[j-nsp] Multi Option FBF (PBR)

Joe Goldberg joe.goldberg at falconstor.com
Mon Aug 30 21:59:49 EDT 2010


Chris,

Thanks for your reply; below is the Cisco config.  This is from
production (IPs changed to protect the innocent).  On the Juniper
config the Firewall route instance appears to be working; the DMZ is
not.

ip route 1.2.3.0 255.255.255.128 5.4.3.2

access-list 50 permit 10.0.0.0 0.255.255.255
access-list 50 permit 172.16.0.0 0.0.255.255
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 125 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 125 permit ip 10.0.0.0 0.255.255.255 172.16.0.0 0.0.255.255
access-list 125 permit ip 10.0.0.0 0.255.255.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 125 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.255.255.255
access-list 125 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 135 permit ip 10.0.0.0 0.255.255.255 1.2.3.0 0.0.0.127
access-list 135 permit ip 172.16.0.0 0.0.255.255 1.2.3.0 0.0.0.127
access-list 135 permit ip 192.168.0.0 0.0.255.255 1.2.3.0 0.0.0.127

route-map firewall-proxy permit 5
 match ip address 135
 set ip next-hop 172.16.9.28
!
route-map firewall-proxy permit 10
 match ip address 125
!
route-map firewall-proxy permit 20
 match ip address 50
 set ip next-hop 10.10.1.11

On Mon, Aug 30, 2010 at 4:53 PM, wrote:
> Joe
>
> Can you post your Cisco pbr statements. The acls and route-maps please.
>
> Chris
> Sorry if this is a repeat post but it looks like the first one did not
> go through.
>
> I have recently been working on migration from a Cisco(6509)  to
> Juniper (EX4200) environment and we have a policy based route in the
> Cisco environment that I am having a hard time replicating.
>
> I have 3 options for the policy route, which is for our user segments;
> all others don't go through it and follow the regular routing table. If you
> are going to our DMZ, go out our DMZ backend firewall.  If you are
> staying on the local network, follow the general routing table; if you
> are going to the Internet, go to our proxy / web filter.
>
> Below is what I have in the switch right now.  When I do a show route
> 1.2.3.3, for example, it will show the static route of 2.2.2.2 and the
> Firewall.inet.0 route of 10.10.1.11 but never the DMZ.inet.0 route
> (which is what I want it to follow).  I'm sure I'm not understanding
> something here correctly, so any assistance would be appreciated.
> Config is below.
>
> Thanks,
>
> Joe
>
> routing-options {
>     interface-routes {
>         rib-group inet FWProxy;
>     }
>     static {
>         route 1.2.3.0/25 next-hop 2.2.2.2;
>     }
>     rib-groups {
>         FWProxy {
>             import-rib [ inet.0 Firewall.inet.0 DMZ.inet.0 ];
>         }
>     }
> }
>
> routing-instances {
>     DMZ {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 1.2.3.0/25 next-hop 172.16.9.28;
>             }
>         }
>     }
>     Firewall {
>         instance-type forwarding;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop 10.10.1.11;
>             }
>         }
>     }
> }
>
> firewall {
>     family inet {
>         filter Firewall-Proxy {
>             term 1 {
>                 from {
>                     destination-address {
>                         10.0.0.0/8;
>                         172.16.0.0/16;
>                         192.168.0.0/16;
>                     }
>                 }
>                 then {
>                     count InternalCount;
>                     accept;
>                 }
>             }
>             term 2 {
>                 from {
>                     destination-address {
>                         1.2.3.0/25;
>                     }
>                 }
>                 then {
>                     count DMZCount;
>                     routing-instance DMZ;
>                 }
>             }
>             term 3 {
>                 then {
>                     count ProxyCount;
>                     routing-instance Firewall;
>                 }
>             }
>         }
>     }
> }
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
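As an added example (not part of the thread, and not Juniper's or Cisco's code), a small Python model of first-match evaluation over the Junos filter terms posted above: it reports which term a destination address hits and flags any term whose prefixes are entirely covered by earlier terms, the usual reason a later `routing-instance` term never fires. Term names, prefixes and actions are taken from the posted config; the check with a DMZ prefix inside 10.0.0.0/8 is a constructed case for illustration.

```python
# Added example: first-match model of the posted Junos filter-based forwarding
# terms. Junos evaluates terms top to bottom and stops at the first match;
# a packet matching no term hits the implicit discard at the end of the filter.
from ipaddress import ip_address, ip_network

# (term name, destination prefixes, action) in evaluation order, as posted.
# An empty prefix list models a term with no "from" clause (matches everything).
FILTER_TERMS = [
    ("term 1", ["10.0.0.0/8", "172.16.0.0/16", "192.168.0.0/16"], "accept (inet.0)"),
    ("term 2", ["1.2.3.0/25"], "routing-instance DMZ"),
    ("term 3", [], "routing-instance Firewall"),
]

def first_match(terms, dst):
    """Return (term name, action) for the first term whose prefixes contain dst."""
    addr = ip_address(dst)
    for name, prefixes, action in terms:
        if not prefixes or any(addr in ip_network(p) for p in prefixes):
            return name, action
    return None, "no match (implicit discard)"

def shadowed_terms(terms):
    """Names of terms that can never fire: every prefix is covered by an
    earlier term, or an earlier catch-all term precedes them."""
    seen, shadowed, catch_all = [], [], False
    for name, prefixes, _ in terms:
        nets = [ip_network(p) for p in prefixes]
        covered = bool(nets) and all(any(n.subnet_of(s) for s in seen) for n in nets)
        if catch_all or covered:
            shadowed.append(name)
        if not nets:
            catch_all = True
        seen.extend(nets)
    return shadowed

if __name__ == "__main__":
    for dst in ("1.2.3.3", "172.16.9.28", "198.51.100.7"):
        print(dst, "->", first_match(FILTER_TERMS, dst))
    print("shadowed (as posted):", shadowed_terms(FILTER_TERMS))
    # Constructed variant: a DMZ prefix that sits inside 10.0.0.0/8 would be
    # swallowed by term 1 and the DMZ instance would never be selected.
    variant = [FILTER_TERMS[0], ("term 2", ["10.20.30.0/25"], "routing-instance DMZ"), FILTER_TERMS[2]]
    print("shadowed (constructed variant):", shadowed_terms(variant))
```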

