[j-nsp] Filter based forwarding

Chris Evans chrisccnpspam2 at gmail.com
Wed Dec 2 23:51:18 EST 2009


Interesting..
Will update my SE on this and have him work with JTAC..

On Wed, Dec 2, 2009 at 11:45 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:

> We basically leaked the direct and local routes which are nothing but
> interface routes for the interfaces in main routing instance from inet.0 to
> PBR.inet.0 table using rib-groups configuration. So the destination route
> which is directly connected to ge-1/3/0 is now appearing as a local route in
> PBR.inet.0. Looks like the next-table route had some limitations when
> routing the traffic to inet.0 table from PBR.inet.0 for connected routes. I
> can't think of any such limitation as of now. The new configuration pretty
> much achieved the same in a different way. Maybe the next-table method needs
> some more investigation to see if it is really supported in this scenario
> and if there are any known limitations in that area. You can do that by
> opening a case with JTAC.
>
> Thanks,
> Nilesh.
>
>
> --------------------------------------------------
> Sent from my mobile handheld device
>
> On Dec 2, 2009, at 8:27 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>
> Just tried and that appears to work..
>
> Explain as to what an interface-route is?
>
> On Wed, Dec 2, 2009 at 11:14 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> Weird. Can you try this configuration instead?
>
> - remove the default route from PBR.
> - put ge-1/3/0 in default and ge-0/1/0 in PBR instance.
> - keep the filter PBR on ge-1/3/0.
> - Add following configuration.
>
> [edit routing-options]
> user at host#
>
> interface-routes {
>   rib-group inet redist-local-routes;
> }
>
> rib-groups {
>   redist-local-routes {
>       import-rib [ inet.0 PBR.inet.0 ];
>   }
> }
>
> Then try the traffic again.
>
> Thanks,
> Nilesh.
>
>
>
>
> On 12/2/09 8:07 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>
> > Here is where I'm coming up with 'master', as you can see below 'master'
> > is valid. In either case, the src is 192.168.1.210 and destination is
> > 172.16.1.140..  If I create another routing-instance such as PBR2 and put
> > ge-1/3/0 into it and apply the firewall filter, it works properly.. It
> > just seems that you cannot call the default inet.0 within the firewall
> > filter as there is really no instance defined.
> >
> >
> >
> > root at JuniperM7i# show routing-instances
> > PBR {
> >     instance-type virtual-router;
> >     interface ge-0/1/0.0;
> >     routing-options {
> >         static {
> >             route 0.0.0.0/0 next-table inet.0;
> >         }
> >     }
> > }
> > master {
> >     instance-type virtual-router;
> > }
> >
> > [edit]
> > root at JuniperM7i# commit check
> > [edit routing-instances]
> >   'master'
> >     RT Instance: master is a reserved instance name
> > error: configuration check-out failed
> >
> >
> >
> >
> > root at JuniperM7i> show route instance
> > Instance             Type
> >          Primary RIB
> > Active/holddown/hidden
> > PBR                  virtual-router
> >          PBR.inet.0                                      3/0/0
> >
> > __juniper_private1__ forwarding
> >          __juniper_private1__.inet.0                     3/0/1
> >          __juniper_private1__.inet6.0                    4/0/0
> >
> > __juniper_private2__ forwarding
> >          __juniper_private2__.inet.0                     0/0/1
> >
> > __master.anon__      forwarding
> >
> > master               forwarding
> >          inet.0                                          7/0/0
> >          inet.1                                          5/0/0
> >          inet6.0                                         2/0/0
> >
> >
> > On Wed, Dec 2, 2009 at 10:44 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> >> What is the destination for the forward traffic? Is it one of the connected
> >> IPs on ge-0/1/0? I suspect the problem is with forward traffic rather than
> >> return traffic. Can you specify what will be the source and destination for
> >> the forward and return traffic?
> >>
> >> master.inet.0 is not the same as inet.0. "inet.0" refers to the default
> >> routing table for IPv4 lookup. "master.inet.0" refers to the IPv4 routing
> >> table for routing-instance name "master" which you don't have configured.
> >>
> >> Thanks,
> >> Nilesh.
> >>
> >>
> >>
> >>
> >> On 12/2/09 7:39 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
> >>
> >> Yes, you are correct.. it doesn't make it back to the source. I don't have
> >> any active routing protocols at all, so I pasted them all. We're just relying
> >> on the default route and directly connected routes. If I set the next-hop
> >> table to 'master.inet.0' it doesn't install the 0.0.0.0/0 route into
> >> PBR.inet.0 at all..
> >>
> >> root at JuniperM7i> show route extensive table inet.0
> >>
> >> inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
> >> Restart Complete
> >> 0.0.0.0/0 (1 entry, 1 announced)
> >> TSI:
> >> KRT in-kernel 0.0.0.0/0 -> {192.168.1.1}
> >>         *Static Preference: 5
> >>                 Next hop type: Router, Next hop index: 614
> >>                 Next-hop reference count: 3
> >>                 Next hop: 192.168.1.1 via ge-1/3/0.0, selected
> >>                 State: <Active Int Ext>
> >>                 Age: 1:26:03
> >>                 Task: RT
> >>                 Announcement bits (1): 0-KRT
> >>                 AS path: I
> >>
> >> 192.168.1.0/24 (1 entry, 0 announced)
> >>         *Direct Preference: 0
> >>                 Next hop type: Interface
> >>                 Next-hop reference count: 1
> >>                 Next hop: via ge-1/3/0.0, selected
> >>                 State: <Active Int>
> >>                 Age: 1:26:03
> >>                 Task: IF
> >>                 AS path: I
> >>
> >> 192.168.1.252/32 (1 entry, 0 announced)
> >>         *Local  Preference: 0
> >>                 Next hop type: Local
> >>                 Next-hop reference count: 6
> >>                 Interface: ge-1/3/0.0
> >>                 State: <Active NoReadvrt Int>
> >>                 Age: 1:26:03
> >>                 Task: IF
> >>                 AS path: I
> >>
> >>
> >>
> >> root at JuniperM7i> show route extensive table PBR.inet.0
> >>
> >> PBR.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
> >> 0.0.0.0/0 (1 entry, 1 announced)
> >> TSI:
> >> KRT in-kernel 0.0.0.0/0 -> {Table}
> >>         *Static Preference: 5
> >>                 Next table: inet.0
> >>                 Next-hop reference count: 3
> >>                 State: <Active Int Ext>
> >>                 Age: 22
> >>                 Task: RT
> >>                 Announcement bits (1): 0-KRT
> >>                 AS path: I
> >>
> >> 172.16.1.128/25 (1 entry, 0 announced)
> >>         *Direct Preference: 0
> >>                 Next hop type: Interface
> >>                 Next-hop reference count: 1
> >>                 Next hop: via ge-0/1/0.0, selected
> >>                 State: <Active Int>
> >>                 Age: 3:52:19
> >>                 Task: IF
> >>                 AS path: I
> >>
> >> 172.16.1.129/32 (1 entry, 0 announced)
> >>         *Local  Preference: 0
> >>                 Next hop type: Local
> >>                 Next-hop reference count: 6
> >>                 Interface: ge-0/1/0.0
> >>                 State: <Active NoReadvrt Int>
> >>                 Age: 3:52:20
> >>                 Task: IF
> >>                 AS path: I
> >>
> >>
> >>
> >>
> >>
> >> On Wed, Dec 2, 2009 at 10:26 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> >> So, are you saying that by adding a default route pointing to the inet.0
> >> table (default routing table) the return traffic is not getting routed
> >> via inet.0 to the appropriate egress interface?
> >>
> >> Is there any other more specific route in PBR.inet.0 for the return traffic
> >> destination?
> >>
> >> Is there a route for the return traffic destination in inet.0 pointing to the
> >> correct egress interface?
> >>
> >> Can you post "show route a.b.c.d extensive table PBR.inet.0" and then "show
> >> route a.b.c.d extensive"?
> >>
> >> Thanks,
> >> Nilesh
> >>
> >>
> >> On 12/2/09 7:21 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
> >>
> >> Just tried that, no dice.. I also tried 'master.inet.0' with no luck.
> >>
> >> If I pull the interfaces out of the global routing instance, I can
> >> successfully use a firewall filter to forward how I need it to. Unfortunately
> >> it just doesn't work when the interfaces are in the default instance..
> >>
> >> Thanks
> >>
> >> Chris
> >>
> >>
> >> On Wed, Dec 2, 2009 at 10:11 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
> >>
> >>
> >>
> >> On 12/2/09 7:10 PM, "Nilesh Khambal" <nkhambal at juniper.net> wrote:
> >>
> >>> - set virtual-router PBR routing-options static route 0.0.0.0/0 next-table
> >>>   inet.0
> >>
> >> Sorry the syntax should be
> >>
> >> - set routing-instances PBR routing-options static route 0.0.0.0/0
> >>   next-table inet.0
> >>
> >> Thanks,
> >> Nilesh.
> >>
>
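For readers landing on this thread later, here is the arrangement Nilesh's last suggestion describes, written out as one complete Junos configuration. This is an added example, not configuration posted by Chris or Nilesh: the routing-instance, interface-routes and rib-groups stanzas are taken from the messages above, while the interface addressing (derived from the 192.168.1.252/32 and 172.16.1.129/32 local routes Chris showed), the upstream next hop 192.168.1.1, the filter's match term on 192.168.1.210 and the counter name are assumptions, since the thread never shows the actual filter. ge-1/3/0 stays in the master instance with the filter applied, ge-0/1/0 lives in the PBR instance, and the rib-group copies the master instance's direct and local routes into PBR.inet.0 so the return path toward 192.168.1.0/24 exists there without a next-table default.

```junos
/* Added example configuration (not from the thread); addressing and the
   filter match term are assumptions, see the lead-in. */
interfaces {
    ge-1/3/0 {
        unit 0 {
            family inet {
                filter {
                    input PBR;               /* steer matching ingress traffic */
                }
                address 192.168.1.252/24;    /* assumed from the 192.168.1.252/32 local route */
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family inet {
                address 172.16.1.129/25;     /* assumed from the 172.16.1.129/32 local route */
            }
        }
    }
}

firewall {
    family inet {
        filter PBR {
            /* ASSUMPTION: only the source host from the thread is steered.
               Anything not matched by "steer" is accepted and forwarded
               by inet.0 as usual. */
            term steer {
                from {
                    source-address {
                        192.168.1.210/32;
                    }
                }
                then {
                    count steered;           /* visible in "show firewall filter PBR" */
                    routing-instance PBR;    /* lookup in PBR.inet.0 instead of inet.0 */
                }
            }
            term default {
                then accept;
            }
        }
    }
}

routing-instances {
    PBR {
        instance-type virtual-router;
        interface ge-0/1/0.0;
        /* No "static route 0.0.0.0/0 next-table inet.0" here: that is the
           variant that did not carry the return traffic for Chris. The leaked
           interface routes below supply the path back to 192.168.1.0/24. */
    }
}

routing-options {
    interface-routes {
        rib-group inet redist-local-routes;  /* master's direct/local routes ... */
    }
    rib-groups {
        redist-local-routes {
            import-rib [ inet.0 PBR.inet.0 ]; /* ... are installed in both tables */
        }
    }
    static {
        route 0.0.0.0/0 next-hop 192.168.1.1; /* assumed upstream, as in Chris's inet.0 */
    }
}
```

After commit, PBR.inet.0 should show 192.168.1.0/24 and 192.168.1.252/32 via ge-1/3/0.0 alongside the 172.16.1.128/25 direct route, which can be confirmed with "show route table PBR.inet.0" and, for the programmed forwarding state, "show route forwarding-table table PBR"; "show firewall filter PBR" confirms the steer term is actually matching. Two things worth checking when this is used to force traffic through a particular path: the rib-group as written leaks every directly connected prefix of the master instance into PBR.inet.0, so if only some of them should be reachable from the steered side, attach an import-policy to the rib-group rather than leaking everything; and a steered packet whose destination has no route in PBR.inet.0 is discarded rather than falling back to inet.0, so the tables should be verified rather than assumed whenever interfaces move between instances.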


More information about the juniper-nsp mailing list