[j-nsp] Policy Based Routing

Cahit Eyigünlü cahit.eyigunlu at spd.net.tr
Mon Nov 23 16:39:07 EST 2015


Our network topology is as follows:


http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1&px=-1




We have an MX80 router which has a connection on ae0 to our ISP.



root at mx80-core# show interfaces ae0
aggregated-ether-options {
 minimum-links 1;
 lacp {
 active;
 periodic fast;
 }
}
unit 0 {
 family inet {
 filter {
 input FWDirect;
 }
 address 10.32.35.14/30;
 }
}


[edit]
root at mx80-core# show firewall
filter FWDirect {
    term UDPFW {
        from {
            destination-address {
                185.9.159.86/32;
            }
            protocol udp;
        }
        then {
            log;
            routing-instance UDP-Routes;
        }
    }
    term TCPFW {
        from {
            destination-address {
                185.9.159.86/32;
            }
        }
        then {
            count TCPFWTR;
            log;
            routing-instance TCP-Routes;
        }
    }
    term Default {
        then accept;
    }
}

[edit]
root at mx80-core# show routing-instances
Normal-Routes {
    instance-type virtual-router;
}
TCP-Routes {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 37.123.100.122;
        }
    }
}
UDP-Routes {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 37.123.100.98;
        }
    }
}

[edit]
root at mx80-core# show protocols ospf
rib-group SPD-Route;
area 0.0.0.0 {
    interface all;
    interface ae0.0 {
        disable;
    }
}

[edit]

root at mx80-core# show routing-options rib-groups
SPD-Route {
    import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
}

[edit]
root at mx80-core#



The router has a connection to the routing-instance IP addresses and is logging the connections:


root at mx80-core# run ping 37.123.100.122
PING 37.123.100.122 (37.123.100.122): 56 data bytes
64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
^C
--- 37.123.100.122 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms

[edit]
root at mx80-core# run ping 37.123.100.98
PING 37.123.100.98 (37.123.100.98): 56 data bytes
64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
^C
--- 37.123.100.98 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms

[edit]
root at mx80-core# run show firewall log
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
08:44:20  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:19  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:18  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:17  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:16  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:15  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:14  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:13  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:12  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:11  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:10  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86
08:44:09  pfe       A      ae0.0         ICMP            212.174.232.182                  185.9.159.86



but we cannot access it from outside the network:



Request timeout for icmp_seq 14714
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 938d   0 0000  38  01 d3ad 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14715
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 28e7   0 0000  38  01 3e54 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14716
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 ffb1   0 0000  38  01 6789 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14717
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 99ee   0 0000  38  01 cd4c 192.168.2.102  185.9.159.86

Request timeout for icmp_seq 14718
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
 4  5  00 5400 a9d1   0 0000  38  01 bd69 192.168.2.102  185.9.159.86



How can I overcome this issue?



Cahit Eyigünlü
SPDNet Telekomünikasyon A.S.
+908508409773
75. Yıl Mahallesi 5301 Sk No:24/A - MANİSA 45100


This e-mail is intended for the addressee only and may contain confidential information. If this e-mail has reached you by mistake, do not use its contents in any way and do not open the attached files. This e-mail has been scanned for viruses by anti-virus systems. However, SPDNET does not guarantee that this e-mail, even though it has been checked by virus protection systems, is free of viruses, and accepts no liability for any damage that may arise.
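Added example (editor's addition, not part of the original post or its author's configuration): two things a Junos filter-based-forwarding setup of this shape normally needs, reusing the post's own instance, rib-group, filter and address names. First, a forwarding instance whose only route is a static default can use that route only if the next hop's connected subnet is also present in the instance's table; the `protocols ospf rib-group` statement in the post copies OSPF routes into `TCP-Routes.inet.0` and `UDP-Routes.inet.0`, but the directly connected (Direct) routes are only copied when `routing-options interface-routes rib-group` names the same group. That this is what is missing here is an assumption drawn from the configuration shown, not something the post establishes. Second, `term TCPFW` as posted has no `protocol` match, so every non-UDP packet to 185.9.159.86, ICMP included, is steered into `TCP-Routes`; if the intent is that only TCP takes that path, the term needs `protocol tcp`.

```junos
/* Added example, not the original poster's configuration.
   Assumption: the next hops 37.123.100.122 and 37.123.100.98 are on
   directly connected interfaces of the MX80 (as the ping output suggests),
   so leaking the interface routes is enough for the static defaults to resolve. */
routing-options {
    interface-routes {
        /* Copy the Direct routes of all inet interfaces into every table
           listed in SPD-Route, so the forwarding instances can resolve
           their static next hops. */
        rib-group inet SPD-Route;
    }
    rib-groups {
        SPD-Route {
            /* The first entry must be the primary table (inet.0). */
            import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
        }
    }
}
firewall {
    filter FWDirect {
        term UDPFW {
            from {
                destination-address {
                    185.9.159.86/32;
                }
                protocol udp;
            }
            then {
                log;
                routing-instance UDP-Routes;
            }
        }
        term TCPFW {
            from {
                destination-address {
                    185.9.159.86/32;
                }
                /* Without an explicit protocol match this term also catches
                   ICMP and every other non-UDP protocol. */
                protocol tcp;
            }
            then {
                count TCPFWTR;
                log;
                routing-instance TCP-Routes;
            }
        }
        term Default {
            then accept;
        }
    }
}
```

To check the result, `show route table TCP-Routes.inet.0` (and the UDP table) should list the next hop's connected subnet as a Direct route and show `0.0.0.0/0` as active; if the default is still missing, `show route table TCP-Routes.inet.0 hidden` reveals a static route whose next hop cannot be resolved. Note that the instance-based `routing-instance` action is applied before the packet is routed, so anything the filter sends into an instance with no usable route is dropped with an unreachable from the ingress interface address, which matches the `Destination Net Unreachable` replies from 10.32.35.14 seen above.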

