[j-nsp] Filter Based Forwarding with bgp import rib

Doan Nguyen doan_group at yahoo.com
Thu Mar 24 11:04:18 EDT 2011


Hi,

Are you basically trying to redirect traffic from the host and the internet to take a detour through the "access server" box not shown on the topo, which is strictly hanging off router A? All your FBF needs to happen on router A if you're to enforce traffic to take a detour to your local access server.


In this case I think you have the host-to-internet FBF on Router B vs. Router A. Even though the RI in B forces all traffic to 172.16.0.2, which is in router A, the traffic enters the RI and leaves it, arriving at Router A. When Router A gets the packet, the source/destination is still from 5.5.5.5 to 0/0, and it forwards that straight out to 1.1.1/x using inet.0. What you need is to move your FBF on B to A and have the firewall input on A's link to B. That way you can force the outbound traffic to take your access server vs. using inet.0.

-Doan
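
Doan's suggestion as an added Junos configuration sketch for RouterA (this is not configuration from either poster): the FBF filter goes on RouterA's interface toward RouterB, the forwarding instance defaults to the access server LAN, and a rib-group shares interface and iBGP routes into the instance table. The interface name ge-0/0/0 and the names FBF-TO-ACCESS, TO-ACCESS, FBF-RG and IBGP are assumed; addresses come from the thread.

```junos
## Added example, not the posters' configuration. RouterA only.
## Assumed: ge-0/0/0.0 is RouterA's interface toward RouterB (10.0.0.1/30).
## Addresses are taken from the thread.

## 1. Classify traffic arriving from RouterB: host subnet -> detour instance.
##    The trailing accept term matters: without it the filter's implicit
##    discard would drop every other packet arriving on this interface.
set firewall family inet filter FBF-TO-ACCESS term via-access-server from source-address 5.5.5.0/24
set firewall family inet filter FBF-TO-ACCESS term via-access-server then routing-instance TO-ACCESS
set firewall family inet filter FBF-TO-ACCESS term default then accept
set interfaces ge-0/0/0 unit 0 family inet filter input FBF-TO-ACCESS

## 2. Forwarding instance whose default route points at the access server LAN.
##    'resolve' allows the next hop to be reached through a non-direct route.
set routing-instances TO-ACCESS instance-type forwarding
set routing-instances TO-ACCESS routing-options static route 0.0.0.0/0 next-hop 172.16.0.2
set routing-instances TO-ACCESS routing-options static route 0.0.0.0/0 resolve

## 3. Share interface routes and iBGP routes into the instance table.
##    172.16.0.2 is directly connected on RouterA, so the interface-routes
##    rib-group is what makes it resolvable here; the BGP rib-group is the
##    "bgp import rib" from the subject and is what an instance whose next hop
##    is iBGP-learned (e.g. 10.0.0.6 for the return path) would need.
set routing-options rib-groups FBF-RG import-rib [ inet.0 TO-ACCESS.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RG
set protocols bgp group IBGP family inet unicast rib-group FBF-RG

## Verify after commit: TO-ACCESS.inet.0 should hold 0.0.0.0/0 via 172.16.0.2
## and a route covering 172.16.0.0/30, otherwise 'resolve' fails and the
## default stays hidden.
## > show route table TO-ACCESS.inet.0
## > show route forwarding-table table TO-ACCESS
```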



________________________________
From: Mohammad Salbad <salbad1981 at hotmail.com>
To: juniper-nsp at puck.nether.net
Sent: Thu, March 24, 2011 10:19:45 AM
Subject: [j-nsp] Filter Based Forwarding with bgp import rib

Hi All



I have the following setup

Internet  .1- - - - 1.1.1.0/30 - - - - .2 RouterA  .1 - - 10.0.0.0/30 - - .2
RouterB .5 - - 10.0.0.4/30 - - .6 routerC  .1 - - - -  5.5.5.5/24 Host

RouterA is connected to an access server and the access server has a LAN
(172.16.0.2/30) and WAN (172.16.1.2/30) interface.

RouterA has a default route from 1.1.1.1 and it is advertised to routerB
through ibgp

RouterA and routerB are running ibgp between themselves

Access Server LAN and WAN interface are advertised from routerA to routerB
through ibgp

Link between routerB and routerC (10.0.0.4/30) is advertised from routerB to
routerA through ibgp

5.5.5.0/24 is advertised from routerB to routerA through ibgp

RouterB has a static route to 5.5.5.0/24 pointing to routerC

RouterC has a default route pointing to RouterB (10.0.0.5)

Access server has a default route pointing to routerA (172.16.1.1/30)

Access server has a static route to 5.5.5.0/24 pointing to routerA
(172.16.0.1/30)

Requirement

Traffic from host 5.5.5.5 to the internet shall follow the following path

Host -> RouterC -> RouterB -> RouterA -> Access Server LAN -> Access Server WAN -> routerA -> Internet

Traffic from the internet to host 5.5.5.5 shall follow the following path

Internet -> routerA -> Access Server WAN -> Access Server LAN -> RouterA -> RouterB -> RouterC -> Host



What I’ve done so far to achieve the above requirements:

I’ve added a static route on routerA to reach 5.5.5.0/24 go to Access Server
LAN (172.16.0.2), this route will be more preferred than the ibgp route
advertised by routerB

I’ve applied a filter based forwarding on routerA interface that is facing
the Access Server LAN interface as following:

- Source: 0.0.0.0/0
- Destination: 5.5.5.0/24
- Next-Hop: 10.0.0.6 (RouterC) with the resolve option

Since 10.0.0.6 is known to routerA via ibgp I did an import for bgp routes
to the routing instance used in the FBF

I’ve also applied a filter based forwarding on routerB interface that is
facing routerC interface as following:

- Source: 5.5.5.0/24
- Destination: 0.0.0.0/0
- Next-Hop: 172.16.0.2 (Access Server LAN) with the resolve option

And Since 172.16.0.0/30 is known to routerB via ibgp I did an import for bgp
routes to the routing instance used in the FBF



The problem

Traffic from host 5.5.5.5 to the internet is following the below path:

Host -> RouterC -> RouterB -> RouterA -> Internet

I think this is because when the packet reaches routerA it does normal
routing lookup, and it is not aware of the next-hop



Traffic from the internet to host 5.5.5.5 is following the below path:

Internet -> routerA -> Access Server WAN -> Access Server LAN -> RouterA -> RouterB -> RouterC

Which is OK with me and it is as it should be



So finally my problem is with the traffic from the host to the internet, I
need to force it to go through the access server LAN.



Thank you

Mohammad Salbad

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
