[j-nsp] Question on SCU/DSU
Matjaž Straus Istenič
juniper at arnes.si
Fri Aug 19 15:40:34 EDT 2011
Hi,
I've tried something similar -- FBF (firewall-based forwarding) based on SC (source-class). It does _not_ work in ingress/input firewall filter, but it _should_ at egress/output firewall filter. It is interesting to see that traffic destined to some particular interface X is redirected and forwarded to another interface Y by an output filter which is actually applied to interface X.
But ... *Unfortunately*, I found out that, at least in JUNOS 10.4R4.5, a Juniper router starts to drop internal sessions when firewall-based forwarding based on SCU is being activated in the output filter:
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.x (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.x (Internal AS xxxx) failed: Operation not permitted
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.y (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.y (Internal AS xxxx) failed: Operation not permitted
/kernel: jsr_sdrl_reinject:reinject failed 1
/kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
/kernel: jsr_sdrl_reinject:reinject failed 1
/kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
rpd[1433]: bgp_recv: read from peer *.*.*.z (Internal AS xxxx) failed: Operation not permitted
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.z (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.w (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.w (Internal AS xxxx) failed: Operation not permitted
/kernel: jsr_sdrl_reinject:reinject failed 1
/kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
On the other hand, a similar setup works fine with IPv6 :-).
A case was opened with JTAC and they first claimed that the problem was due to a complex or wrong firewall filter configuration. We simplified the original filter to just two terms, like this:
+ term 1 {
+     from {
+         source-class [ ***SourceClass ***SourceClass ];
+     }
+     then {
+         routing-instance ForwardFrom...;
+     }
+ }
+ term 2 {
+     then accept;
+ }
...and the problem remained. Local BGP sessions and IGP (OSPF) went down and flapped.
On 23.7.2011, at 23:20, cc loo wrote:
> Hey folks,
>
> I have some problems understanding SCU/DSU so some clarification would help here!
>
> I'm trying to do some policy-based routing based on source prefixes.
>
> So when a packet enters my router, I would like to tag it with a class
> (local, transit-customers, upstream). Then I would like to send it to another
> routing-instance (default-route it to a proxy, actually), based on the class
> tagged.
>
>
> I have some configs here
>
> ### this is to tag packets to see what kind of customers
> policy-statement identify-prefixes {
>     term 1 {
>         from {
>             protocol [ ospf static direct local ]; ### my access customers
>         }
>         then {
>             destination-class dcu-ospf;
>             source-class scu-ospf;
>             accept;
>         }
>     }
>     term 2 {
>         from {
>             protocol bgp;
>             community [ 12345:1304 12345:1305 12345:1307 12345:1308 12345:1400 ]; ### my transit customers
>         }
>         then {
>             destination-class dcu-bgp;
>             source-class scu-bgp;
>             accept;
>         }
>     }
>     term 3 {
>         from protocol bgp;
>         then {
>             destination-class dcu-all-others; ### anything else
>             source-class scu-all-others;
>             accept;
>         }
>     }
> }
>
>
> Now I read in the official docs that I have to enable an input and an output
> interface (access interface and upstream interface).
> But I don't quite understand the direction of the interface.
>
> What I'm trying to find out is what class a packet belongs to when it enters
> the router. Based on that I'll inspect the packet's class to decide if I want
> to forward it to the proxy or not.
> Hope someone can shed some light on this, it's giving me heaps of headache.
> The more I read the more confusing it gets.
Regards,
Matjaž
---
Matjaž Straus Istenič, Arnes
http://www.arnes.si
Tel: +386 1 4798-877
Fax: +386 1 4798-878
matjaz.straus at arnes.si
MS6745-RIPE
PGP 490F3B4F 2009-10-21
Fingerprint = 6172 7BF8 B0B7 1F09 47B3 AFA3 0946 1701 490F 3B4F
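As an added example (my own code, not from the post or from Juniper): a small Python checker that parses rpd and kernel lines like the ones quoted above and flags the pattern this message describes, several Internal BGP peers leaving Established with "Operation not permitted" reads plus kernel reinject errors. The log sample is copied from the post; the thresholds in the heuristic are my assumption.

```python
import re
from collections import Counter, defaultdict

# Syslog excerpt copied from the post above (peer addresses masked as on the list).
SAMPLE_LOG = """\
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.x (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.x (Internal AS xxxx) failed: Operation not permitted
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.y (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.y (Internal AS xxxx) failed: Operation not permitted
/kernel: jsr_sdrl_reinject:reinject failed 1
/kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
"""

STATE_RE = re.compile(r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (\S+) \((\w+) AS \S+\) changed state from (\w+) to (\w+)")
RECV_RE = re.compile(r"bgp_recv: read from peer (\S+) \(.*?\) failed: (.+)$")
REINJECT_RE = re.compile(r"/kernel: jsr_sdrl_\w+: ?reinject")   # both kernel variants seen in the post

def analyse(log_text):
    """Per (peer, scope) count of sessions leaving Established, bgp_recv failure
    reasons per peer, and the number of kernel reinject errors."""
    drops, recv_fail, reinject = Counter(), defaultdict(set), 0
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m:
            peer, scope, old, new = m.groups()
            if old == "Established" and new != "Established":
                drops[(peer, scope)] += 1
            continue
        m = RECV_RE.search(line)
        if m:
            recv_fail[m.group(1)].add(m.group(2).strip())
        elif REINJECT_RE.search(line):
            reinject += 1
    return {"drops": dict(drops),
            "recv_fail": {p: sorted(r) for p, r in recv_fail.items()},
            "reinject_errors": reinject}

def internal_peers_down(report):
    """Internal (iBGP) peers whose session left Established."""
    return sorted(peer for (peer, scope) in report["drops"] if scope == "Internal")

def looks_like_local_filter_problem(report, min_peers=2):
    """Heuristic (my assumption, not a Juniper rule): several iBGP peers dropping
    together, every read failing with EPERM and kernel reinject errors point at a
    local filter/FBF change, as in the post, rather than at a link or peer fault."""
    reasons = [r for rs in report["recv_fail"].values() for r in rs]
    eperm = bool(reasons) and all("Operation not permitted" in r for r in reasons)
    return (len(internal_peers_down(report)) >= min_peers
            and eperm and report["reinject_errors"] > 0)
```

Feed it the output of `show log messages` after a filter commit; a True result is a hint to roll back and look at the filter before chasing the peers.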