[j-nsp] Filter based forwarding
Chris Evans
chrisccnpspam2 at gmail.com
Wed Dec 2 23:51:18 EST 2009
Interesting..
Will update my SE on this and have him work with JTAC..
On Wed, Dec 2, 2009 at 11:45 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> We basically leaked the direct and local routes, which are nothing but
> interface routes for the interfaces in the main routing instance, from inet.0 to
> the PBR.inet.0 table using the rib-groups configuration. So the destination route
> which is directly connected to ge-1/3/0 is now appearing as a local route in
> PBR.inet.0. Looks like the next-table route had some limitations when
> routing the traffic to the inet.0 table from PBR.inet.0 for connected routes. I
> can't think of any such limitation as of now. The new configuration pretty
> much achieved the same in a different way. Maybe the next-table method needs
> some more investigation to see if it is really supported in this scenario
> and if there are any known limitations in that area. You can do that by
> opening a case with JTAC.
>
> Thanks,
> Nilesh.
>
>
> --------------------------------------------------
> Sent from my mobile handheld device
>
> On Dec 2, 2009, at 8:27 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>
> Just tried and that appears to work..
>
> Explain as to what an interface-route is?
>
> On Wed, Dec 2, 2009 at 11:14 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> Weird. Can you try this configuration instead?
>
> - remove the default route from PBR.
> - put ge-1/3/0 in default and ge-0/1/0 in PBR instance.
> - keep the filter PBR on ge-1/3/0.
> - Add the following configuration.
>
> [edit routing-options]
> user at host#
>
> interface-routes {
>     rib-group inet redist-local-routes;
> }
>
> rib-groups {
>     redist-local-routes {
>         import-rib [ inet.0 PBR.inet.0 ];
>     }
> }
>
> Then try the traffic again.
>
> Thanks,
> Nilesh.
>
>
>
>
> On 12/2/09 8:07 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>
> > Here is where I'm coming up with 'master', as you can see below 'master' is
> > valid. In either case, the src is 192.168.1.210 and destination is
> > 172.16.1.140.. If I create another routing-instance such as PBR2 and put
> > ge-1/3/0 into it and apply the firewall filter, it works properly.. It just
> > seems that you cannot call the default inet.0 within the firewall filter as
> > there is really no instance defined.
> >
> >
> >
> > root at JuniperM7i# show routing-instances
> > PBR {
> >     instance-type virtual-router;
> >     interface ge-0/1/0.0;
> >     routing-options {
> >         static {
> >             route 0.0.0.0/0 next-table inet.0;
> >         }
> >     }
> > }
> > master {
> >     instance-type virtual-router;
> > }
> >
> > [edit]
> > root at JuniperM7i# commit check
> > [edit routing-instances]
> > 'master'
> > RT Instance: master is a reserved instance name
> > error: configuration check-out failed
> >
> >
> >
> >
> > root at JuniperM7i> show route instance
> > Instance             Type
> >          Primary RIB                       Active/holddown/hidden
> > PBR                  virtual-router
> >          PBR.inet.0                        3/0/0
> >
> > __juniper_private1__ forwarding
> >          __juniper_private1__.inet.0       3/0/1
> >          __juniper_private1__.inet6.0      4/0/0
> >
> > __juniper_private2__ forwarding
> >          __juniper_private2__.inet.0       0/0/1
> >
> > __master.anon__      forwarding
> >
> > master               forwarding
> >          inet.0                            7/0/0
> >          inet.1                            5/0/0
> >          inet6.0                           2/0/0
> >
> >
> > On Wed, Dec 2, 2009 at 10:44 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> >> What is the destination for the forward traffic? Is it one of the connected
> >> IPs on ge-0/1/0? I suspect if the problem is with forward traffic rather than
> >> return traffic. Can you specify what will be the source and destination for
> >> the forward and return traffic?
> >>
> >> master.inet.0 is not the same as inet.0. "inet.0" refers to the default
> >> routing table for IPv4 lookup. "master.inet.0" refers to the IPv4 routing
> >> table for routing-instance name "master" which you don't have configured.
> >>
> >> Thanks,
> >> Nilesh.
> >>
> >>
> >>
> >>
> >> On 12/2/09 7:39 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
> >>
> >> Yes, you are correct.. it doesn't make it back to the source. I don't have
> >> any active routing protocols at all, so I pasted them all. We're just relying
> >> on the default route and directly connected routes. If I set the next-hop
> >> table to 'master.inet.0' it doesn't install the 0.0.0.0/0 route into
> >> PBR.inet.0 at all..
> >>
> >> root at JuniperM7i> show route extensive table inet.0
> >>
> >> inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
> >> Restart Complete
> >> 0.0.0.0/0 (1 entry, 1 announced)
> >> TSI:
> >> KRT in-kernel 0.0.0.0/0 -> {192.168.1.1}
> >>         *Static Preference: 5
> >>                 Next hop type: Router, Next hop index: 614
> >>                 Next-hop reference count: 3
> >>                 Next hop: 192.168.1.1 via ge-1/3/0.0, selected
> >>                 State: <Active Int Ext>
> >>                 Age: 1:26:03
> >>                 Task: RT
> >>                 Announcement bits (1): 0-KRT
> >>                 AS path: I
> >>
> >> 192.168.1.0/24 (1 entry, 0 announced)
> >>         *Direct Preference: 0
> >>                 Next hop type: Interface
> >>                 Next-hop reference count: 1
> >>                 Next hop: via ge-1/3/0.0, selected
> >>                 State: <Active Int>
> >>                 Age: 1:26:03
> >>                 Task: IF
> >>                 AS path: I
> >>
> >> 192.168.1.252/32 (1 entry, 0 announced)
> >>         *Local Preference: 0
> >>                 Next hop type: Local
> >>                 Next-hop reference count: 6
> >>                 Interface: ge-1/3/0.0
> >>                 State: <Active NoReadvrt Int>
> >>                 Age: 1:26:03
> >>                 Task: IF
> >>                 AS path: I
> >>
> >>
> >>
> >> root at JuniperM7i> show route extensive table PBR.inet.0
> >>
> >> PBR.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
> >> 0.0.0.0/0 (1 entry, 1 announced)
> >> TSI:
> >> KRT in-kernel 0.0.0.0/0 -> {Table}
> >>         *Static Preference: 5
> >>                 Next table: inet.0
> >>                 Next-hop reference count: 3
> >>                 State: <Active Int Ext>
> >>                 Age: 22
> >>                 Task: RT
> >>                 Announcement bits (1): 0-KRT
> >>                 AS path: I
> >>
> >> 172.16.1.128/25 (1 entry, 0 announced)
> >>         *Direct Preference: 0
> >>                 Next hop type: Interface
> >>                 Next-hop reference count: 1
> >>                 Next hop: via ge-0/1/0.0, selected
> >>                 State: <Active Int>
> >>                 Age: 3:52:19
> >>                 Task: IF
> >>                 AS path: I
> >>
> >> 172.16.1.129/32 (1 entry, 0 announced)
> >>         *Local Preference: 0
> >>                 Next hop type: Local
> >>                 Next-hop reference count: 6
> >>                 Interface: ge-0/1/0.0
> >>                 State: <Active NoReadvrt Int>
> >>                 Age: 3:52:20
> >>                 Task: IF
> >>                 AS path: I
> >>
> >>
> >>
> >>
> >>
> >> On Wed, Dec 2, 2009 at 10:26 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> >> So, are you saying that by adding a default route pointing to the inet.0
> >> table (default routing table) the return traffic is not getting routed
> >> via inet.0 via the appropriate egress interface?
> >>
> >> Is there any other more specific route in PBR.inet.0 for the return traffic
> >> destination?
> >>
> >> Is there a route for the return traffic destination in inet.0 pointing to the
> >> correct egress interface?
> >>
> >> Can you post "show route a.b.c.d extensive table PBR.inet.0" and then "show
> >> route a.b.c.d extensive"?
> >>
> >> Thanks,
> >> Nilesh
> >>
> >>
> >> On 12/2/09 7:21 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
> >>
> >> Just tried that, no dice.. I also tried 'master.inet.0' with no luck.
> >>
> >> If I pull the interfaces out of the global routing instance, I can
> >> successfully use a firewall filter to forward how I need it to. Unfortunately
> >> it just doesn't work when interfaces are in the default instance..
> >>
> >> Thanks
> >>
> >> Chris
> >>
> >>
> >> On Wed, Dec 2, 2009 at 10:11 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> >>
> >>
> >>
> >> On 12/2/09 7:10 PM, "Nilesh Khambal" <nkhambal at juniper.net> wrote:
> >>
> >>> - set virtual-router PBR routing-options static route 0.0.0.0/0 next-table
> >>> inet.0
> >>
> >> Sorry the syntax should be
> >>
> >> - set routing-instances PBR routing-options static route 0.0.0.0/0
> >> next-table inet.0
> >>
> >> Thanks,
> >> Nilesh.
> >>
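The working setup Nilesh describes (ge-0/1/0 in the PBR virtual-router, ge-1/3/0 left in the default instance with the filter applied, interface routes leaked with a rib-group) gathered into one Junos configuration, as an added example that is not from the thread. The filter name PBR and term names, the match on the source host 192.168.1.210 from the thread, the counter name pbr-matched, and the ge-1/3/0 address taken from the 192.168.1.252/32 local route in the output above are assumptions.

```junos
## Added example, not from the thread; filter/term/counter names are assumed.
firewall {
    family inet {
        filter PBR {
            term to-pbr {
                from {
                    source-address {
                        192.168.1.210/32;
                    }
                }
                then {
                    count pbr-matched;
                    routing-instance PBR;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
interfaces {
    ge-1/3/0 {
        unit 0 {
            family inet {
                filter {
                    input PBR;
                }
                address 192.168.1.252/24;
            }
        }
    }
}
routing-instances {
    PBR {
        instance-type virtual-router;
        interface ge-0/1/0.0;
    }
}
routing-options {
    interface-routes {
        rib-group inet redist-local-routes;
    }
    rib-groups {
        redist-local-routes {
            import-rib [ inet.0 PBR.inet.0 ];
        }
    }
}
```

After commit, "show route table PBR.inet.0" should list 192.168.1.0/24 as a Direct route leaked from inet.0, which is what lets return traffic entering ge-0/1/0 reach the source; the final accept term keeps every flow the first term does not match in the default instance, and the counter gives an auditable record of what was diverted.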