[j-nsp] different default for different vlans
Truman Boyes
truman at suspicious.org
Mon Mar 23 20:09:36 EDT 2009
Hi,
A simple example for FBF would look like this:
lab at cs-m10i> show configuration groups tdb-fbf logical-routers manhattan routing-instances
manhattan-alternate {
instance-type forwarding;
}
lab at cs-m10i> show configuration groups tdb-fbf logical-routers manhattan routing-options
interface-routes {
rib-group inet if-route;
family inet {
import local-comm;
}
}
rib-groups {
if-route {
import-rib [ inet.0 manhattan-alternate.inet.0 ];
}
}
And then a filter that puts the traffic into the correct routing
instance:
lab at cs-m10i> show configuration groups tdb-fbf firewall
filter manhattan-fbf {
term 1 {
from {
source-address {
1.1.1.1/32;
}
}
then {
logical-router manhattan routing-instance manhattan-alternate;
}
}
term 2 {
then accept;
}
}
You can configure a different 0/0 static route inside the routing-instance ...
Cheers,
Truman
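A complete single-switch version of the setup discussed in this thread, written as an added example (not Truman's configuration above and not Juniper's documentation): it uses a plain forwarding routing-instance rather than the logical-router of the M10i example, and it assumes VLAN 120 is 10.0.120.0/24 behind the EX, the proxy is 198.51.100.10 on VLAN 100, and the instance, rib-group, filter and term names are made up.

```junos
routing-instances {
    proxy-vr {
        instance-type forwarding;
        routing-options {
            static {
                # Constructed next hop: the proxy host on VLAN 100.
                route 0.0.0.0/0 next-hop 198.51.100.10;
            }
        }
    }
}
# Copy every direct route into proxy-vr.inet.0 so inter-VLAN traffic
# (and traffic to the proxy itself) matches a /24 ahead of the 0/0.
routing-options {
    interface-routes {
        rib-group inet if-rib;
    }
    rib-groups {
        if-rib {
            import-rib [ inet.0 proxy-vr.inet.0 ];
        }
    }
}
# Only VLAN 120 sources are steered; the final accept leaves all other
# traffic on inet.0, so no "except" match is needed on the EX.
firewall {
    family inet {
        filter vlan120-to-proxy {
            term steer-vlan120 {
                from { source-address { 10.0.120.0/24; } }
                then routing-instance proxy-vr;
            }
            term allow-rest {
                then accept;
            }
        }
    }
}
# Applied on ingress of the VLAN 120 routed interface (RVI).
interfaces {
    vlan {
        unit 120 {
            family inet {
                filter {
                    input vlan120-to-proxy;
                }
                address 10.0.120.1/24;
            }
        }
    }
}
```

Check it with "show route table proxy-vr.inet.0": the directly connected /24s must appear next to the 0/0 static, because without them VLAN 120 hosts talking to VLAN 100 would be sent to the proxy instead of being routed locally.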
On 24/03/2009, at 5:06 AM, Nilesh Khambal wrote:
> Hi,
>
> Sorry, but I am not familiar with EX CLI. I presumed it would be the
> same as any other M/T/MX CLI. Please feel free to check with JTAC
> on this.
>
> However, I still think you can achieve what you want using policy
> based routing. An ingress filter (Layer 3) on your LAN interface will
> forward all the traffic from the local VLAN to a routing-instance (or LR
> or VR) which hosts the interface to your proxy server. This routing-
> instance will also have the other Layer 3 interfaces on this EX (protocol
> direct) via route redistribution using rib-groups. This way, if the
> traffic is for one of the locally attached subnets, it will be routed
> locally using the redistributed direct routes, else it will be
> routed out using the default route via the proxy.
>
>
> Thanks,
> Nilesh.
>
>
> Cord MacLeod wrote:
>> I wish it were. This is all traffic except for local traffic.
>> Any explanation for why the ex4200 doesn't have the except keyword?
>> On Mar 20, 2009, at 6:55 PM, Nilesh Khambal wrote:
>>> Are you using the proxy just for http and https? If so, then can you be
>>> specific in the filters with protocol and ports. You can add a
>>> default accept at the end of the filter to accept all other
>>> traffic that does not match http or https. Traffic accepted by
>>> the default accept will get routed using the inet.0 routing table.
>>>
>>> This way you don't have to use "except" in filter terms.
>>>
>>> Thanks,
>>> Nilesh
>>>
>>> Cord MacLeod wrote:
>>>> That would be great, and I thought of it just after I sent the
>>>> email. There's one big thing I'm missing though... except.
>>>> From an m7:
>>>> Possible completions:
>>>> <[Enter]> Execute this command
>>>> except Match address not in this prefix
>>>> From an ex4200:
>>>> <[Enter]> Execute this command
>>>> In other words, all of my traffic would hit this proxy and it
>>>> would break routing between the vlans if I use policy based
>>>> routing and can't use except.
>>>> On Mar 20, 2009, at 6:37 PM, Nilesh Khambal wrote:
>>>>> Can you try policy based routing using an input firewall filter on
>>>>> the EX? This way you can redirect the traffic to another
>>>>> forwarding-instance where your proxy resides. You will also
>>>>> have to take care of reverse routing from the proxy forwarding
>>>>> instance back to inet.0 on the EX so that return traffic can go
>>>>> back to the client VLANs.
>>>>>
>>>>> Thanks,
>>>>> Nilesh.
>>>>>
>>>>> Cord MacLeod wrote:
>>>>>> I feel silly for asking this, but apparently my brain isn't
>>>>>> working today.
>>>>>> I've got some machines in a public vlan, 100, and some RFC
>>>>>> 1918 machines on another vlan, 120. I redistribute 0.0.0.0
>>>>>> in ospf through my network down to these EX4200s that the
>>>>>> machines are hanging off of. Is there a way for my RFC 1918
>>>>>> machines to default to a different next hop (proxy machine)
>>>>>> when not attempting to route between vlans, so they can hit
>>>>>> outside? The way we do it now is changing the default
>>>>>> gateway on the machines. I'd like to perform this
>>>>>> automatically on the ex4200s if possible.
>>>>>> Any ideas?
>>>>>> _______________________________________________
>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp