[j-nsp] Filter based forwarding issue

Jonathan Looney jonlooney at gmail.com
Sat Sep 29 10:37:17 EDT 2012


It appears "term 3" is far below "term 1" and "term 2". It appears ping and
Telnet traffic from 192.168.4.128/26 would match terms "ping" and "telnet";
therefore, they will never hit "term 3" and not use filter-based forwarding.

Does this explain the behavior you are seeing?

If so, I believe the configuration-mode command "insert firewall filter
next-hop-office-DMZservers term 3 after term 2" will solve this problem.

-Jon

On Thu, Sep 27, 2012 at 11:26 AM, Brendan Regan <brendan.bregan at gmail.com>wrote:

>
> firewall {
>     filter next-hop-office-DMZservers {
>         inactive: term allow-all-traffic {
>             then accept;
>         }
>         term 1 {
>             from {
>                 source-address {
>                     192.168.4.0/26;
>                     212.111.101.0/27;
>                 }
>             }
>             then {
>                 routing-instance 4.0/26-source;
>             }
>         }
>         term 2 {
>             from {
>                 source-address {
>                     192.168.4.64/26;
>                 }
>             }
>             then {
>                 routing-instance 4.64/26-source;
>             }
>         }
>         term telnet {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                     192.168.4.0/24;
>                 }
>                 protocol tcp;
>                 port telnet;
>             }
>             then accept;
>         }
>         term ping {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                     192.168.4.0/24;
>                 }
>                 protocol icmp;
>             }
>             then accept;
>         }
>         term snmp {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                 }
>                 protocol udp;
>                 port snmp;
>             }
>             then accept;
>         }
>         term http {
>             from {
>                 source-address {
>                     212.111.102.0/24;
>                 }
>                 protocol tcp;
>                 port http;
>             }
>             then accept;
>         }
>         term 3 {
>             from {
>                 source-address {
>                     192.168.4.128/26;
>                 }
>             }
>             then {
>                 routing-instance PDU1178;
>             }
>         }
>         term accept-remaining-traffic {
>             then {
>                 count remaining-traffic-counter;
>                 accept;
>             }
>         }
>     }
> }
>
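The first-match behaviour Jon describes can be checked offline with the following simulator. It is an added example, not code from the thread or from Juniper: it models a Junos firewall filter as an ordered list of terms, evaluates a packet top to bottom, and reproduces the effect of the configuration-mode `insert ... term 3 after term 2` command. The term list mirrors the quoted filter; the packet model, the `Term`/`Packet` classes, the port numbers (telnet 23, snmp 161, http 80) and the sample packets are assumptions made for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of a Junos firewall filter (not Juniper code): terms are
# evaluated top to bottom and the first term whose "from" conditions all match
# decides the action. Later terms are never consulted for that packet.


@dataclass(frozen=True)
class Term:
    name: str
    source_prefixes: Tuple[str, ...] = ()   # empty tuple = any source address
    protocol: Optional[str] = None          # "tcp", "udp", "icmp" or None (any)
    port: Optional[int] = None              # Junos "port" matches source OR destination
    action: str = "accept"                  # "accept", "discard" or "routing-instance <name>"
    inactive: bool = False                  # "inactive: term ..." is skipped entirely


@dataclass(frozen=True)
class Packet:                               # hypothetical minimal packet model
    src: str
    protocol: str
    sport: int = 0
    dport: int = 0


def term_matches(term: Term, pkt: Packet) -> bool:
    """Return True when every configured 'from' condition of the term matches."""
    if term.inactive:
        return False
    if term.source_prefixes:
        src = ipaddress.ip_address(pkt.src)
        if not any(src in ipaddress.ip_network(p) for p in term.source_prefixes):
            return False
    if term.protocol is not None and term.protocol != pkt.protocol:
        return False
    if term.port is not None and term.port not in (pkt.sport, pkt.dport):
        return False
    return True


def evaluate(terms: List[Term], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation; Junos discards when no term matches."""
    for term in terms:
        if term_matches(term, pkt):
            return term.name, term.action
    return "implicit", "discard"


def insert_term_after(terms: List[Term], name: str, after: str) -> List[Term]:
    """Mimic 'insert firewall filter <f> term <name> after term <after>'."""
    moving = next(t for t in terms if t.name == name)
    rest = [t for t in terms if t.name != name]
    idx = next(i for i, t in enumerate(rest) if t.name == after)
    return rest[:idx + 1] + [moving] + rest[idx + 1:]


# Term order as posted in the thread (port numbers are assumed service values).
FILTER_AS_POSTED: List[Term] = [
    Term("allow-all-traffic", action="accept", inactive=True),
    Term("1", ("192.168.4.0/26", "212.111.101.0/27"), action="routing-instance 4.0/26-source"),
    Term("2", ("192.168.4.64/26",), action="routing-instance 4.64/26-source"),
    Term("telnet", ("212.111.102.0/24", "192.168.4.0/24"), protocol="tcp", port=23),
    Term("ping", ("212.111.102.0/24", "192.168.4.0/24"), protocol="icmp"),
    Term("snmp", ("212.111.102.0/24",), protocol="udp", port=161),
    Term("http", ("212.111.102.0/24",), protocol="tcp", port=80),
    Term("3", ("192.168.4.128/26",), action="routing-instance PDU1178"),
    Term("accept-remaining-traffic", action="accept"),
]

# Constructed sample packets from the 192.168.4.128/26 range that should be
# forwarded via routing instance PDU1178.
ICMP_FROM_DMZ = Packet(src="192.168.4.130", protocol="icmp")
SSH_FROM_DMZ = Packet(src="192.168.4.130", protocol="tcp", sport=50000, dport=22)


def compare_orders(pkt: Packet) -> Tuple[Tuple[str, str], Tuple[str, str]]:
    """Result for a packet with the posted order and after moving term 3 up."""
    fixed = insert_term_after(FILTER_AS_POSTED, "3", "2")
    return evaluate(FILTER_AS_POSTED, pkt), evaluate(fixed, pkt)


if __name__ == "__main__":
    for pkt in (ICMP_FROM_DMZ, SSH_FROM_DMZ):
        before, after = compare_orders(pkt)
        print(f"{pkt.protocol:4s} from {pkt.src}: posted order -> {before}, after insert -> {after}")
```

Running it shows that ICMP from 192.168.4.130 hits "ping" with the posted order and "3" once term 3 sits after term 2, while a TCP/22 packet from the same host reaches term 3 either way because no earlier accept term covers it. When diagnosing filter-based forwarding on a real box, the equivalent check is to add `count` actions to the accept terms and watch the counters with `show firewall filter <name>`.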

