[j-nsp] different default for different vlans

Nilesh Khambal nkhambal at juniper.net
Fri Mar 20 21:55:17 EDT 2009


Are you using the proxy just for http and https? If so, then you can be specific
in the filters with protocol and ports. You can add a default accept at
the end of the filter to accept all other traffic that does not match
http or https. Traffic accepted by the default accept will get routed using
the inet.0 routing table.

This way you don't have to use "except" in filter terms.

Thanks,
Nilesh

Cord MacLeod wrote:
> That would be great, and I thought of it just after I sent the email.
> There's one big thing I'm missing though... except.
> 
> From an m7:
> Possible completions:
>    <[Enter]>            Execute this command
>    except               Match address not in this prefix
> 
> 
> From an ex4200:
> Possible completions:
>    <[Enter]>            Execute this command
> 
> 
> In other words, all of my traffic would hit this proxy and it would
> break routing between the vlans if I use policy based routing and
> can't use except.
> 
> 
> On Mar 20, 2009, at 6:37 PM, Nilesh Khambal wrote:
> 
>> Can you try policy based routing using an input firewall filter on EX?
>> This way you can redirect the traffic to another forwarding-instance
>> where your proxy resides. You will also have to take care of reverse
>> routing from the proxy forwarding instance back to inet.0 on EX so
>> that return traffic can go back to the client VLANs.
>>
>> Thanks,
>> Nilesh.
>>
>> Cord MacLeod wrote:
>>> I feel silly for asking this, but apparently my brain isn't
>>> working today.
>>> I've got some machines in a public vlan, 100, and some RFC 1918
>>> machines on another vlan, 120. I redistribute 0.0.0.0 in ospf
>>> through my network down to these EX4200's that the machines are
>>> hanging off of. Is there a way for my RFC 1918 machines to
>>> default to a different next hop (proxy machine) when not attempting
>>> to route between vlans, so they can hit outside? The way we do it
>>> now is changing the default gateway on the machines. I'd like to
>>> perform this automatically on the ex4200s if possible.
>>> Any ideas?
>>> _______________________________________________
>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
> 
> 

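The following is an added example of the approach the thread converges on (an input filter on the VLAN 120 routed interface that steers only http/https into a forwarding instance whose default route is the proxy, with a final default accept so everything else stays in inet.0). It is not configuration posted by either participant. The prefixes (192.0.2.0/24 for VLAN 100, 10.120.0.0/24 for VLAN 120), the proxy address 10.120.0.5, and the names VLAN120-TO-PROXY, PROXY-VR and SHARE-IFL are all assumed for illustration. The "except" Cord is missing is expressed by term ordering instead: destinations inside the two VLANs hit an explicit accept before the redirect term is evaluated.

```junos
/* Added example, not from the original thread. Prefixes, addresses and names are assumed. */
firewall {
    family inet {
        filter VLAN120-TO-PROXY {
            /* Terms are evaluated top-down; the first match wins.
               An early accept is the substitute for "except". */
            term keep-inter-vlan-routing {
                from {
                    destination-address {
                        192.0.2.0/24;       /* public VLAN 100 (assumed) */
                        10.120.0.0/24;      /* RFC 1918 VLAN 120 (assumed) */
                    }
                }
                then accept;                /* normal lookup in inet.0 */
            }
            /* The proxy sits on VLAN 120 here, so its own outbound
               web traffic enters this same filter. Without this term it
               would be redirected back to itself. */
            term from-proxy {
                from {
                    source-address {
                        10.120.0.5/32;      /* proxy (assumed) */
                    }
                }
                then accept;
            }
            term web-via-proxy {
                from {
                    protocol tcp;
                    destination-port [ http https ];
                }
                then routing-instance PROXY-VR;
            }
            term everything-else {
                then accept;                /* default accept: routed via inet.0 */
            }
        }
    }
}
routing-instances {
    PROXY-VR {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.120.0.5;   /* proxy (assumed) */
            }
        }
    }
}
routing-options {
    /* Leak the directly connected interface routes into the forwarding
       instance so that PROXY-VR can resolve the proxy next hop, and so
       traffic the instance handles can still reach the client VLANs. */
    interface-routes {
        rib-group inet SHARE-IFL;
    }
    rib-groups {
        SHARE-IFL {
            import-rib [ inet.0 PROXY-VR.inet.0 ];
        }
    }
}
interfaces {
    vlan {
        unit 120 {
            family inet {
                filter {
                    input VLAN120-TO-PROXY;
                }
                address 10.120.0.1/24;      /* assumed */
            }
        }
    }
}
```

After commit, `show route table PROXY-VR.inet.0` should show both the static default via the proxy and the leaked interface routes; if only the default is present the rib-group is not applied and the redirected packets will have no resolvable next hop. Because the proxy here is on the same VLAN as the clients, return traffic from the proxy to clients is bridged on VLAN 120 and needs no extra routing; if the proxy is moved to its own VLAN, the rib-group leak (or a static route in PROXY-VR back toward 10.120.0.0/24) is what carries the reverse path Nilesh mentions.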
