[j-nsp] Question on SCU/DSU

Matjaž Straus Istenič juniper at arnes.si
Fri Aug 19 15:40:34 EDT 2011


Hi,

I've tried something similar -- FBF (firewall-based forwarding) based on SC (source-class). It does _not_ work in ingress/input firewall filter, but it _should_ at egress/output firewall filter. It is interesting to see that traffic destined to some particular interface X is redirected and forwarded to another interface Y by an output filter which is actually applied to interface X.

But ... *Unfortunately*, I found out that, at least in JUNOS 10.4R4.5, a Juniper router starts to drop internal sessions when firewall-based forwarding based on SCU is activated in the output filter:

       rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.x (Internal AS xxxx) changed state from Established to Idle (event Closed)
       rpd[1433]: bgp_recv: read from peer *.*.*.x (Internal AS xxxx) failed: Operation not permitted
       rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.y (Internal AS xxxx) changed state from Established to Idle (event Closed)
       rpd[1433]: bgp_recv: read from peer *.*.*.y (Internal AS xxxx) failed: Operation not permitted
       /kernel: jsr_sdrl_reinject:reinject failed 1
       /kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
       /kernel: jsr_sdrl_reinject:reinject failed 1
       /kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
       rpd[1433]: bgp_recv: read from peer *.*.*.z (Internal AS xxxx) failed: Operation not permitted
       rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.z (Internal AS xxxx) changed state from Established to Idle (event Closed)
       rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.w (Internal AS xxxx) changed state from Established to Idle (event Closed)
       rpd[1433]: bgp_recv: read from peer *.*.*.w (Internal AS xxxx) failed: Operation not permitted
       /kernel: jsr_sdrl_reinject:reinject failed 1
       /kernel: jsr_sdrl_recv_replication_ack: reinject error (1)

On the other hand, the similar thing works fine with IPv6 :-).

A case was opened with JTAC and they first claimed that the problems were due to a complex or wrong firewall filter configuration. We simplified the original filter to just two terms, like this:

+      term 1 {
+          from {
+              source-class [ ***SourceClass ***SourceClass ];
+          }
+          then {
+              routing-instance ForwardFrom...;
+          }
+      }
+      term 2 {
+          then accept;
+      }

...and the problem remained. Local BGP sessions and IGP (OSPF) went down and started flapping.


On 23.7.2011, at 23:20, cc loo wrote:

> Hey folks,
> 
> I have some problems understanding SCU/DSU so some clarification would help
> here!
> 
> I'm trying to do some policy-based-routing based on source prefixes.
> 
> So when a packet enters my router, I would like to tag it with a class
> (local, transit-customers, upstream). Then I would like to send it to another
> routing-instance (default route it to a proxy actually), based on the class
> tagged.
> 
> 
> I have some configs here
> 
> ### this is to tag packets to see what kind of customers
> policy-statement identify-prefixes {
>    term 1 {
>        from {
>            protocol [ ospf static direct local ];   ### my access customers
>        }
>        then {
>            destination-class dcu-ospf;
>            source-class scu-ospf;
>            accept;
>        }
>    }
>    term 2 {
>        from {
>            protocol bgp;
>            community [ 12345:1304 12345:1305 12345:1307 12345:1308 12345:1400 ];  ### my transit customers
>        }
>        then {
>            destination-class dcu-bgp;
>            source-class scu-bgp;
>            accept;
>        }
>    }
>    term 3 {
>        from protocol bgp;
>        then {
>            destination-class dcu-all-others;   ### anything else
>            source-class scu-all-others;
>            accept;
>        }
>    }
> }
> 
> 
> Now I read in the official docs that I have to enable an input and an output
> interface (access interface and upstream interface).
> But I don't quite understand the direction of the interface.
> 
> What I'm trying to find out is what class a packet belongs to when it enters
> the router. Based on that I'll inspect the packet's class to decide if I want
> to forward it to the proxy or not.
> Hope someone can shed some light on this, it's giving me heaps of headache.
> The more I read the more confusing it gets.


Regards,
	Matjaž

---
Matjaž Straus Istenič, Arnes
http://www.arnes.si

Tel: +386 1 4798-877
Fax: +386 1 4798-878
matjaz.straus at arnes.si
MS6745-RIPE
PGP 490F3B4F 2009-10-21
Fingerprint = 6172 7BF8 B0B7 1F09 47B3  AFA3 0946 1701 490F 3B4F
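As an added example, not from the thread or from Juniper: a small Python parser for the rpd and kernel syslog lines quoted in the message above. It pulls out the peers that left Established, the "bgp_recv ... failed" errors and the kernel reinject failures, and flags the combination so that an operator rolling out an SCU-based output filter can catch this kind of regression from monitoring rather than from customers. The regular expressions, the function names and the two-peer threshold are assumptions; the sample input is the thread's own masked log lines, embedded here as constructed test data.

```python
import re
from collections import Counter

# Sample input: the syslog lines pasted in the thread (peer addresses masked
# by the original poster), embedded here as constructed test data.
SAMPLE_LOG = """\
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.x (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.x (Internal AS xxxx) failed: Operation not permitted
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.y (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.y (Internal AS xxxx) failed: Operation not permitted
/kernel: jsr_sdrl_reinject:reinject failed 1
/kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
/kernel: jsr_sdrl_reinject:reinject failed 1
/kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
rpd[1433]: bgp_recv: read from peer *.*.*.z (Internal AS xxxx) failed: Operation not permitted
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.z (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer *.*.*.w (Internal AS xxxx) changed state from Established to Idle (event Closed)
rpd[1433]: bgp_recv: read from peer *.*.*.w (Internal AS xxxx) failed: Operation not permitted
/kernel: jsr_sdrl_reinject:reinject failed 1
/kernel: jsr_sdrl_recv_replication_ack: reinject error (1)
"""

# Patterns are assumptions derived from the quoted lines, not an official
# Junos log format specification.
STATE_RE = re.compile(
    r"RPD_BGP_NEIGHBOR_STATE_CHANGED: BGP peer (?P<peer>\S+) "
    r"\((?P<kind>Internal|External) AS (?P<asn>\S+)\) "
    r"changed state from (?P<old>\w+) to (?P<new>\w+) \(event (?P<event>[^)]+)\)"
)
RECV_RE = re.compile(r"bgp_recv: read from peer (?P<peer>\S+) .* failed: (?P<err>.+)$")
REINJECT_RE = re.compile(r"/kernel: jsr_sdrl_\w+:.*(?:failed|error)")


def analyse(log_text):
    """Summarise BGP session loss and kernel reinject failures in a log excerpt."""
    peers_down = {}          # peer -> details of the transition out of Established
    recv_errors = Counter()  # error string -> number of failed reads
    reinject_failures = 0

    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if m and m["old"] == "Established" and m["new"] != "Established":
            peers_down[m["peer"]] = {
                "kind": m["kind"],
                "asn": m["asn"],
                "new_state": m["new"],
                "event": m["event"],
            }
            continue
        m = RECV_RE.search(line)
        if m:
            recv_errors[m["err"]] += 1
            continue
        if REINJECT_RE.search(line):
            reinject_failures += 1

    return {
        "peers_down": peers_down,
        "recv_errors": dict(recv_errors),
        "reinject_failures": reinject_failures,
    }


def verdict(summary, min_peers=2):
    """Flag the pattern described in the thread: several internal peers dropped,
    reads failing with 'Operation not permitted', and kernel reinject errors
    all appearing together.  The threshold is an assumption for illustration."""
    internal = [p for p, d in summary["peers_down"].items() if d["kind"] == "Internal"]
    return (
        len(internal) >= min_peers
        and summary["recv_errors"].get("Operation not permitted", 0) > 0
        and summary["reinject_failures"] > 0
    )


if __name__ == "__main__":
    s = analyse(SAMPLE_LOG)
    print("peers down:", sorted(s["peers_down"]))
    print("failed reads:", s["recv_errors"])
    print("reinject failures:", s["reinject_failures"])
    print("matches thread pattern:", verdict(s))
```

In practice one would feed the script the messages logged in the minutes after a commit and raise an alert when `verdict()` is true, which gives a concrete trigger for rolling back the filter change while the JTAC case is open.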

