[j-nsp] Multi Option FBF (PBR)

Joe Goldberg joe.goldberg at falconstor.com
Mon Aug 30 16:53:23 EDT 2010


Sorry if this is a repeat post but it looks like the first one did not
go through.

I have recently been working on migration from a Cisco (6509) to
Juniper (EX4200) environment and we have a policy based route in the
Cisco environment that I am having a hard time replicating.

I have 3 options for the policy route which is for our user segments;
all others follow the regular routing table. If you
are going to our DMZ go out our DMZ backend firewall. If you are
staying on the local network follow the general routing table, if you
are going to the Internet go to our proxy / web filter.

Below is what I have in the switch right now. When I do a show route
1.2.3.3 for example it will show the static route of 2.2.2.2 and the
Firewall.inet.0 route of 10.10.1.11 but never the DMZ.inet.0 route
(which is what I want it to follow). I'm sure I'm not understanding
something here correctly so any assistance would be appreciated.
Config is below.

Thanks,

Joe

routing-options {
    interface-routes {
        rib-group inet FWProxy;
    }
    static {
        route 1.2.3.0/25 next-hop 2.2.2.2;
    }
    rib-groups {
        FWProxy {
            import-rib [ inet.0 Firewall.inet.0 DMZ.inet.0 ];
        }
    }
}

routing-instances {
    DMZ {
        instance-type forwarding;
        routing-options {
            static {
                route 1.2.3.0/25 next-hop 172.16.9.28;
            }
        }
    }
    Firewall {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.1.11;
            }
        }
    }
}

firewall {
    family inet {
        filter Firewall-Proxy {
            term 1 {
                from {
                    destination-address {
                        10.0.0.0/8;
                        172.16.0.0/16;
                        192.168.0.0/16;
                    }
                }
                then {
                    count InternalCount;
                    accept;
                }
            }
            term 2 {
                from {
                    destination-address {
                        1.2.3.0/25;
                    }
                }
                then {
                    count DMZCount;
                    routing-instance DMZ;
                }
            }
            term 3 {
                then {
                    count ProxyCount;
                    routing-instance Firewall;
                }
            }
        }
    }
}
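An added Python model of the config above (written for this page, not code from the post or from Junos) that walks a destination through the Firewall-Proxy terms and then does a longest-prefix lookup in the table the matching term selects. The direct routes it assumes (172.16.9.0/24, 10.10.1.0/24, 2.2.2.0/24) stand in for the interface routes the FWProxy rib-group copies into each table; the post does not show the EX's interface addressing, so they are constructed. It also models the rule that a static route is usable only if its next-hop resolves to a direct route in the same table, which is one reason a route can be absent from a forwarding instance's output.

```python
import ipaddress

# Constructed model of the three tables. "direct" entries are the interface
# routes the FWProxy rib-group imports into every table; their prefixes are
# assumptions, as the post does not show the switch's interface addressing.
DIRECT = {"172.16.9.0/24": "direct", "10.10.1.0/24": "direct", "2.2.2.0/24": "direct"}
TABLES = {
    "inet.0":          {"1.2.3.0/25": "2.2.2.2", **DIRECT},
    "DMZ.inet.0":      {"1.2.3.0/25": "172.16.9.28", **DIRECT},
    "Firewall.inet.0": {"0.0.0.0/0": "10.10.1.11", **DIRECT},
}
# Filter Firewall-Proxy, term by term: (name, match prefixes or None for
# match-all, table the packet is looked up in; "accept" means plain inet.0).
TERMS = [
    ("1", ["10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16"], "inet.0"),
    ("2", ["1.2.3.0/25"], "DMZ.inet.0"),
    ("3", None, "Firewall.inet.0"),
]

def classify(dst):
    """Return (term, table) chosen by the first matching filter term."""
    addr = ipaddress.ip_address(dst)
    for name, prefixes, table in TERMS:
        if prefixes is None or any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name, table
    raise AssertionError("term 3 matches everything")  # not reachable

def lookup(table, dst, tables=TABLES):
    """Longest-prefix match in one table. A static route is only usable when its
    next-hop lies inside a direct route of the *same* table, mirroring the Junos
    rule that hides a static whose next-hop cannot be resolved there."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in tables[table].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    if best is None:
        return None  # no route at all in this table
    nh = best[1]
    if nh == "direct":
        return nh
    nh_addr = ipaddress.ip_address(nh)
    directs = [ipaddress.ip_network(p) for p, v in tables[table].items() if v == "direct"]
    return nh if any(nh_addr in d for d in directs) else None  # None = hidden

def forward(dst, tables=TABLES):
    """What filter + tables do with a packet to dst: (term, table, next-hop)."""
    term, table = classify(dst)
    return term, table, lookup(table, dst, tables)
```

Passing a table set without the 172.16.9.0/24 direct route to `lookup` shows the DMZ static becoming hidden, which is the first thing to check against the real `show route table DMZ.inet.0` output.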
