[j-nsp] PBR needs to be applied on tunnel interface (st0)

Fahad Khan fahad.khan at gmail.com
Sat Aug 7 10:46:17 EDT 2010


Actually, if a filter is applied on an interface, then in packet
processing the very first thing done when a packet reaches that
interface is the application of the filter. So in the case of the st0
interface, the filter is applied first and only then is the decryption
done; hence FBF does not work here.

Can you guys please elaborate your solutions?

regards,
Muhammad Fahad Khan
JNCIP - M/T # 834
IT Specialist
Global Technology Services, IBM
fahad at pk.ibm.com
+92-301-8247638
Skype: fahad-ibm
http://pk.linkedin.com/in/muhammadfahadkhan


On Thu, Aug 5, 2010 at 5:21 PM, Stefan Fouant <sfouant at shortestpathfirst.net> wrote:

> > -----Original Message-----
> > From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-
> > bounces at puck.nether.net] On Behalf Of Tony Frank
> > Sent: Thursday, August 05, 2010 7:35 AM
> > To: Fahad Khan; juniper-nsp at puck.nether.net
> > Subject: Re: [j-nsp] PBR needs to be applied on tunnel interface (st0)
> >
> > Hi,
> >
> > > I need policy-based routing, but the packet receiving interface is
> > st0. Now you cannot apply a filter on st0, so FBF fails here.
> > > Can anybody suggest a resolution?
> >
> > The good old trick of a loop link could do it.
> > You could use a logical tunnel, or a pair of spare physical ports with a
> > hairpin/loop cable.
> >
> > Place st0 and one end of the loop in their own instance, with routes either
> > to st0 or to the loop as appropriate.
> > Then apply PBR to the other end of the loop.
>
> That's one option, but perhaps he could also simply apply the FBF function
> to the traffic after it's been decrypted? I know this could be done with
> the older next-hop style service sets... there should probably be an
> equivalent method in Junos for Security Devices (aka Enhanced Services)...
>
> Stefan Fouant, CISSP, JNCIEx2
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>
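Added illustration of the loop-link approach Tony describes above (this is not configuration posted in the thread): a logical-tunnel pair in Junos set-style syntax, with st0.0 and one lt unit isolated in their own virtual-router so that decrypted traffic is forced across the loop, and the FBF filter applied on the other lt unit, where the packets arrive already decrypted. The lt interface name, instance names, addresses and the matched source prefix are all assumed values.

```junos
# Logical tunnel pair: unit 0 and unit 1 are the two ends of the loop (assumed interface)
set interfaces lt-0/0/0 unit 0 encapsulation ethernet
set interfaces lt-0/0/0 unit 0 peer-unit 1
set interfaces lt-0/0/0 unit 0 family inet address 10.255.0.1/30
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
# FBF filter goes on the far end of the loop, not on st0, so it sees decrypted packets
set interfaces lt-0/0/0 unit 1 family inet filter input FBF-FROM-TUNNEL
set interfaces lt-0/0/0 unit 1 family inet address 10.255.0.2/30
# st0.0 and the near end of the loop live in their own virtual-router;
# its only exit is the default route across the loop (assumed instance name)
set routing-instances VPN-IN instance-type virtual-router
set routing-instances VPN-IN interface st0.0
set routing-instances VPN-IN interface lt-0/0/0.0
set routing-instances VPN-IN routing-options static route 0.0.0.0/0 next-hop 10.255.0.2
# Forwarding instance used as the FBF target, with interface routes leaked in
# via a rib-group so its next-hop can resolve (assumed next-hop address)
set routing-options interface-routes rib-group inet FBF-RIBS
set routing-options rib-groups FBF-RIBS import-rib inet.0
set routing-options rib-groups FBF-RIBS import-rib PBR-VIA-ISP-B.inet.0
set routing-instances PBR-VIA-ISP-B instance-type forwarding
set routing-instances PBR-VIA-ISP-B routing-options static route 0.0.0.0/0 next-hop 203.0.113.1
# The FBF filter itself: steer one assumed source prefix into the forwarding instance
set firewall family inet filter FBF-FROM-TUNNEL term to-isp-b from source-address 192.0.2.0/24
set firewall family inet filter FBF-FROM-TUNNEL term to-isp-b then routing-instance PBR-VIA-ISP-B
set firewall family inet filter FBF-FROM-TUNNEL term default then accept
```

With this layout, traffic entering st0.0 is decrypted in VPN-IN, follows the default route over the loop, and is classified by FBF-FROM-TUNNEL on lt-0/0/0.1 after decryption; a physical hairpin cable between two spare ports works the same way with the two physical units in place of the lt pair.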