[j-nsp] Filter Based Forwarding with bgp import rib

Justin M. Streiner streiner at cluebyfour.org
Thu Mar 24 07:35:01 EDT 2011


On Thu, 24 Mar 2011, Doan Nguyen wrote:

> Are you basically trying to redirect traffic from host and internet to take a
> detour box "access server" not shown on the topo, that is strictly hanging off
> from router A?  All your FBF needs to happen on router A if you're to enforce
> traffic to take a detour to your local access server.
>
> In this case I think you have the host to internet FBF on Router B vs. Router
> A.  Even though the RI in B forces all traffic to 172.16.0.2 which is in Router
> A, the traffic enters the RI and leaves it arriving at Router A.  When Router A
> gets the packet then the source/destination is still from 5.5.5.5 to 0/0 and
> forwards that straight out to 1.1.1/x using inet.0.  What you need is to move
> your FBF on B to A and have the firewall input on A's link to B.  That way you
> can force the outbound traffic to take your access server vs. using inet.0.

I've been hunting around for a solution to a similar issue - essentially 
a modified approach to RTBH.  I'd like to be able to redirect or 
optionally port-mirror inbound and outbound traffic to another interface 
on my border router, and the trigger for determining what traffic would be 
affected would be a BGP feed from a route server, and the actions to be 
taken (discard, redirect to another interface, port-mirror to another 
interface) by the border routers could be dictated by BGP community tags.

The issues I've run into with this have been that I couldn't find a way to 
get a Junos firewall filter to see and react to BGP routes and their 
associated community tags.

jms
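As an added illustration of the placement Doan describes (the FBF filter on Router A, applied as an input filter on A's link toward Router B, steering the host's traffic into a forwarding instance whose default route points at the access server), here is a Junos configuration skeleton; it is not from the thread. The interface name ge-0/0/0, the /30 mask and the access server next-hop 192.0.2.2 are assumptions, and the filter is still a static match on the host address, so it does not answer Justin's question about triggering the action from BGP communities.

```junos
interfaces {
    ge-0/0/0 {                                   /* assumed: link from Router B */
        unit 0 {
            family inet {
                filter {
                    input fbf-to-access-server;  /* ingress from B, where the redirect must happen */
                }
                address 172.16.0.2/30;           /* A's address from the thread; mask assumed */
            }
        }
    }
}
firewall {
    family inet {
        filter fbf-to-access-server {
            term from-host {
                from {
                    source-address {
                        5.5.5.5/32;              /* the host from the thread */
                    }
                }
                then routing-instance access-server-ri;
            }
            term default {
                then accept;                     /* everything else keeps using inet.0 */
            }
        }
    }
}
routing-instances {
    access-server-ri {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.0.2.2;  /* assumed: access server address */
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet fbf-rib-group;            /* share interface routes so the next-hop resolves */
    }
    rib-groups {
        fbf-rib-group {
            import-rib [ inet.0 access-server-ri.inet.0 ];
        }
    }
}
```

After committing, `show route table access-server-ri.inet.0` should list both the copied interface routes and the 0.0.0.0/0 static; if the static is hidden, the next-hop is not on a directly connected subnet of Router A.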
