[j-nsp] Filter based forwarding and SCU/DCU
Alex
alex.arseniev at gmail.com
Wed Oct 7 14:31:47 EDT 2009
SCU/DCU works only in output FW filters
http://www.juniper.net/techpubs/en_US/junos9.6/information-products/topic-collections/config-guide-policy/policy-configuring-match-conditions-in-firewall-filter-terms.html#id-10823080
You can specify a source class or destination class for an output firewall
filter. Although you can specify a source class and destination class for an
input firewall filter, the counters are incremented only if the firewall
filter is applied on the output interface.
The class-based filter match condition works only for output filters because
the source class usage (SCU) and destination class usage (DCU) are
determined after route lookup.
HTH
Cheers
Alex
----- Original Message -----
From: "Ioan Branet" <ioan.branet at gmail.com>
To: "juniper-nsp" <juniper-nsp at puck.nether.net>
Sent: Wednesday, October 07, 2009 2:40 PM
Subject: [j-nsp] Filter based forwarding and SCU/DCU
> Hello,
>
> Has anyone configured filter-based forwarding using a filter in which you
> match traffic using source-class usage?
>
> I want to forward traffic matching particular source-class to a specific
> routing-instance.
>
> It seems that these 2 features do not work together according to:
> http://www.juniper.net/techpubs/software/junos/junos72/swconfig72-policy/html/firewall-config33.html
>
> The topology looks like this
>
> R1-----R2----Customer router 1
>         |
>         |
>   Customer router 2
>
>
> R1 and R2 are both ISP routers, R2 is the router on which I configure FBF
> and SCU/DCU.
>
> I want the metro traffic matched by community METRO to be forwarded to
> Customer router 2's IP address and all other traffic to be forwarded
> normally.
>
> R2 has EBGP session with Customer router 1.
>
> The FBF filter should be configured inbound on the link R1-R2 on R2.
>
> Configuration
>
> routing-instances {
>     INSTANCE {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop <Customer router 2 IP>;
>             }
>         }
>     }
> }
> routing-options {
>     forwarding-table {
>         export SCU_DCU;
>     }
>     interface-routes {
>         rib-group inet RIB_GROUP;
>     }
>     rib-groups {
>         RIB_GROUP {
>             import-rib [ inet.0 INSTANCE.inet.0 ];
>         }
>     }
> }
> protocols {
>     bgp {
>         group R2-CUSTOMER1 {
>             type external;
>             neighbor <Customer router 1 IP> {
>                 peer-as 1;
>             }
>         }
>     }
> }
> policy-options {
>     community PEER members 2:1;
>     community METRO members 2:2;
>     community NATIONAL members 2:3;
>     policy-statement SCU_DCU {
>         term PEER {
>             from {
>                 protocol bgp;
>                 community PEER;
>             }
>             then {
>                 destination-class DCU-PEER;
>                 source-class SCU-PEER;
>                 next policy;
>             }
>         }
>         term METRO {
>             from {
>                 protocol bgp;
>                 community METRO;
>             }
>             then {
>                 destination-class DCU-METRO;
>                 source-class SCU-METRO;
>                 next policy;
>             }
>         }
>         term NATIONAL {
>             from {
>                 protocol bgp;
>                 community NATIONAL;
>             }
>             then {
>                 destination-class DCU-NATIONAL;
>                 source-class SCU-NATIONAL;
>                 next policy;
>             }
>         }
>         term REMAINING {
>             then {
>                 destination-class DCU-REMAINING;
>                 source-class SCU-REMAINING;
>                 next policy;
>             }
>         }
>     }
> }
> firewall {
>     family inet {
>         filter CUSTOMER_SCU {
>             term CUSTOMER-SCU-INTERNATIONAL {
>                 from {
>                     source-class SCU-REMAINING;
>                 }
>                 then {
>                     policer SCU-INTERNATIONAL;
>                     /* routing-instance is itself a terminating action,
>                        so no separate accept is given in this term */
>                     routing-instance INSTANCE;
>                 }
>             }
>             term 2 {
>                 then accept;
>             }
>         }
>     }
> }
>
> CUSTOMER_SCU filter is applied outbound on the interface between R2 and
> Customer router 1.
>
>
> On the interface between R1 and R2 on R2 I apply:
>
> family inet {
>     accounting {
>         source-class-usage {
>             input;
>         }
>     }
> }
> Any alternative if this solution does not work?
> How to forward traffic to different next-hops by matching communities/AS
> path/SCU/DCU?
>
>
> Thank you,
> Ioan
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
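The following is an added illustration of the placement Alex describes, not configuration from either poster: source-class accounting is enabled as `input` on the upstream link (R1-R2) and as `output` on the customer-facing link, and the class-based match lives only in a filter applied in the output direction on that customer-facing interface, where SCU has already been resolved by the route lookup. The interface names ge-0/0/0 (toward R1) and ge-0/0/1 (toward Customer router 1), the counter name and the filter term names are assumed; the class names SCU-METRO and SCU-REMAINING are taken from the policy in the original post.

```junos
/* Added example, not from the original post. Interface names are assumed. */
interfaces {
    ge-0/0/0 {
        description "link to R1 (upstream)";
        unit 0 {
            family inet {
                accounting {
                    /* classify the packet's source prefix on ingress */
                    source-class-usage {
                        input;
                    }
                }
            }
        }
    }
    ge-0/0/1 {
        description "link to Customer router 1";
        unit 0 {
            family inet {
                accounting {
                    /* SCU counters are only incremented on the egress side */
                    source-class-usage {
                        output;
                    }
                }
                filter {
                    /* class-based match conditions only work in an output filter */
                    output CUSTOMER_SCU_OUT;
                }
            }
        }
    }
}
firewall {
    family inet {
        filter CUSTOMER_SCU_OUT {
            term METRO {
                from {
                    source-class SCU-METRO;
                }
                then {
                    /* count/police is fine here; routing-instance (FBF) is not,
                       because the forwarding decision has already been made */
                    count metro-by-scu;
                    accept;
                }
            }
            term REMAINING {
                from {
                    source-class SCU-REMAINING;
                }
                then {
                    policer SCU-INTERNATIONAL;
                    accept;
                }
            }
            term DEFAULT {
                then accept;
            }
        }
    }
}
```

After committing, `show firewall filter CUSTOMER_SCU_OUT` should show the `metro-by-scu` counter incrementing for traffic sourced from METRO-tagged prefixes, and `show interfaces source-class all` shows the per-class packet and byte counts on ge-0/0/1. If the same `source-class` term is placed in an input filter on ge-0/0/0, it commits but never matches, which is the behaviour the documentation quoted above describes.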