[j-nsp] Filter based forwarding issue
Brendan Regan
brendan.bregan at gmail.com
Thu Sep 27 11:26:07 EDT 2012
Hi,
I have run into an issue with the following on a J2350 (JUNOS Software
Release [9.2R1.10] (Export edition) Enhanced Services).
Presently the client has the following address range, 192.168.4.0/24, which
as can be seen below is at the next-hop address of 212.111.105.238, which is
directly connected on ge-0/0/0.
Presently two routing instances are working without any issues, 4.0/26-source
and 4.64/26-source; however, when a 3rd routing instance, PDU1178,
is added it does not work.
I have tested the circuit 212.111.105.226 as the next-hop for the source
4.64/26-source and the circuit works.
This poses a problem as we will need to add more circuits in the future.
I cannot seem to find anything on the internet or on the Juniper site that
tells of any limitation on the J-series.
So I have posted the config below so if anyone sees an issue or an
alternative that would work then please let me know.
Thanks,
Brendan
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input next-hop-office-DMZservers;
                }
                address 212.111.105.237/29;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 212.111.105.225/29;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet fbf-group;
    }
    static {
        route 212.111.105.229/32 {
            next-hop 212.111.105.225;
            install;
        }
        route 212.111.105.227/32 {
            next-hop 212.111.105.225;
            install;
        }
        route 212.111.105.232/29 {
            next-hop 212.111.105.238;
            install;
        }
        route 212.111.101.0/27 {
            next-hop 212.111.105.238;
            install;
        }
        route 212.111.102.0/24 {
            next-hop 212.111.105.238;
            install;
        }
        route 192.168.4.0/24 {
            next-hop 212.111.105.238;
            install;
        }
        route 212.111.105.226/32 {
            next-hop 212.111.105.225;
            install;
        }
    }
    rib-groups {
        fbf-group {
            import-rib [ inet.0 4.0/26-source.inet.0 4.64/26-source.inet.0 PDU1178.inet.0 ];
        }
    }
}
firewall {
    filter next-hop-office-DMZservers {
        inactive: term allow-all-traffic {
            then accept;
        }
        term 1 {
            from {
                source-address {
                    192.168.4.0/26;
                    212.111.101.0/27;
                }
            }
            then {
                routing-instance 4.0/26-source;
            }
        }
        term 2 {
            from {
                source-address {
                    192.168.4.64/26;
                }
            }
            then {
                routing-instance 4.64/26-source;
            }
        }
        term telnet {
            from {
                source-address {
                    212.111.102.0/24;
                    192.168.4.0/24;
                }
                protocol tcp;
                port telnet;
            }
            then accept;
        }
        term ping {
            from {
                source-address {
                    212.111.102.0/24;
                    192.168.4.0/24;
                }
                protocol icmp;
            }
            then accept;
        }
        term snmp {
            from {
                source-address {
                    212.111.102.0/24;
                }
                protocol udp;
                port snmp;
            }
            then accept;
        }
        term http {
            from {
                source-address {
                    212.111.102.0/24;
                }
                protocol tcp;
                port http;
            }
            then accept;
        }
        term 3 {
            from {
                source-address {
                    192.168.4.128/26;
                }
            }
            then {
                routing-instance PDU1178;
            }
        }
        term accept-remaining-traffic {
            then {
                count remaining-traffic-counter;
                accept;
            }
        }
    }
}
routing-instances {
    4.0/26-source {
        instance-type forwarding;
        routing-options {
            static {
                route 151.193.141.0/24 next-hop 212.111.105.230;
            }
        }
    }
    4.64/26-source {
        instance-type forwarding;
        routing-options {
            static {
                route 151.193.141.0/24 next-hop 212.111.105.229;
            }
        }
    }
    PDU1178 {
        instance-type forwarding;
        routing-options {
            static {
                route 151.193.141.0/24 next-hop 212.111.105.226;
            }
        }
    }
}
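
Added example, not part of the original post: a small Python model of the posted filter next-hop-office-DMZservers that reports which term a packet hits and which earlier terms overlap a given term's source range. It assumes Junos first-match term evaluation with accept and routing-instance both ending evaluation, and it collapses "port" to a single value; the sample packets are constructed.

```python
from ipaddress import ip_address, ip_network

# Active terms of next-hop-office-DMZservers, in the order posted.
# Fields: name, source prefixes, protocol, port, action. Modelling assumption:
# "port" is one value standing for either the source or destination port.
ANY = ["0.0.0.0/0"]
TERMS = [
    ("1", ["192.168.4.0/26", "212.111.101.0/27"], None, None, "routing-instance 4.0/26-source"),
    ("2", ["192.168.4.64/26"], None, None, "routing-instance 4.64/26-source"),
    ("telnet", ["212.111.102.0/24", "192.168.4.0/24"], "tcp", 23, "accept"),
    ("ping", ["212.111.102.0/24", "192.168.4.0/24"], "icmp", None, "accept"),
    ("snmp", ["212.111.102.0/24"], "udp", 161, "accept"),
    ("http", ["212.111.102.0/24"], "tcp", 80, "accept"),
    ("3", ["192.168.4.128/26"], None, None, "routing-instance PDU1178"),
    ("accept-remaining-traffic", ANY, None, None, "accept"),
]

def first_match(src, proto, port=None):
    """Return (term, action) of the first term the packet matches."""
    addr = ip_address(src)
    for name, sources, t_proto, t_port, action in TERMS:
        if not any(addr in ip_network(n) for n in sources):
            continue
        if t_proto is not None and t_proto != proto:
            continue
        if t_port is not None and t_port != port:
            continue
        return name, action
    return None, "discard"  # implicit default when no term matches

def shadowed_by(target):
    """Names of earlier terms whose source prefixes overlap the target term's."""
    idx = [t[0] for t in TERMS].index(target)
    nets = [ip_network(n) for n in TERMS[idx][1]]
    return [t[0] for t in TERMS[:idx]
            if any(ip_network(s).overlaps(n) for s in t[1] for n in nets)]

if __name__ == "__main__":
    # Constructed sample packets, three of them sourced from 192.168.4.128/26.
    for pkt in [("192.168.4.130", "icmp"), ("192.168.4.130", "tcp", 23),
                ("192.168.4.130", "tcp", 443), ("192.168.4.70", "icmp")]:
        print(pkt, "->", first_match(*pkt))
    print("terms ahead of term 3 that overlap it:", shadowed_by("3"))
```

In this model ICMP and telnet from 192.168.4.128/26 are accepted by term ping and term telnet and never reach term 3, while ICMP from 192.168.4.64/26 is steered by term 2 because that term precedes them.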