[j-nsp] Mx Policy routing problem

Cahit Eyigünlü cahit.eyigunlu at spd.net.tr
Mon Nov 23 06:07:20 EST 2015


Actually we want to build something like this:


————— ISP ——>———— (AE0)      MX80     (Xe-0/0/3)     ——>——        Ex4500

                    (Xe-0/0/1)     (Xe-0/0/2)
                         |              |
                         |              |
                    (Xe-0/0/1)          |
                         |              |
                     SRX 3600 ——— <—— UDP FW
                         |
                   (ae1  4x1Gbit)
                         |
                         |
               Returns MX80 with 4x1G


We have put the policy on the inbound side of AE0 because we want to redirect only the IP addresses that need to be firewalled and the download traffic from the ISP side.
When we try next-ip instead of routing-instance, it hits the firewall and the system works, but this time it drops a lot of packets :)
I cannot decide where the problem is.

On 23/11/15 12:27, "Dave Bell" <me at geordish.org> wrote:

>Hi Cahit,
>
>> root at mx80-core# show interfaces ae0
>> aggregated-ether-options {
>>  minimum-links 1;
>>  lacp {
>>  active;
>>  periodic fast;
>>  }
>> }
>> unit 0 {
>>  family inet {
>>  filter {
>>  input FWDirect;
>>  }
>>  address 10.32.35.14/30;
>>  }
>> }
>
>> Request timeout for icmp_seq 14714
>> 36 bytes from 10.32.35.14: Destination Net Unreachable
>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>>  4  5  00 5400 938d   0 0000  38  01 d3ad 192.168.2.102  185.9.159.86
>
>This looks like you are sourcing your traffic from the address on
>interface ae0? If this is the case, then it is not actually ingressing
>ae0, therefore the firewall won't be hit.
>
>Try testing from the thing connected to ae0 (if you can).
>
>Regards,
>Dave
>
>
>On 23 November 2015 at 10:08, Cahit Eyigünlü <cahit.eyigunlu at spd.net.tr> wrote:
>> Hello friends;
>>
>> We have an MX80 router which has a connection on ae0 to our ISP.
>>
>>
>>
>> root at mx80-core# show interfaces ae0
>> aggregated-ether-options {
>>  minimum-links 1;
>>  lacp {
>>  active;
>>  periodic fast;
>>  }
>> }
>> unit 0 {
>>  family inet {
>>  filter {
>>  input FWDirect;
>>  }
>>  address 10.32.35.14/30;
>>  }
>> }
>>
>>
>> [edit]
>> root at mx80-core# show firewall
>> filter FWDirect {
>>     term UDPFW {
>>         from {
>>             destination-address {
>>                 185.9.159.86/32;
>>             }
>>             protocol udp;
>>         }
>>         then {
>>             log;
>>             routing-instance UDP-Routes;
>>         }
>>     }
>>     term TCPFW {
>>         from {
>>             destination-address {
>>                 185.9.159.86/32;
>>             }
>>         }
>>         then {
>>             count TCPFWTR;
>>             log;
>>             routing-instance TCP-Routes;
>>         }
>>     }
>>     term Default {
>>         then accept;
>>     }
>> }
>>
>> [edit]
>> root at mx80-core# show routing-instances
>> Normal-Routes {
>>     instance-type virtual-router;
>> }
>> TCP-Routes {
>>     instance-type forwarding;
>>     routing-options {
>>         static {
>>             route 0.0.0.0/0 next-hop 37.123.100.122;
>>         }
>>     }
>> }
>> UDP-Routes {
>>     instance-type forwarding;
>>     routing-options {
>>         static {
>>             route 0.0.0.0/0 next-hop 37.123.100.98;
>>         }
>>     }
>> }
>>
>> [edit]
>> root at mx80-core# show protocols ospf
>> rib-group SPD-Route;
>> area 0.0.0.0 {
>>     interface all;
>>     interface ae0.0 {
>>         disable;
>>     }
>> }
>>
>> [edit]
>>
>> root at mx80-core# show routing-options rib-groups
>> SPD-Route {
>>     import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
>> }
>>
>> [edit]
>> root at mx80-core#
>>
>>
>>
>> The router has connectivity to the routing-instance IP addresses and is logging the connections:
>>
>>
>> root at mx80-core# run ping 37.123.100.122
>> PING 37.123.100.122 (37.123.100.122): 56 data bytes
>> 64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
>> 64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
>> ^C
>> --- 37.123.100.122 ping statistics ---
>> 2 packets transmitted, 2 packets received, 0% packet loss
>> round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms
>>
>> [edit]
>> root at mx80-core# run ping 37.123.100.98
>> PING 37.123.100.98 (37.123.100.98): 56 data bytes
>> 64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
>> 64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
>> 64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
>> ^C
>> --- 37.123.100.98 ping statistics ---
>> 3 packets transmitted, 3 packets received, 0% packet loss
>> round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms
>>
>> [edit]
>> root at mx80-core# run show firewall log
>> Log :
>> Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
>> 08:44:20  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:19  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:18  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:17  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:16  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:15  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:14  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:13  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:12  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:11  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:10  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>> 08:44:09  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
>>
>>
>>
>> but we cannot access it from outside the network:
>>
>>
>>
>> Request timeout for icmp_seq 14714
>> 36 bytes from 10.32.35.14: Destination Net Unreachable
>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>>  4  5  00 5400 938d   0 0000  38  01 d3ad 192.168.2.102  185.9.159.86
>>
>> Request timeout for icmp_seq 14715
>> 36 bytes from 10.32.35.14: Destination Net Unreachable
>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>>  4  5  00 5400 28e7   0 0000  38  01 3e54 192.168.2.102  185.9.159.86
>>
>> Request timeout for icmp_seq 14716
>> 36 bytes from 10.32.35.14: Destination Net Unreachable
>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>>  4  5  00 5400 ffb1   0 0000  38  01 6789 192.168.2.102  185.9.159.86
>>
>> Request timeout for icmp_seq 14717
>> 36 bytes from 10.32.35.14: Destination Net Unreachable
>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>>  4  5  00 5400 99ee   0 0000  38  01 cd4c 192.168.2.102  185.9.159.86
>>
>> Request timeout for icmp_seq 14718
>> 36 bytes from 10.32.35.14: Destination Net Unreachable
>> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>>  4  5  00 5400 a9d1   0 0000  38  01 bd69 192.168.2.102  185.9.159.86
>>
>>
>>
>> How can I overcome this issue?
>>
>>
>>
>> [SPDNet Telekomünikasyon  A.S. Logo]<http://https://www.spd.net.tr/>
>>
>> Cahit Eyigünlü
>> SPDNet Telekomünikasyon A.S.
>> +908508409773
>> 75. Yıl Mahallesi 5301 Sk No:24/A - MANİSA 45100
>> [WebsiteGB]<http://https://www.spd.net.tr/>   [email] <mailto:cahit.eyigunlu at spd.net.tr>     [LinkedIn button] <http://https://www.linkedin.com/company/spdnet>    [Twitter button] <https://twitter.com/NetSpd>    [Facebook button] <https://www.facebook.com/SpdNetTR>
>>
>>
>> This e-mail is private to the addressee and may contain confidential information. If this e-mail has reached you by mistake, do not use its contents in any way and do not open the attached files. This e-mail has been scanned for viruses by anti-virus systems. However, SPDNET does not guarantee that this e-mail is virus-free, even though it is checked by virus protection systems, and accepts no liability for any damage that may arise.
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
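The filter-based-forwarding setup quoted in the thread, modelled in Python as an added example (this is not code from the thread or from Junos). It assumes the FWDirect terms, the two forwarding instances and their static next-hops exactly as shown in the quoted configuration, and feeds the model constructed packets. Two points it makes visible: the TCPFW term has no `protocol` condition, so after UDPFW has taken the UDP traffic it catches everything else addressed to 185.9.159.86, including ICMP; and an input filter on ae0.0 is only traversed by packets that actually ingress ae0.0, so pings sourced from the MX itself never reach it, which is what Dave pointed out.

```python
"""Model of the FWDirect filter-based forwarding from the thread.

Added example, not from the original posts. The terms, instances and
next-hops mirror the quoted config; packets below are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "udp", "tcp" or "icmp"
    ingress: Optional[str]   # interface the packet arrived on; None = generated by the router


@dataclass
class Term:
    name: str
    dst_prefixes: list = field(default_factory=list)  # empty = any destination
    protocols: list = field(default_factory=list)     # empty = any protocol
    instance: Optional[str] = None                    # "then routing-instance X"; None = "then accept"

    def matches(self, pkt: Packet) -> bool:
        dst = ipaddress.ip_address(pkt.dst)
        if self.dst_prefixes and not any(dst in ipaddress.ip_network(p) for p in self.dst_prefixes):
            return False
        if self.protocols and pkt.proto not in self.protocols:
            return False
        return True


# Filter FWDirect, terms in configured order (Junos evaluates first match).
FWDIRECT = [
    Term("UDPFW", ["185.9.159.86/32"], ["udp"], "UDP-Routes"),
    Term("TCPFW", ["185.9.159.86/32"], [], "TCP-Routes"),  # no "protocol tcp" in the config
    Term("Default"),                                      # then accept -> normal inet.0 lookup
]

# Static default route of each forwarding instance ("show routing-instances").
# The rib-group also leaks inet.0 routes into these tables; this model only
# resolves the static 0.0.0.0/0, which is what the redirected traffic uses.
INSTANCE_DEFAULT = {
    "TCP-Routes": "37.123.100.122",
    "UDP-Routes": "37.123.100.98",
}


def evaluate_filter(terms, pkt):
    """Walk the terms in order; the first match decides. A packet matching no
    term is discarded, which is why the Default term exists."""
    for term in terms:
        if term.matches(pkt):
            return term.name, (term.instance or "inet.0")
    return None, "discard"


def forward(pkt: Packet, filtered_interface: str = "ae0.0") -> dict:
    """Return the term hit, the table used for the lookup and the next-hop."""
    if pkt.ingress != filtered_interface:
        # An input filter sees only packets ingressing that interface; locally
        # sourced pings and traffic from other ports bypass it entirely.
        return {"term": None, "table": "inet.0", "next_hop": "inet.0 lookup"}
    term, table = evaluate_filter(FWDIRECT, pkt)
    if table == "discard":
        return {"term": None, "table": "discard", "next_hop": None}
    return {"term": term, "table": table, "next_hop": INSTANCE_DEFAULT.get(table, "inet.0 lookup")}


if __name__ == "__main__":
    # Constructed samples: the ISP-side source seen in the firewall log,
    # the same destination with three protocols, and a router-sourced ping.
    samples = [
        Packet("212.174.232.182", "185.9.159.86", "udp", "ae0.0"),
        Packet("212.174.232.182", "185.9.159.86", "tcp", "ae0.0"),
        Packet("212.174.232.182", "185.9.159.86", "icmp", "ae0.0"),
        Packet("212.174.232.182", "185.9.159.87", "tcp", "ae0.0"),
        Packet("10.32.35.14", "185.9.159.86", "icmp", None),
    ]
    for p in samples:
        print(f"{p.proto:4} {p.dst:14} via {p.ingress or 'local':8} -> {forward(p)}")
```

Running the block prints one line per sample; the ICMP packet arriving on ae0.0 lands in TCP-Routes, not in the normal table, while the router-sourced ping is never evaluated against the filter at all.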