[j-nsp] Filter based forwarding

Chris Evans chrisccnpspam2 at gmail.com
Thu Dec 3 00:00:06 EST 2009


Interesting point you bring up about the directly connected interfaces.. I
went back and just did the 0.0.0.0/0 to inet.0. (also without the rib-group
configuration) and did a connection sourcing from a different subnet than
the local interface. It luckily worked, so I agree with you on the directly
connected interface.

This is 9.6R2.11 code..

On Wed, Dec 2, 2009 at 11:51 PM, Chris Evans <chrisccnpspam2 at gmail.com> wrote:

> Interesting..
> Will update my SE on this and have him work with JTAC..
>
>
> On Wed, Dec 2, 2009 at 11:45 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>
>> We basically leaked the direct and local routes, which are nothing but
>> interface routes for the interfaces in the main routing instance, from inet.0 to
>> the PBR.inet.0 table using the rib-groups configuration. So the destination route
>> which is directly connected to ge-1/3/0 is now appearing as a local route in
>> PBR.inet.0. Looks like the next-table route had some limitations when
>> routing the traffic to the inet.0 table from PBR.inet.0 for connected routes. I
>> can't think of any such limitation as of now. The new configuration pretty
>> much achieved the same in a different way. Maybe the next-table method needs
>> some more investigation to see if it is really supported in this scenario
>> and if there are any known limitations in that area. You can do that by
>> opening a case with JTAC.
>>
>> Thanks,
>> Nilesh.
>>
>>
>> --------------------------------------------------
>> Sent from my mobile handheld device
>>
>> On Dec 2, 2009, at 8:27 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>>
>> Just tried and that appears to work..
>>
>> Can you explain what an interface-route is?
>>
>> On Wed, Dec 2, 2009 at 11:14 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> Weird. Can you try this configuration instead?
>>
>> - remove the default route from PBR.
>> - put ge-1/3/0 in default and ge-0/1/0 in PBR instance.
>> - keep the filter PBR on ge-1/3/0.
>> - Add following configuration.
>>
>> [edit routing-options]
>> user at host#
>>
>> interface-routes {
>>   rib-group inet redist-local-routes;
>> }
>>
>> rib-groups {
>>   redist-local-routes {
>>       import-rib [ inet.0 PBR.inet.0 ];
>>   }
>> }
>>
>> Then try the traffic again.
>>
>> Thanks,
>> Nilesh.
>>
>>
>>
>>
>> On 12/2/09 8:07 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>>
>> > Here is where I'm coming up with 'master', as you can see below 'master' is
>> > valid. In either case, the src is 192.168.1.210 and destination is
>> > 172.16.1.140. If I create another routing-instance such as PBR2 and put
>> > ge-1/3/0 into it and apply the firewall filter, it works properly. It just
>> > seems that you cannot call the default inet.0 within the firewall filter as
>> > there is really no instance defined.
>> >
>> >
>> >
>> > root at JuniperM7i# show routing-instances
>> > PBR {
>> >     instance-type virtual-router;
>> >     interface ge-0/1/0.0;
>> >     routing-options {
>> >         static {
>> >             route 0.0.0.0/0 next-table inet.0;
>> >         }
>> >     }
>> > }
>> > master {
>> >     instance-type virtual-router;
>> > }
>> >
>> > [edit]
>> > root at JuniperM7i# commit check
>> > [edit routing-instances]
>> >   'master'
>> >     RT Instance: master is a reserved instance name
>> > error: configuration check-out failed
>> >
>> >
>> >
>> >
>> > root at JuniperM7i> show route instance
>> > Instance             Type
>> >          Primary RIB                                     Active/holddown/hidden
>> > PBR                  virtual-router
>> >          PBR.inet.0                                      3/0/0
>> >
>> > __juniper_private1__ forwarding
>> >          __juniper_private1__.inet.0                     3/0/1
>> >          __juniper_private1__.inet6.0                    4/0/0
>> >
>> > __juniper_private2__ forwarding
>> >          __juniper_private2__.inet.0                     0/0/1
>> >
>> > __master.anon__      forwarding
>> >
>> > master               forwarding
>> >          inet.0                                          7/0/0
>> >          inet.1                                          5/0/0
>> >          inet6.0                                         2/0/0
>> >
>> >
>> > On Wed, Dec 2, 2009 at 10:44 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> >> What is the destination for the forward traffic? Is it one of the connected
>> >> IPs on ge-0/1/0? I suspect the problem is with forward traffic rather than
>> >> return traffic. Can you specify what will be the source and destination for
>> >> the forward and return traffic?
>> >>
>> >> master.inet.0 is not the same as inet.0. "inet.0" refers to the default
>> >> routing table for IPv4 lookup. "master.inet.0" refers to the IPv4 routing
>> >> table for routing-instance name "master", which you don't have configured.
>> >>
>> >> Thanks,
>> >> Nilesh.
>> >>
>> >>
>> >>
>> >>
>> >> On 12/2/09 7:39 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>> >>
>> >> Yes, you are correct.. it doesn't make it back to the source. I don't have
>> >> any active routing protocols at all, so I pasted them all. We're just relying
>> >> on the default route and directly connected routes. If I set the next-hop
>> >> table to 'master.inet.0' it doesn't install the 0.0.0.0/0 route into
>> >> PBR.inet.0 at all..
>> >>
>> >> root at JuniperM7i> show route extensive table inet.0
>> >>
>> >> inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
>> >> Restart Complete
>> >> 0.0.0.0/0          (1 entry, 1 announced)
>> >> TSI:
>> >> KRT in-kernel 0.0.0.0/0 -> {192.168.1.1}
>> >> {192.168.1.1}
>> >>         *Static Preference: 5
>> >>                 Next hop type: Router, Next hop index: 614
>> >>                 Next-hop reference count: 3
>> >>                 Next hop: 192.168.1.1 via ge-1/3/0.0, selected
>> >>                 State: <Active Int Ext>
>> >>                 Age: 1:26:03
>> >>                 Task: RT
>> >>                 Announcement bits (1): 0-KRT
>> >>                 AS path: I
>> >>
>> >> 192.168.1.0/24     (1 entry, 0 announced)
>> >>         *Direct Preference: 0
>> >>                 Next hop type: Interface
>> >>                 Next-hop reference count: 1
>> >>                 Next hop: via ge-1/3/0.0, selected
>> >>                 State: <Active Int>
>> >>                 Age: 1:26:03
>> >>                 Task: IF
>> >>                 AS path: I
>> >>
>> >> 192.168.1.252/32   (1 entry, 0 announced)
>> >>         *Local  Preference: 0
>> >>                 Next hop type: Local
>> >>                 Next-hop reference count: 6
>> >>                 Interface: ge-1/3/0.0
>> >>                 State: <Active NoReadvrt Int>
>> >>                 Age: 1:26:03
>> >>                 Task: IF
>> >>                 AS path: I
>> >>
>> >>
>> >>
>> >> root at JuniperM7i> show route extensive table PBR.inet.0
>> >>
>> >> PBR.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
>> >> 0.0.0.0/0          (1 entry, 1 announced)
>> >> TSI:
>> >> KRT in-kernel 0.0.0.0/0 -> {Table}
>> >>         *Static Preference: 5
>> >>                 Next table: inet.0
>> >>                 Next-hop reference count: 3
>> >>                 State: <Active Int Ext>
>> >>                 Age: 22
>> >>                 Task: RT
>> >>                 Announcement bits (1): 0-KRT
>> >>                 AS path: I
>> >>
>> >> 172.16.1.128/25    (1 entry, 0 announced)
>> >>         *Direct Preference: 0
>> >>                 Next hop type: Interface
>> >>                 Next-hop reference count: 1
>> >>                 Next hop: via ge-0/1/0.0, selected
>> >>                 State: <Active Int>
>> >>                 Age: 3:52:19
>> >>                 Task: IF
>> >>                 AS path: I
>> >>
>> >> 172.16.1.129/32    (1 entry, 0 announced)
>> >>         *Local  Preference: 0
>> >>                 Next hop type: Local
>> >>                 Next-hop reference count: 6
>> >>                 Interface: ge-0/1/0.0
>> >>                 State: <Active NoReadvrt Int>
>> >>                 Age: 3:52:20
>> >>                 Task: IF
>> >>                 AS path: I
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> On Wed, Dec 2, 2009 at 10:26 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> >> So, are you saying that by adding a default route pointing to the inet.0
>> >> table (default routing table) the return traffic is not getting routed
>> >> via inet.0 to the appropriate egress interface?
>> >>
>> >> Is there any other more specific route in PBR.inet.0 for the return traffic
>> >> destination?
>> >>
>> >> Is there a route for the return traffic destination in inet.0 pointing to the
>> >> correct egress interface?
>> >>
>> >> Can you post "show route a.b.c.d extensive table PBR.inet.0" and then "show
>> >> route a.b.c.d extensive"?
>> >>
>> >> Thanks,
>> >> Nilesh
>> >>
>> >>
>> >> On 12/2/09 7:21 PM, "Chris Evans" <chrisccnpspam2 at gmail.com> wrote:
>> >>
>> >> Just tried that, no dice.. I also tried 'master.inet.0' with no luck.
>> >>
>> >> If I pull the interfaces out of the global routing instance, I can
>> >> successfully use a firewall filter to forward how I need it to. Unfortunately
>> >> it just doesn't work when the interfaces are in the default instance..
>> >>
>> >> Thanks
>> >>
>> >> Chris
>> >>
>> >>
>> >> On Wed, Dec 2, 2009 at 10:11 PM, Nilesh Khambal <nkhambal at juniper.net> wrote:
>> >>
>> >>
>> >>
>> >> On 12/2/09 7:10 PM, "Nilesh Khambal" <nkhambal at juniper.net> wrote:
>> >>
>> >>> - set virtual-router PBR routing-options static route 0.0.0.0/0 next-table
>> >>>   inet.0
>> >>
>> >> Sorry the syntax should be
>> >>
>> >> - set routing-instances PBR routing-options static route 0.0.0.0/0
>> >>   next-table inet.0
>> >>
>> >> Thanks,
>> >> Nilesh.
>> >>
>> >>

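For reference, here is the complete filter-based-forwarding configuration that the thread converges on, assembled into one place. This is an added illustration, not configuration that Chris or Nilesh posted: the interface addresses (192.168.1.252/24 on ge-1/3/0, 172.16.1.129/25 on ge-0/1/0), the 192.168.1.1 default gateway, the PBR instance and the redist-local-routes rib-group are taken from the outputs above, while the filter terms themselves (the source-address match and the trailing accept) are assumptions, since the thread never shows the PBR filter.

```junos
/* Filter-based forwarding, Junos configuration-file syntax (load merge style).
   Traffic from 192.168.1.0/24 arriving on ge-1/3/0 is looked up in PBR.inet.0;
   everything else on that interface stays in inet.0. Addresses and names are
   from the thread; the filter terms are assumptions. */
interfaces {
    ge-1/3/0 {
        unit 0 {
            family inet {
                /* The filter is applied to an interface that stays in the main instance. */
                filter {
                    input PBR;
                }
                address 192.168.1.252/24;
            }
        }
    }
    ge-0/1/0 {
        unit 0 {
            family inet {
                address 172.16.1.129/25;
            }
        }
    }
}
routing-options {
    static {
        /* Default route of the main instance (inet.0). */
        route 0.0.0.0/0 next-hop 192.168.1.1;
    }
    /* Leak the main instance's direct and local routes into PBR.inet.0 so that
       return traffic entering ge-0/1/0 finds 192.168.1.0/24 without relying on
       a next-table default route. The first import-rib must be the primary
       table of the instance the rib-group is applied in, here inet.0. */
    interface-routes {
        rib-group inet redist-local-routes;
    }
    rib-groups {
        redist-local-routes {
            import-rib [ inet.0 PBR.inet.0 ];
        }
    }
}
routing-instances {
    PBR {
        instance-type virtual-router;
        /* ge-0/1/0 lives in the PBR instance, so 172.16.1.128/25 is a direct
           route in PBR.inet.0 and the forward lookup resolves there. */
        interface ge-0/1/0.0;
    }
}
firewall {
    family inet {
        filter PBR {
            term to-pbr {
                from {
                    /* Assumed match; the thread does not show the filter body. */
                    source-address {
                        192.168.1.0/24;
                    }
                }
                then {
                    routing-instance PBR;
                }
            }
            term default {
                /* Junos filters end in an implicit discard. Without this term,
                   any ge-1/3/0 traffic that misses to-pbr is dropped instead
                   of being routed in inet.0. */
                then accept;
            }
        }
    }
}
```

After commit, `show route table PBR.inet.0 192.168.1.210` should show 192.168.1.0/24 as a Direct route via ge-1/3/0.0, which is the leaked entry that carries the return traffic; if it is missing, the rib-group is not being applied to interface routes. Two operational points worth keeping in mind: the trailing `then accept` is what keeps non-matching traffic on ge-1/3/0 flowing, so a filter that is edited later and loses it silently blackholes that interface; and leaking main-instance interface routes into PBR.inet.0 makes every main-instance connected subnet reachable from hosts behind ge-0/1/0, which is a deliberate change to the isolation between the two instances, not just a fix for the return path.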
