>                 Age: 3:52:20
>>                 Task: IF
>>                 AS path: I
>>
>>
>>
>>
>>
>> On Wed, Dec 2, 2009 at 10:26 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> So, are you saying that by adding a default route pointing to the inet.0
>> table (default routing table) the return traffic is not getting routed
>> via inet.0 to the appropriate egress interface?
>>
>> Is there any another more specific route in PBR.inet.0 for the return traffic
>> destination?
>>
>> Is there a route for the return traffic destination in inet.0 point to the
>> correct egress interface?
>>
>> Can you post "show route a.b.c.d extensive table PBR.inet.0" and then "show
>> route a.b.c.d extensive"?
>>
>> Thanks,
>> Nilesh
>>
>>
>> On 12/2/09 7:21 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>>
>> Just tried that, no dice.. I also tried 'master.inet.0' with no luck.
>>
>> If I pull the interfaces out of the global routing instance, I can
>> successfully use a firewall filter to forward how I need it to. Unfortunately
>> it just doesn't work when the interfaces are in the default instance..
>>
>> Thanks
>>
>> Chris
>>
>>
>> On Wed, Dec 2, 2009 at 10:11 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>>
>>
>>
>> On 12/2/09 7:10 PM, "Nilesh Khambal" <nkhambal at juniper.net> wrote:
>>
>>> - set virtual-router PBR routing-options static route 0.0.0.0/0 next-table inet.0
>>
>> Sorry the syntax should be
>>
>> - set routing-instances PBR routing-options static route 0.0.0.0/0 next-table inet.0
>>
>> Thanks,
>> Nilesh.
>>
>>
>>
>>
>>
>
>



