[j-nsp] different default for different vlans
Cord MacLeod
cordmacleod at gmail.com
Mon Mar 23 20:13:22 EDT 2009
Excellent options from everyone. I had thought of this before but I
simply was upset about the absence of an except term for the
firewall. Instead I simply used different terms for accepting packets
and policy routed packets.
On Mar 23, 2009, at 5:09 PM, Truman Boyes wrote:
> Hi,
>
> A simple example for FBF would look like this:
>
> lab at cs-m10i> show configuration groups tdb-fbf logical-routers manhattan routing-instances
> manhattan-alternate {
>     instance-type forwarding;
> }
>
> lab at cs-m10i> show configuration groups tdb-fbf logical-routers manhattan routing-options
> interface-routes {
>     rib-group inet if-route;
>     family inet {
>         import local-comm;
>     }
> }
>
> rib-groups {
>     if-route {
>         import-rib [ inet.0 manhattan-alternate.inet.0 ];
>     }
> }
>
> And then a filter that puts the traffic into the correct routing
> instance:
>
> lab at cs-m10i> show configuration groups tdb-fbf firewall
> filter manhattan-fbf {
>     term 1 {
>         from {
>             source-address {
>                 1.1.1.1/32;
>             }
>         }
>         then {
>             logical-router manhattan routing-instance manhattan-alternate;
>         }
>     }
>     term 2 {
>         then accept;
>     }
> }
>
>
> You can configure a different 0/0 static route inside the routing-instance ...
>
> Cheers,
> Truman
>
>
> On 24/03/2009, at 5:06 AM, Nilesh Khambal wrote:
>
>> Hi,
>>
>> Sorry, but I am not familiar with EX CLI. I presumed it would be
>> same as any other M/T/MX CLI. Please feel free to check with JTAC
>> on this.
>>
>> However, I still think you can achieve what you want using policy
>> based routing. An ingress filter (Layer3) on your LAN interface
>> will forward all the traffic from the local VLAN to a routing-instance
>> (or LR or VR) which hosts the interface to your proxy server. This
>> routing-instance will also have the other Layer3 interfaces on this EX
>> (protocol direct) via route redistribution using rib-groups. This
>> way, if the traffic is for one of the locally attached subnets, it
>> will be routed locally using the redistributed direct routes; else
>> it will be routed out using the default route via the proxy.
>>
>>
>> Thanks,
>> Nilesh.
>>
>>
>> Cord MacLeod wrote:
>>> I wish it were. This is all traffic except for local traffic.
>>> Any explanation for why the ex4200 doesn't have the except keyword?
>>> On Mar 20, 2009, at 6:55 PM, Nilesh Khambal wrote:
>>>> Are you using the proxy just for http and https? If so, then can you be
>>>> specific in the filters with protocol and ports? You can add a
>>>> default accept at the end of the filter to accept all other
>>>> traffic that does not match http or https. Traffic accepted by
>>>> the default accept will get routed using the inet.0 routing table.
>>>>
>>>> This way you don't have to use "except" in filter terms.
>>>>
>>>> Thanks,
>>>> Nilesh
>>>>
>>>> Cord MacLeod wrote:
>>>>> That would be great, and I thought of it just after I sent the
>>>>> email. There's one big thing I'm missing though... except.
>>>>> From an m7:
>>>>> Possible completions:
>>>>> <[Enter]> Execute this command
>>>>> except Match address not in this prefix
>>>>> From an ex4200:
>>>>> <[Enter]> Execute this command
>>>>> In other words, all of my traffic would hit this proxy and it
>>>>> would break routing between the vlans if I use policy based
>>>>> routing and can't use except.
>>>>> On Mar 20, 2009, at 6:37 PM, Nilesh Khambal wrote:
>>>>>> Can you try policy based routing using an input firewall filter
>>>>>> on the EX? This way you can redirect the traffic to another
>>>>>> forwarding-instance where your proxy resides. You will also
>>>>>> have to take care of reverse routing from the proxy
>>>>>> forwarding instance back to inet.0 on the EX so that return
>>>>>> traffic can go back to the client VLANs.
>>>>>>
>>>>>> Thanks,
>>>>>> Nilesh.
>>>>>>
>>>>>> Cord MacLeod wrote:
>>>>>>> I feel silly for asking this, but apparently my brain isn't
>>>>>>> working today.
>>>>>>> I've got some machines in a public vlan, 100 and some RFC
>>>>>>> 1918 machines on another vlan, 120. I redistribute 0.0.0.0
>>>>>>> in ospf through my network down to these EX4200's that the
>>>>>>> machines are hanging off of. Is there a way for my RFC
>>>>>>> 1918 machines to default to a different next hop (proxy
>>>>>>> machine) when not attempting to route between vlans, so they
>>>>>>> can hit outside? The way we do it now is changing the
>>>>>>> default gateway on the machines. I'd like to perform this
>>>>>>> automatically on the ex4200s if possible.
>>>>>>> Any ideas?
>>>>>>> _______________________________________________
>>>>>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>>>>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
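To make the mechanism the thread settles on concrete, here is an added Python model of the filter-based-forwarding decision. It is not code from the thread or from Junos; it simulates what the box does: a first-match firewall filter picks a routing table per source, the alternate forwarding instance carries a default route to the proxy, and the rib-group leaks the connected (direct) routes into that instance so inter-VLAN traffic still resolves locally. All addressing (192.0.2.0/24 on vlan.100, 10.0.120.0/24 on vlan.120, a proxy at 10.0.200.10 on vlan.200, an OSPF default via 198.51.100.1) and the instance name proxy-alt are constructed assumptions. The `leak_direct_routes=False` path shows why Cord's concern about the missing `except` keyword goes away once the direct routes are in the instance: without them, traffic to the other VLAN would be sent to the proxy.

```python
"""Model of Junos filter-based forwarding (FBF): filter selects a table,
table does longest-prefix match. Constructed example, not Junos code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str  # "direct <ifl>" for connected routes, otherwise a next-hop IP


@dataclass
class RoutingTable:
    name: str
    routes: List[Route] = field(default_factory=list)

    def add(self, prefix: str, next_hop: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, as the forwarding table does."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


# Constructed connected routes (assumed interfaces and subnets).
DIRECT = [
    ("192.0.2.0/24", "direct vlan.100"),   # public VLAN
    ("10.0.120.0/24", "direct vlan.120"),  # RFC 1918 VLAN
    ("10.0.200.0/24", "direct vlan.200"),  # subnet where the proxy sits
]


def build_tables(leak_direct_routes: bool = True) -> Dict[str, RoutingTable]:
    """inet.0 holds the OSPF default; proxy-alt.inet.0 holds a static default
    to the proxy. The rib-group import is what copies DIRECT into the instance."""
    inet0 = RoutingTable("inet.0")
    alt = RoutingTable("proxy-alt.inet.0")
    for prefix, nh in DIRECT:
        inet0.add(prefix, nh)
        if leak_direct_routes:  # effect of: rib-groups X import-rib [ inet.0 proxy-alt.inet.0 ]
            alt.add(prefix, nh)
    inet0.add("0.0.0.0/0", "198.51.100.1")  # default learned via OSPF (assumed)
    alt.add("0.0.0.0/0", "10.0.200.10")     # static 0/0 inside the instance -> proxy (assumed)
    return {t.name: t for t in (inet0, alt)}


@dataclass
class Term:
    name: str
    source_prefixes: List[ipaddress.IPv4Network]  # empty list = match any source
    action: Tuple[str, str]  # ("routing-instance", table) or ("accept", "inet.0")


# Input filter on the RFC 1918 VLAN: first matching term wins, like Junos.
FILTER = [
    Term("to-proxy", [ipaddress.ip_network("10.0.120.0/24")], ("routing-instance", "proxy-alt.inet.0")),
    Term("default", [], ("accept", "inet.0")),
]


def select_table(src: str) -> Optional[str]:
    """Return the table the filter sends this source to; None = implicit discard."""
    addr = ipaddress.ip_address(src)
    for term in FILTER:
        if not term.source_prefixes or any(addr in p for p in term.source_prefixes):
            return term.action[1]
    return None


def forward(src: str, dst: str, leak_direct_routes: bool = True) -> Tuple[str, Optional[str]]:
    """Simulate one packet: filter picks the table, table picks the next hop."""
    tables = build_tables(leak_direct_routes)
    table_name = select_table(src)
    if table_name is None:
        return ("discard", None)
    route = tables[table_name].lookup(dst)
    return (table_name, route.next_hop if route else None)


if __name__ == "__main__":
    cases = [
        ("10.0.120.5", "192.0.2.10", True),    # RFC1918 host -> other VLAN: stays local
        ("10.0.120.5", "203.0.113.7", True),   # RFC1918 host -> internet: via proxy
        ("192.0.2.10", "203.0.113.7", True),   # public host: normal inet.0 default
        ("10.0.120.5", "192.0.2.10", False),   # no rib-group: inter-VLAN traffic hits the proxy
    ]
    for src, dst, leak in cases:
        print(f"{src} -> {dst} (direct routes leaked={leak}): {forward(src, dst, leak)}")
```

The fourth case is the failure mode the thread is about: with the filter alone, every packet from the RFC 1918 VLAN would land in the proxy instance and follow its 0/0, including packets for the neighbouring VLAN. Leaking the direct routes with the rib-group restores inter-VLAN forwarding without needing an `except` match in the filter.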