[j-nsp] FBF with st interfaces on SRX3400

Dennis Hagens root at ipaddr.nl
Wed Dec 19 06:18:43 EST 2012


Hi,

I'm running into a design problem for FBF with a Riverbed Steelhead. Our requirement is to send __part__ of our VPN traffic through a Riverbed appliance for acceleration.
The complicating factors here are a multi-tunnel VPN connection between 2 sites, running OSPF over the tunnel interfaces. Also, since we will process a lot more VPN traffic than the Riverbed can handle (1G+ whilst the Riverbed only has 1G interfaces), we cannot put the Riverbed physically in-line.

I have been able to separate the traffic with firewall filters and as such I can apply an action like send to a different routing instance. I cannot however apply this to a tunnel (st) interface in this firewall, running Junos 12.1R2.9.

Currently I'm considering setting up 3 (Riverbed+VPN+inet.0) routing instances and running OSPF between 2 of them over a logical tunnel and using 1 of them purely for connectivity to the Riverbed (see http://postimage.org/image/tsxjq5gjv/ ).
That way I can apply the FBF filters on the lt and physical interfaces and redirect traffic to the Riverbed instance, with a default to the Riverbed. The Riverbed would have a default back to the physical interface, where I could apply FBF again and push all traffic back to inet.0 again.
The Riverbed would run in virtual in-path mode.

Besides the fact that in my initial setup OSPF wasn't working over the lt interfaces, I don't like the complexity of this. If I were able to attach filters to the tunnel interfaces, I think I could set this up somewhat more simply.

Does anyone have a suggestion or experience with a similar setup?

Kind regards,

Dennis Hagens

