[j-nsp] Multi Option FBF (PBR)

Chris Evans chrisccnpspam2 at gmail.com
Mon Aug 30 21:00:50 EDT 2010


Joe

Can you post your Cisco PBR statements? The ACLs and route-maps, please.

Chris
> Sorry if this is a repeat post but it looks like the first one did not
> go through.
>
> I have recently been working on migration from a Cisco (6509) to
> Juniper (EX4200) environment and we have a policy based route in the
> Cisco environment that I am having a hard time replicating.
>
> I have 3 options for the policy route which is for our user segments;
> all others don't go through and follow the regular routing table. If you
> are going to our DMZ, go out our DMZ backend firewall. If you are
> staying on the local network, follow the general routing table; if you
> are going to the Internet, go to our proxy / web filter.
>
> Below is what I have in the switch right now. When I do a show route
> 1.2.3.3 for example it will show the static route of 2.2.2.2 and the
> Firewall.inet.0 route of 10.10.1.11 but never the DMZ.inet.0 route
> (which is what I want it to follow). I'm sure I'm not understanding
> something here correctly so any assistance would be appreciated.
> Config is below.
>
> Thanks,
>
> Joe
>
> routing-options {
>     interface-routes {
>         rib-group inet FWProxy;
>     }
>     static {
>         route 1.2.3.0/25 next-hop 2.2.2.2;
>     }
>     rib-groups {
>         FWProxy {
>             import-rib [ inet.0 Firewall.inet.0 DMZ.inet.0 ];
>         }
>     }
> }
>
> routing-instances {
>     DMZ {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 1.2.3.0/25 next-hop 172.16.9.28;
>             }
>         }
>     }
>     Firewall {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop 10.10.1.11;
>             }
>         }
>     }
> }
>
> firewall {
>     family inet {
>         filter Firewall-Proxy {
>             term 1 {
>                 from {
>                     destination-address {
>                         10.0.0.0/8;
>                         172.16.0.0/16;
>                         192.168.0.0/16;
>                     }
>                 }
>                 then {
>                     count InternalCount;
>                     accept;
>                 }
>             }
>             term 2 {
>                 from {
>                     destination-address {
>                         1.2.3.0/25;
>                     }
>                 }
>                 then {
>                     count DMZCount;
>                     routing-instance DMZ;
>                 }
>             }
>             term 3 {
>                 then {
>                     count ProxyCount;
>                     routing-instance Firewall;
>                 }
>             }
>         }
>     }
> }
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
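As an added illustration (not part of this thread or of Joe's switch configuration), the following Python model walks a destination address through the quoted filter and tables: terms are evaluated in order and the first match picks the table, and a static route inside a forwarding instance is only active when its next-hop resolves against another route in that same table, which is what the interface-routes rib-group import exists for. The directly connected subnets 172.16.9.0/24, 2.2.2.0/24 and 10.10.1.0/24 are assumptions made for the example.

```python
import ipaddress

# Filter Firewall-Proxy from the post: terms in order, first match wins.
# A term without a "from" clause (None) matches everything; "accept"
# leaves the packet in the default table inet.0.
FILTER_TERMS = [
    (["10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16"], "inet.0"),   # term 1
    (["1.2.3.0/25"], "DMZ.inet.0"),                                    # term 2
    (None, "Firewall.inet.0"),                                         # term 3
]

# Constructed interface routes (assumption): rib-group FWProxy copies them
# into inet.0, Firewall.inet.0 and DMZ.inet.0 so next-hops can resolve there.
CONNECTED = {"172.16.9.0/24": "direct", "2.2.2.0/24": "direct", "10.10.1.0/24": "direct"}

# Static routes exactly as configured in the three tables.
STATICS = {
    "inet.0":          {"1.2.3.0/25": "2.2.2.2"},
    "DMZ.inet.0":      {"1.2.3.0/25": "172.16.9.28"},
    "Firewall.inet.0": {"0.0.0.0/0": "10.10.1.11"},
}

def build_table(name, import_interface_routes=True):
    """Active routes of one table: a static is installed only if its next-hop
    falls inside some other route already present in that same table."""
    table = dict(CONNECTED) if import_interface_routes else {}
    for prefix, nh in STATICS[name].items():
        if any(ipaddress.ip_address(nh) in ipaddress.ip_network(p) for p in table):
            table[prefix] = nh
    return table

def lookup(table, dst):
    """Longest-prefix match in one table; returns (prefix, next_hop) or None."""
    addr, best = ipaddress.ip_address(dst), None
    for prefix, nh in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return (str(best[0]), best[1]) if best else None

def classify(dst):
    """Name of the table the filter hands a packet to, by first matching term."""
    addr = ipaddress.ip_address(dst)
    for prefixes, table in FILTER_TERMS:
        if prefixes is None or any(addr in ipaddress.ip_network(p) for p in prefixes):
            return table

def forward(dst, import_interface_routes=True):
    """(table name, chosen route) for dst; None route means no usable path."""
    name = classify(dst)
    return name, lookup(build_table(name, import_interface_routes), dst)
```

Calling `forward("1.2.3.3")` gives the DMZ route via 172.16.9.28, while `forward("1.2.3.3", import_interface_routes=False)` shows the same static hidden because nothing in DMZ.inet.0 covers its next-hop, so `show route` in that table would not list it.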

