[j-nsp] PBR needs to be applied on tunnel interface (st0)

Stefan Fouant sfouant at shortestpathfirst.net
Thu Aug 5 08:21:35 EDT 2010


> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Tony Frank
> Sent: Thursday, August 05, 2010 7:35 AM
> To: Fahad Khan; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] PBR needs to be applied on tunnel interface (st0)
> 
> Hi,
> 
> > I need policy based routing, but the packet receiving interface is
> st0. Now you cannot apply a filter on st0, so FBF fails here.
> > Can anybody suggest the resolution?
> 
> The good old trick of a loop link could do it.
> You could use a logical tunnel, or a pair of spare physical ports with a
> hairpin/loop cable.
> 
> Place st0 and one end of the loop in their own instance, with routes either to st0 or
> the loop as appropriate.
> Then apply PBR to the other end of the loop.

That's one option, but perhaps he could also simply apply the FBF function
to the traffic after it's been decrypted?  I know this could be done with
the older next-hop style service sets... there should probably be an
equivalent method in Junos for Security Devices (aka Enhanced Services)...

Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
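For readers who want to see the logical-tunnel hairpin Tony describes laid out in Junos configuration, here is an added example; it is not from the thread and not vendor documentation. Interface numbers (lt-0/0/0), instance names (VPN-INGRESS, VIA-ISP-B), the 10.255.0.0/30 loop prefix, the 10.10.0.0/16 remote-site prefix and the 192.0.2.1 next hop are all assumptions. On an SRX the lt- units would additionally have to be placed in security zones with matching policies, which is omitted here.

```junos
/* Added example, not from the original thread. Names and prefixes are assumed. */
interfaces {
    lt-0/0/0 {
        unit 0 {                          /* tunnel-side end of the loop, lives in VPN-INGRESS */
            encapsulation ethernet;
            peer-unit 1;
            family inet {
                address 10.255.0.1/30;
            }
        }
        unit 1 {                          /* far end of the loop, lives in inet.0; PBR applied here */
            encapsulation ethernet;
            peer-unit 0;
            family inet {
                filter {
                    input FBF-FROM-TUNNEL;
                }
                address 10.255.0.2/30;
            }
        }
    }
}
routing-instances {
    VPN-INGRESS {                         /* holds st0 and one end of the loop */
        instance-type virtual-router;
        interface st0.0;
        interface lt-0/0/0.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.255.0.2;   /* decrypted traffic is pushed across the loop */
            }
        }
    }
    VIA-ISP-B {                           /* forwarding instance selected by the filter */
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.0.2.1;    /* assumed alternate next hop */
            }
        }
    }
}
routing-options {
    static {
        route 10.10.0.0/16 next-hop 10.255.0.1;       /* return path back into the tunnel instance */
    }
    interface-routes {
        rib-group inet FBF-RIB;
    }
    rib-groups {
        FBF-RIB {
            import-rib [ inet.0 VIA-ISP-B.inet.0 ];    /* let the forwarding instance resolve its next hop */
        }
    }
}
firewall {
    family inet {
        filter FBF-FROM-TUNNEL {
            term to-isp-b {
                from {
                    source-address 10.10.0.0/16;      /* assumed remote-site prefix arriving via st0 */
                }
                then {
                    routing-instance VIA-ISP-B;
                }
            }
            term default {
                then accept;                          /* everything else follows inet.0 */
            }
        }
    }
}
```

The point of the hairpin is that the filter never has to be bound to st0 at all: the tunnel instance only knows one way out (across lt-0/0/0.0), so every decrypted packet re-enters the box on lt-0/0/0.1 where an ordinary input filter with a routing-instance action is supported. When verifying, check that the st0 route and the lt- loop route sit in different instances (`show route table VPN-INGRESS.inet.0` versus `show route table inet.0`), otherwise the default route in VPN-INGRESS and the return route in inet.0 can form a forwarding loop.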


