[j-nsp] Filter based forwarding issue

Brendan Regan brendan.bregan at gmail.com
Thu Sep 27 11:26:07 EDT 2012


Hi,

I have run into an issue with the following on a J2350 (JUNOS Software
Release [9.2R1.10] (Export edition) Enhanced Services).

Presently the client has the address range 192.168.4.0/24, which, as can be
seen below, is reached via the next-hop address 212.111.105.238, which is
directly connected on ge-0/0/0.

At present two routing instances are working without any issues
(4.0/26-source and 4.64/26-source); however, when a 3rd routing instance,
PDU1178, is added, it does not work.

I have tested the circuit 212.111.105.226 as the next-hop for the source
4.64/26-source and the circuit works.

This poses a problem as we will need to add more circuits in the future.

I cannot seem to find anything on the internet or on the Juniper site that
describes any such limitation on the J-series.

So I have posted the config below so if anyone sees an issue or an
alternative that would work then please let me know.

Thanks,
Brendan

/* Interface addressing. ge-0/0/0 is the only unit with an input filter; that filter selects the forwarding instance per source prefix. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                /* Every IPv4 packet arriving on this unit is evaluated by this filter, so the order of its terms decides which instance (if any) forwards the packet. */
                filter {
                    input next-hop-office-DMZservers;
                }
                address 212.111.105.237/29;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                /* No filter is configured on this unit in the posted config. The instance next-hops .226, .229 and .230 fall inside this /29. */
                address 212.111.105.225/29;
            }
        }
    }
}
/* Main-instance routing: interface routes are shared with the forwarding instances through rib-group fbf-group, and static routes are installed in inet.0. */
routing-options {
    /* Interface routes are copied into every RIB listed in fbf-group; the forwarding instances presumably rely on this to resolve their static next-hops. */
    interface-routes {
        rib-group inet fbf-group;
    }
    static {
        /* NOTE(review): the three /32 routes for .229, .227 and .226 use next-hop 212.111.105.225, which is this router's own ge-0/0/1 address - confirm that is intended. */
        route 212.111.105.229/32 {
            next-hop 212.111.105.225;
            install;
        }
        route 212.111.105.227/32 {
            next-hop 212.111.105.225;
            install;
        }
        /* The remaining routes point at 212.111.105.238, on the ge-0/0/0 subnet. */
        route 212.111.105.232/29 {
            next-hop 212.111.105.238;
            install;
        }
        route 212.111.101.0/27 {
            next-hop 212.111.105.238;
            install;
        }
        route 212.111.102.0/24 {
            next-hop 212.111.105.238;
            install;
        }
        route 192.168.4.0/24 {
            next-hop 212.111.105.238;
            install;
        }
        route 212.111.105.226/32 {
            next-hop 212.111.105.225;
            install;
        }
    }
    rib-groups {
        fbf-group {
            /* inet.0 is listed first; all three forwarding-instance RIBs, including PDU1178.inet.0, are in the import list. The line break below looks like mail-client wrapping of a single statement. */
            import-rib [ inet.0 4.0/26-source.inet.0 4.64/26-source.inet.0
PDU1178.inet.0 ];
        }
    }
}
/*
 * Input filter for ge-0/0/0. Terms are evaluated top to bottom and the first
 * term that matches with a terminating action (accept, routing-instance) ends
 * evaluation. The filter steers traffic; it is not an access-control list,
 * because the final term accepts everything that was not matched earlier.
 */
firewall {
    filter next-hop-office-DMZservers {
        /* Inactive, so currently ignored. If activated it would accept all traffic before any steering term is reached. */
        inactive: term allow-all-traffic {
            then accept;
        }
        /* Sources 192.168.4.0/26 and 212.111.101.0/27 are forwarded using instance 4.0/26-source. */
        term 1 {
            from {
                source-address {
                    192.168.4.0/26;
                    212.111.101.0/27;
                }
            }
            then {
                routing-instance 4.0/26-source;
            }
        }
        /* Source 192.168.4.64/26 is forwarded using instance 4.64/26-source. */
        term 2 {
            from {
                source-address {
                    192.168.4.64/26;
                }
            }
            then {
                routing-instance 4.64/26-source;
            }
        }
        /* Accepts telnet from 212.111.102.0/24 and all of 192.168.4.0/24, which includes 192.168.4.128/26: telnet from that range stops here and never reaches term 3. Telnet is cleartext and no destination is restricted. */
        term telnet {
            from {
                source-address {
                    212.111.102.0/24;
                    192.168.4.0/24;
                }
                protocol tcp;
                port telnet;
            }
            then accept;
        }
        /* Accepts ICMP from the same two ranges, so a ping sourced from 192.168.4.128/26 is accepted here and is not steered by term 3. NOTE(review): if the PDU1178 test was done with ping, this ordering would explain the symptom - confirm. The first prefix below has no trailing ';', presumably lost in the paste. */
        term ping {
            from {
                source-address {
                    212.111.102.0/24
                    192.168.4.0/24;

                }
                protocol icmp;
            }
            then accept;
        }
        /* Accepts SNMP (UDP) from 212.111.102.0/24 to any destination. The prefix has no trailing ';', presumably lost in the paste. */
        term snmp {
            from {
                source-address {
                    212.111.102.0/24
                }
                protocol udp;
                port snmp;
            }
            then accept;
        }
        /* Accepts HTTP from 212.111.102.0/24 to any destination. The prefix has no trailing ';', presumably lost in the paste. */
        term http {
            from {
                source-address {
                    212.111.102.0/24
                }
                protocol tcp;
                port http;
            }
            then accept;
        }
        /* Steers 192.168.4.128/26 into PDU1178. Unlike terms 1 and 2, this term sits after the telnet and ping accept terms, so only traffic they did not match gets here. */
        term 3 {
            from {
                source-address {
                    192.168.4.128/26;
                }
            }
            then {
                routing-instance PDU1178;
            }
        }
        /* Catch-all: counts and accepts whatever is left, which is then forwarded without instance steering. */
        term accept-remaining-traffic {
            then {
                count remaining-traffic-counter;
                accept;
            }
        }
    }
}
/* Three forwarding instances, each holding one static route to 151.193.141.0/24 through a different next-hop on the ge-0/0/1 subnet. No other route is configured inside any instance; the closing brace of this stanza is missing from the post. */
routing-instances {
    /* Selected by filter term 1. */
    4.0/26-source {
        instance-type forwarding;
        routing-options {
            static {
                route 151.193.141.0/24 next-hop 212.111.105.230;
            }
        }
    }
    /* Selected by filter term 2. */
    4.64/26-source {
        instance-type forwarding;
        routing-options {
            static {
                route 151.193.141.0/24 next-hop 212.111.105.229;
            }
        }
    }
    /* Selected by filter term 3; this is the instance reported as not working. */
    PDU1178 {
        instance-type forwarding;
        routing-options {
            static {
                route 151.193.141.0/24 next-hop 212.111.105.226;
            }
        }
    }

