[j-nsp] Filter Based Forwarding with bgp import rib
Justin M. Streiner
streiner at cluebyfour.org
Thu Mar 24 07:35:01 EDT 2011
On Thu, 24 Mar 2011, Doan Nguyen wrote:
> are you basically trying to redirect traffic from host and internet to take a
> detour box "access server" not shown on the topo, that is strictly hanging off
> from
> router A? All your FBF needs to happen on router A if you're to enforce traffic
> to take a detour to your local access server.
>
>
> In this case I think you have the host to internet FBF on Router B vs. Router
> A. Even thought the RI in B forces all traffic to 172.16.0.2 which is in router
> a,
> the traffic enters the RI and leaves it arriving at Router A. When Router A
> gets the packet then the source/destination is still from 5.5.5.5 to 0/0 and
> forwards
> that straight out to 1.1.1/x using inet.0. What you need is to move
> your FBF on B to A and have the firewall input on A's link to B. That
> way you can force the
> outbound
> traffic to take your access server vs. using inet.0.
I've been hunting around for a solution to a similar issue - essentially
a modified approach to RTBH. I'd like to be able to redirect or
optionally port-mirror inbound and outbound traffic to another interface
on my border router, and the trigger for determining what traffic would be
affected would be a BGP feed from a route server, and the actions to be
taken (discard, redirect to another interface, port-mirror to another
interface) by the border routers could be dictated by BGP community tags.
The issues I've run into with this have been that I couldn't find a way to
get a Junos firewall filter to see and react to BGP routes and their
associated community tags.
jms
More information about the juniper-nsp
mailing list