[j-nsp] PBR needs to be applied on tunnel interface (st0)
Stefan Fouant
sfouant at shortestpathfirst.net
Thu Aug 5 08:21:35 EDT 2010
> -----Original Message-----
> From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> bounces at puck.nether.net] On Behalf Of Tony Frank
> Sent: Thursday, August 05, 2010 7:35 AM
> To: Fahad Khan; juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] PBR needs to be applied on tunnel interface (st0)
>
> Hi,
>
> > I need policy based routing, but the packet receiving interface is
> > st0. Now you cannot apply a filter on st0, so FBF fails here.
> > Can anybody suggest the resolution?
>
> The good old trick of a loop link could do it.
> You could use logical tunnel, or pair of spare physical port with a
> hairpin/loop cable.
>
> Place st0 and one end of loop in own instance, routes either to st0 or
> loop as appropriate.
> Then apply PBR to other end of the loop.
That's one option, but perhaps he could also simply apply the FBF function
to the traffic after it's been decrypted? I know this could be done with
the older next-hop style service sets... there should probably be an
equivalent method in Junos for Security Devices (aka Enhanced Services)...
Stefan Fouant, CISSP, JNCIEx2
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D
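
The loop-link approach quoted above, sketched as Junos set commands; this is an added example, not configuration posted by anyone in the thread. All interface units, addresses, prefixes, and the names VPN-LOOP, PBR-FROM-VPN and FBF-ISP2 are constructed assumptions. It also assumes a platform where lt- interfaces are available, and it omits the security zone and policy configuration a security device would additionally require.

```junos
# Logical tunnel pair acting as the loop link (units and addresses are constructed)
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 192.0.2.1/30
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set interfaces lt-0/0/0 unit 1 family inet address 192.0.2.2/30

# st0 and one end of the loop live in their own instance.
# Decrypted traffic arriving on st0.0 is routed across the loop;
# traffic for the remote VPN subnet (constructed prefix) goes back into the tunnel.
set routing-instances VPN-LOOP instance-type virtual-router
set routing-instances VPN-LOOP interface st0.0
set routing-instances VPN-LOOP interface lt-0/0/0.0
set routing-instances VPN-LOOP routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
set routing-instances VPN-LOOP routing-options static route 10.10.0.0/16 next-hop st0.0

# Main instance: return path to the remote VPN subnet goes back over the loop
set routing-options static route 10.10.0.0/16 next-hop 192.0.2.1

# Filter-based forwarding is applied on the other end of the loop,
# where an input filter is possible
set firewall family inet filter PBR-FROM-VPN term web from protocol tcp
set firewall family inet filter PBR-FROM-VPN term web from destination-port 80
set firewall family inet filter PBR-FROM-VPN term web then routing-instance FBF-ISP2
set firewall family inet filter PBR-FROM-VPN term default then accept
set interfaces lt-0/0/0 unit 1 family inet filter input PBR-FROM-VPN

# Forwarding instance that holds the alternate next hop (constructed address)
set routing-instances FBF-ISP2 instance-type forwarding
set routing-instances FBF-ISP2 routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# Share interface routes so the forwarding instance can resolve its next hop
set routing-options rib-groups FBF-RIBS import-rib [ inet.0 FBF-ISP2.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RIBS
```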