[j-nsp] Filter Based Forwarding with bgp import rib
Doan Nguyen
doan_group at yahoo.com
Thu Mar 24 11:04:18 EDT 2011
Hi,

Are you basically trying to redirect traffic from host and internet to take a detour box "access server" not shown on the topo, that is strictly hanging off from router A? All your FBF needs to happen on router A if you're to enforce traffic to take a detour to your local access server.

In this case I think you have the host to internet FBF on Router B vs. Router A. Even though the RI in B forces all traffic to 172.16.0.2 which is in router A, the traffic enters the RI and leaves it arriving at Router A. When Router A gets the packet then the source/destination is still from 5.5.5.5 to 0/0 and forwards that straight out to 1.1.1/x using inet.0. What you need is to move your FBF on B to A and have the firewall input on A's link to B. That way you can force the outbound traffic to take your access server vs. using inet.0.

-Doan
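The layout Doan describes, with both filter-based forwarding steps on RouterA, written out as a Junos configuration. This is an added example, not configuration posted by either participant. The interface names (ge-0/0/1 towards RouterB, ge-0/0/2 towards the access server LAN), the iBGP group name "ibgp", and the filter, routing-instance and rib-group names are assumptions; the addresses are the ones from the thread. The rib-group is what lets each forwarding instance resolve its next hop: the direct route for 172.16.0.0/30 is needed by the instance that points at the access server LAN, and the iBGP-learned 10.0.0.4/30 (plus the direct route to RouterB that it resolves over) is needed by the instance that points back at RouterC.

```junos
/* Added example, not from the thread. Assumed interface names:
 *   ge-0/0/1 = RouterA to RouterB            (10.0.0.1/30)
 *   ge-0/0/2 = RouterA to access server LAN  (172.16.0.1/30)
 * Assumed iBGP group name: ibgp */
interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                filter {
                    input host-to-internet;   /* packets from RouterB: host -> internet */
                }
                address 10.0.0.1/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input lan-to-host;        /* packets coming back from the access server LAN */
                }
                address 172.16.0.1/30;
            }
        }
    }
}
firewall {
    family inet {
        filter host-to-internet {
            term detour {
                from {
                    source-address {
                        5.5.5.0/24;
                    }
                }
                then {
                    routing-instance via-access-lan;
                }
            }
            term everything-else {
                then accept;              /* normal inet.0 lookup */
            }
        }
        filter lan-to-host {
            term detour {
                from {
                    destination-address {
                        5.5.5.0/24;
                    }
                }
                then {
                    routing-instance via-routerc;
                }
            }
            term everything-else {
                then accept;
            }
        }
    }
}
routing-instances {
    via-access-lan {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.16.0.2;   /* access server LAN, directly connected */
            }
        }
    }
    via-routerc {
        instance-type forwarding;
        routing-options {
            static {
                route 5.5.5.0/24 {
                    next-hop 10.0.0.6;   /* RouterC; 10.0.0.4/30 is learned via iBGP */
                    resolve;
                }
            }
        }
    }
}
routing-options {
    rib-groups {
        fbf-ribs {
            import-rib [ inet.0 via-access-lan.inet.0 via-routerc.inet.0 ];
        }
    }
    interface-routes {
        rib-group inet fbf-ribs;   /* direct routes (172.16.0.0/30, 10.0.0.0/30) into both instances */
    }
}
protocols {
    bgp {
        group ibgp {
            family inet {
                unicast {
                    rib-group fbf-ribs;   /* iBGP routes (10.0.0.4/30, 5.5.5.0/24) into both instances */
                }
            }
        }
    }
}
```

With this, a packet from 5.5.5.5 arriving on ge-0/0/1 is looked up in via-access-lan.inet.0 and handed to 172.16.0.2 instead of following the inet.0 default towards 1.1.1.1; the access server's own default route brings it back to RouterA on the WAN-side link, where no filter applies and the ordinary inet.0 lookup sends it to the internet. The static route in via-routerc needs `resolve` because 10.0.0.6 is not on a directly connected subnet, and it needs the rib-group import because a forwarding instance otherwise has no route to resolve against. `show route table via-access-lan.inet.0` and `show route table via-routerc.inet.0` should both show the next hops as active before the filters are applied.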
________________________________
From:Mohammad Salbad <salbad1981 at hotmail.com>
To: juniper-nsp at puck.nether.net
Sent: Thu, March 24, 2011 10:19:45 AM
Subject: [j-nsp] Filter Based Forwarding with bgp import rib
Hi All

I have the following setup:

Internet .1 ---- 1.1.1.0/30 ---- .2 RouterA .1 -- 10.0.0.0/30 -- .2 RouterB .5 -- 10.0.0.4/30 -- .6 RouterC .1 ---- 5.5.5.5/24 Host

RouterA is connected to an access server and the access server has a LAN (172.16.0.2/30) and WAN (172.16.1.2/30) interface.

- RouterA has a default route from 1.1.1.1 and it is advertised to routerB through ibgp
- RouterA and routerB are running ibgp between themselves
- Access Server LAN and WAN interface are advertised from routerA to routerB through ibgp
- Link between routerB and routerC (10.0.0.4/30) is advertised from routerB to routerA through ibgp
- 5.5.5.0/24 is advertised from routerB to routerA through ibgp
- RouterB has a static route to 5.5.5.0/24 pointing to routerC
- RouterC has a default route pointing to RouterB (10.0.0.5)
- Access server has a default route pointing to routerA (172.16.1.1/30)
- Access server has a static route to 5.5.5.0/24 pointing to routerA (172.16.0.1/30)
Requirement

Traffic from host 5.5.5.5 to the internet shall follow the following path:

Host -> RouterC -> RouterB -> RouterA -> Access Server LAN -> Access Server WAN -> RouterA -> Internet

Traffic from the internet to host 5.5.5.5 shall follow the following path:

Internet -> RouterA -> Access Server WAN -> Access Server LAN -> RouterA -> RouterB -> RouterC -> Host
What I’ve done so far to achieve the above requirements:

I’ve added a static route on routerA to reach 5.5.5.0/24 via the Access Server LAN (172.16.0.2); this route will be more preferred than the ibgp route advertised by routerB.

I’ve applied a filter based forwarding on the routerA interface that is facing the Access Server LAN interface as follows:

- Source: 0.0.0.0/0
- Destination: 5.5.5.0/24
- Next-Hop: 10.0.0.6 (RouterC) with the resolve option

Since 10.0.0.6 is known to routerA via ibgp I did an import for bgp routes to the routing instance used in the FBF.

I’ve also applied a filter based forwarding on the routerB interface that is facing the routerC interface as follows:

- Source: 5.5.5.0/24
- Destination: 0.0.0.0/0
- Next-Hop: 172.16.0.2 (Access Server LAN) with the resolve option

And since 172.16.0.0/30 is known to routerB via ibgp I did an import for bgp routes to the routing instance used in the FBF.
The problem

Traffic from host 5.5.5.5 to the internet is following the below path:

Host -> RouterC -> RouterB -> RouterA -> Internet

I think this is because when the packet reaches routerA it does a normal routing lookup, and it is not aware of the next-hop.

Traffic from the internet to host 5.5.5.5 is following the below path:

Internet -> RouterA -> Access Server WAN -> Access Server LAN -> RouterA -> RouterB -> RouterC

which is OK with me and it is as it should be.

So finally my problem is with the traffic from the host to the internet; I need to force it to go through the access server LAN.
Thank you
Mohammad Salbad
_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp