[j-nsp] Filter based forwarding on Olive
Stefan Fouant
sfouant at gmail.com
Tue Sep 15 08:20:46 EDT 2009
Comments in-line...
On Tue, Sep 15, 2009 at 4:10 AM, Ioan Branet <ioan.branet at gmail.com> wrote:
> Hello Group,
>
> I want to test the feature on Olive and it seems that it is not OK. When I try
> to ping R5 loopback from R3 I receive icmp unreachable from R1 where the
> filter is applied.
>
> It seems that the filter is seen as unknown when applied to em1.0 interface
> on input.
>
> If you have a working example with instance type forwarding or instance type
> virtual router used with FBF it will help.
>
>
>
> My topology looks like this:
>
> R3 ----em0.0----R1---em2.0---R5
>
In the diagram above I'm assuming you mean em1.0, not em0.0? Because you
applied the ingress firewall filter to em1.0.
> My configuration looks like this:
>
> root@R1> show configuration firewall filter FBF
> term 1 {
>     then {
>         routing-instance FBF;
>     }
> }
>
> root@R1> show configuration routing-instances FBF
> instance-type forwarding;
> routing-options {
>     static {
>         route 0.0.0.0/0 next-hop 150.1.15.5;
>     }
> }
>
> root@R1> show configuration routing-options
> interface-routes {
>     rib-group inet FBF;
> }
> rib-groups {
>     FBF {
>         import-rib [ inet.0 FBF.inet.0 ];
>     }
> }
>
> root@R1> show configuration interfaces
> em0 {
>     unit 0 {
>         family inet {
>             address 150.1.12.1/24;
>         }
>         family mpls;
>     }
> }
> em1 {
>     unit 0 {
>         family inet {
>             filter {
>                 input FBF;
>             }
>             address 150.1.13.1/24;
>         }
>         family mpls;
>     }
> }
> em2 {
>     unit 0 {
>         family inet {
>             address 150.1.15.1/24;
>         }
>         family mpls;
>     }
> }
> lo0 {
>     unit 0 {
>         family inet {
>             address 1.1.1.1/32;
>         }
>     }
> }
>
> root@R3> show route 0.0.0.0
>
> inet.0: 19 destinations, 28 routes (19 active, 0 holddown, 1 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0 *[Static/5] 03:08:35
> > to 150.1.13.1 via em1.0
>
> root@R3>
>
> root@R1> show route 0.0.0.0
>
> FBF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0 *[Static/5] 00:03:10
> > to 150.1.15.5 via em2.0
>
> root@R1> show route 5.5.5.5
>
> FBF.inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
> + = Active Route, - = Last Active, * = Both
>
> 0.0.0.0/0 *[Static/5] 00:03:16
> > to 150.1.15.5 via em2.0
>
>
> root@R1> show route forwarding-table destination 0.0.0.0
> Routing table: default.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> 0.0.0.0/32 perm 0 dscd 34 1
>
> Routing table: __juniper_private1__.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> 0.0.0.0/32 perm 0 dscd 114 1
>
> Routing table: __juniper_private2__.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> 0.0.0.0/32 perm 0 dscd 194 1
>
> Routing table: FBF.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> 0.0.0.0/32 perm 0 dscd 529 1
>
> root@R1>
>
> root@R1> show interfaces filters em1.0
> Interface Admin Link Proto Input Filter Output Filter
> em1.0 up up inet unknown
> mpls
>
> root@R3> traceroute 5.5.5.5
> traceroute to 5.5.5.5 (5.5.5.5), 30 hops max, 40 byte packets
> 1 150.1.13.1 (150.1.13.1) 0.881 ms 0.671 ms 0.128 ms
> 2 150.1.13.1 (150.1.13.1) 0.483 ms !H 0.694 ms !H 0.098 ms !H
>
> root@R3> ping 5.5.5.5 source 150.1.13.3
> PING 5.5.5.5 (5.5.5.5): 56 data bytes
> 36 bytes from 150.1.13.1: Destination Host Unreachable
> Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
> 4 5 00 0054 6a0f 0 0000 40 01 638c 150.1.13.3 5.5.5.5
>
> 36 bytes from 150.1.13.1: Destination Host Unreachable
> Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
> 4 5 00 0054 6a10 0 0000 40 01 638b 150.1.13.3 5.5.5.5
>
> ^C
> --- 5.5.5.5 ping statistics ---
> 2 packets transmitted, 0 packets received, 100% packet loss
>
>
> root@R1> ping routing-instance FBF 5.5.5.5 source 150.1.15.1
> PING 5.5.5.5 (5.5.5.5): 56 data bytes
> ping: sendto: Can't assign requested address
> ping: sendto: Can't assign requested address
> ping: sendto: Can't assign requested address
> ping: sendto: Can't assign requested address
> ^C
>
150.1.15.1 is associated with your em2.0 interface which is not bound to the
FBF routing-instance, therefore you can't specify it as the source of the
packet when sourcing pings from the FBF routing-instance.
> --- 5.5.5.5 ping statistics ---
> 4 packets transmitted, 0 packets received, 100% packet loss
>
> root@R1>
>
> root@R1> show route forwarding-table destination 5.5.5.5
> Routing table: default.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> default perm 0 rjct 36 1
>
> Routing table: __juniper_private1__.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> default perm 0 rjct 116 1
>
> Routing table: __juniper_private2__.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> default perm 0 rjct 196 1
>
> Routing table: FBF.inet
> Internet:
> Destination Type RtRef Next hop Type Index NhRef Netif
> default user 0 0:c:29:bb:f:be ucst 547 4 em2.0
> default perm 0 rjct 531 1
>
> root@R1>
>
Does R5 have routes back to R3?
--
Stefan Fouant
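
Added example, not part of the original thread and not Junos code: a simplified Python model of the route lookup R1 performs under the configuration quoted above. The prefixes, next hop and interface names are taken from the quoted configuration; the function names and the `filter_active` and `import_interface_routes` switches are hypothetical and exist only to compare a packet that the input filter hands to FBF.inet.0 with one that is looked up in inet.0, and to show what the rib-group import contributes.

```python
import ipaddress

# Constructed from the R1 configuration quoted in the thread.
DIRECT = {"150.1.12.0/24": "em0.0", "150.1.13.0/24": "em1.0", "150.1.15.0/24": "em2.0"}
FBF_STATIC = {"0.0.0.0/0": "150.1.15.5"}   # routing-instances FBF static route
INPUT_FILTER = {"em1.0": "FBF"}            # filter FBF: then routing-instance FBF


def build_tables(import_interface_routes=True):
    """Return {table: {prefix: ("direct", ifname) or ("static", next_hop)}}."""
    inet0 = {p: ("direct", i) for p, i in DIRECT.items()}
    fbf = {p: ("static", nh) for p, nh in FBF_STATIC.items()}
    if import_interface_routes:  # rib-group FBF: import-rib [ inet.0 FBF.inet.0 ]
        fbf.update(inet0)
    return {"inet.0": inet0, "FBF.inet.0": fbf}


def lpm(table, addr):
    """Longest-prefix match; returns the route entry or None."""
    ip = ipaddress.ip_address(addr)
    hits = [(ipaddress.ip_network(p), r) for p, r in table.items()
            if ip in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def forward(tables, in_if, dst, filter_active=True):
    """Return (table used, outcome) for a packet arriving on in_if."""
    name = "inet.0"
    if filter_active and in_if in INPUT_FILTER:
        name = INPUT_FILTER[in_if] + ".inet.0"
    route = lpm(tables[name], dst)
    if route is None:
        return name, "reject"
    kind, val = route
    if kind == "direct":
        return name, f"direct via {val}"
    nh = lpm(tables[name], val)  # a static next hop must resolve in the same table
    if nh is None or nh[0] != "direct":
        return name, "next hop unresolved"
    return name, f"to {val} via {nh[1]}"


if __name__ == "__main__":
    t = build_tables()
    print(forward(t, "em1.0", "5.5.5.5"))                       # filter in effect
    print(forward(t, "em1.0", "5.5.5.5", filter_active=False))  # filter not in effect
    print(forward(build_tables(False), "em1.0", "5.5.5.5"))     # no rib-group import
```

In this model the first case matches the `FBF.inet` forwarding entry shown in the thread (em2.0), and the second matches the `rjct` default in `default.inet`.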