[j-nsp] Filter based forwarding on Olive

Ioan Branet ioan.branet at gmail.com
Tue Sep 15 05:37:23 EDT 2009 

Hello,

I used another filter applied to the interfaces which denies anything and it
seems that the filter is not working when applied to em1.0 interface.

Do you know what could be the cause?


root at R1> show configuration interfaces em1.0
family inet {
    filter {
        input DENY_ALL;
    }
    address 150.1.13.1/24;
}
family mpls;
root at R1> show configuration firewall filter DENY_ALL
term 1 {
    then {
        reject;
    }
}


root at R3> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1): 56 data bytes
64 bytes from 1.1.1.1: icmp_seq=0 ttl=64 time=0.498 ms
^C
--- 1.1.1.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.498/0.498/0.498/0.000 ms

root at R3> ping 150.1.15.1
PING 150.1.15.1 (150.1.15.1): 56 data bytes
64 bytes from 150.1.15.1: icmp_seq=0 ttl=64 time=0.780 ms
^C
--- 150.1.15.1 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.780/0.780/0.780/0.000 ms

root at R3> traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets
 1  1.1.1.1 (1.1.1.1)  1.341 ms  0.771 ms  0.073 ms


root at R3> show route forwarding-table destination 1.1.1.1
Routing table: default.inet
Internet:
Destination        Type RtRef Next hop           Type Index NhRef Netif
1.1.1.1/32         user     1 150.1.13.1         ucst   554    10 em1.0

root at R3> show configuration interfaces em1.0
family inet {
    address 150.1.13.3/24;
}
family mpls;

root at R3> show ospfne
              ^
syntax error, expecting <command>.
root at R3> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
150.1.13.1       em1.0                  Full      1.1.1.1          128    39


Olive relevant  file :

ethernet1.present = "TRUE"
ethernet1.connectionType = "custom"
ethernet1.vnet = "/dev/vmnet8"
ethernet1.virtualDev = "e1000"

ethernet1.addressType = "generated"
ethernet1.pciSlotNumber = "34"
ethernet1.generatedAddress = "00:0c:29:5a:3f:c1"
ethernet1.generatedAddressOffset = "10"

ethernet2.present = "TRUE"
ethernet2.connectionType = "custom"
ethernet2.vnet = "/dev/vmnet2"
ethernet2.virtualDev = "e1000"

ethernet2.addressType = "generated"
ethernet2.pciSlotNumber = "35"
ethernet2.generatedAddress = "00:0c:29:5a:3f:cb"
ethernet2.generatedAddressOffset = "20"


On Tue, Sep 15, 2009 at 11:10 AM, Ioan Branet <ioan.branet at gmail.com> wrote:

> Hello Group,
>
> I want to test the feature on Olive and it seems that is not ok.When I try
> to ping R5 loopback from R3 I receive icmp unreachable from R1 where the
> filter is applied.
>
> It seems that the filter is seen as unknown when applied to em1.0 interface
> on input.
>
> If you have a working example with instance type forwarding or instance
> type virtual router used with FBF it will help.
>
>
>
> My topology looks like this:
>
> R3 ----em0.0----R1---em2.0---R5
>
> My configuration looks like this:
>
> root at R1> show configuration firewall filter FBF
> term 1 {
>     then {
>         routing-instance FBF;
>     }
> }
>
> root at R1> show configuration routing-instances FBF
> instance-type forwarding;
> routing-options {
>     static {
>         route 0.0.0.0/0 next-hop 150.1.15.5;
>     }
> }
>
> root at R1> show configuration routing-options
> interface-routes {
>     rib-group inet FBF;
> }
> rib-groups {
>     FBF {
>         import-rib [ inet.0 FBF.inet.0 ];
>     }
>
> root at R1> show configuration interfaces
> em0 {
>     unit 0 {
>         family inet {
>             address 150.1.12.1/24;
>         }
>         family mpls;
>     }
> }
> em1 {
>     unit 0 {
>         family inet {
>             filter {
>                 input FBF;
>             }
>             address 150.1.13.1/24;
>         }
>         family mpls;
>     }
> }
> em2 {
>     unit 0 {
>         family inet {
>             address 150.1.15.1/24;
>         }
>         family mpls;
>     }
> }
> lo0 {
>     unit 0 {
>         family inet {
>             address 1.1.1.1/32;
>         }
>     }
> }
>
> root at R3> show route 0.0.0.0
>
> inet.0: 19 destinations, 28 routes (19 active, 0 holddown, 1 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0          *[Static/5] 03:08:35
>                     > to 150.1.13.1 via em1.0
>
> root at R3>
>
> root at R1> show route 0.0.0.0
>
> FBF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0          *[Static/5] 00:03:10
>                     > to 150.1.15.5 via em2.0
>
> root at R1> show route 5.5.5.5
>
> FBF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0          *[Static/5] 00:03:16
>                     > to 150.1.15.5 via em2.0
>
>
> root at R1> show route forwarding-table destination 0.0.0.0
> Routing table: default.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> 0.0.0.0/32         perm     0                    dscd    34     1
>
> Routing table: __juniper_private1__.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> 0.0.0.0/32         perm     0                    dscd   114     1
>
> Routing table: __juniper_private2__.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> 0.0.0.0/32         perm     0                    dscd   194     1
>
> Routing table: FBF.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> 0.0.0.0/32         perm     0                    dscd   529     1
>
> root at R1>
>
> root at R1> show interfaces filters em1.0
> Interface       Admin Link Proto Input Filter         Output Filter
> em1.0           up    up   inet  unknown
>                            mpls
>
> root at R3> traceroute 5.5.5.5
> traceroute to 5.5.5.5 (5.5.5.5), 30 hops max, 40 byte packets
>  1  150.1.13.1 (150.1.13.1)  0.881 ms  0.671 ms  0.128 ms
>  2  150.1.13.1 (150.1.13.1)  0.483 ms !H  0.694 ms !H  0.098 ms !H
>
> root at R3> ping 5.5.5.5 source 150.1.13.3
> PING 5.5.5.5 (5.5.5.5): 56 data bytes
> 36 bytes from 150.1.13.1: Destination Host Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 0054 6a0f   0 0000  40  01 638c 150.1.13.3  5.5.5.5
>
> 36 bytes from 150.1.13.1: Destination Host Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 0054 6a10   0 0000  40  01 638b 150.1.13.3  5.5.5.5
>
> ^C
> --- 5.5.5.5 ping statistics ---
> 2 packets transmitted, 0 packets received, 100% packet loss
>
>
> root at R1> ping routing-instance FBF 5.5.5.5 source 150.1.15.1
> PING 5.5.5.5 (5.5.5.5): 56 data bytes
> ping: sendto: Can't assign requested address
> ping: sendto: Can't assign requested address
> ping: sendto: Can't assign requested address
> ping: sendto: Can't assign requested address
> ^C
> --- 5.5.5.5 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
>
> root at R1>
>
> root at R1> show route forwarding-table destination 5.5.5.5
> Routing table: default.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> default            perm     0                    rjct    36     1
>
> Routing table: __juniper_private1__.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> default            perm     0                    rjct   116     1
>
> Routing table: __juniper_private2__.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> default            perm     0                    rjct   196     1
>
> Routing table: FBF.inet
> Internet:
> Destination        Type RtRef Next hop           Type Index NhRef Netif
> default            user     0 0:c:29:bb:f:be     ucst   547     4 em2.0
> default            perm     0                    rjct   531     1
>
> root at R1>
>
>
>
>
>
>

More information about the juniper-nsp mailing list