[j-nsp] Policy Based Routing
Cahit Eyigünlü
cahit.eyigunlu at spd.net.tr
Mon Nov 23 16:39:07 EST 2015
Our network topology is as follows:
http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1&px=-1
We have an MX80 router which has a connection on ae0 to our ISP:
root@mx80-core# show interfaces ae0
aggregated-ether-options {
    minimum-links 1;
    lacp {
        active;
        periodic fast;
    }
}
unit 0 {
    family inet {
        filter {
            input FWDirect;
        }
        address 10.32.35.14/30;
    }
}
[edit]
root@mx80-core# show firewall
filter FWDirect {
    term UDPFW {
        from {
            destination-address {
                185.9.159.86/32;
            }
            protocol udp;
        }
        then {
            log;
            routing-instance UDP-Routes;
        }
    }
    term TCPFW {
        from {
            destination-address {
                185.9.159.86/32;
            }
        }
        then {
            count TCPFWTR;
            log;
            routing-instance TCP-Routes;
        }
    }
    term Default {
        then accept;
    }
}
[edit]
root@mx80-core# show routing-instances
Normal-Routes {
    instance-type virtual-router;
}
TCP-Routes {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 37.123.100.122;
        }
    }
}
UDP-Routes {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 37.123.100.98;
        }
    }
}
[edit]
root@mx80-core# show protocols ospf
rib-group SPD-Route;
area 0.0.0.0 {
    interface all;
    interface ae0.0 {
        disable;
    }
}
[edit]
root@mx80-core# show routing-options rib-groups
SPD-Route {
    import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
}
[edit]
root@mx80-core#
The router has a connection to the routing-instance IP addresses and is logging the connections:
root@mx80-core# run ping 37.123.100.122
PING 37.123.100.122 (37.123.100.122): 56 data bytes
64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
^C
--- 37.123.100.122 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms
[edit]
root@mx80-core# run ping 37.123.100.98
PING 37.123.100.98 (37.123.100.98): 56 data bytes
64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
^C
--- 37.123.100.98 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms
[edit]
root@mx80-core# run show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
08:44:20 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:19 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:18 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:17 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:16 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:15 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:14 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:13 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:12 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:11 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:10 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
08:44:09 pfe A ae0.0 ICMP 212.174.232.182 185.9.159.86
But we cannot access it from outside the network:
Request timeout for icmp_seq 14714
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 938d 0 0000 38 01 d3ad 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14715
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 28e7 0 0000 38 01 3e54 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14716
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 ffb1 0 0000 38 01 6789 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14717
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 99ee 0 0000 38 01 cd4c 192.168.2.102 185.9.159.86
Request timeout for icmp_seq 14718
36 bytes from 10.32.35.14: Destination Net Unreachable
Vr HL TOS Len ID Flg off TTL Pro cks Src Dst
4 5 00 5400 a9d1 0 0000 38 01 bd69 192.168.2.102 185.9.159.86
How can I overcome this issue?
Cahit Eyigünlü
SPDNet Telekomünikasyon A.S.
+908508409773
75. Yıl Mahallesi 5301 Sk No:24/A - MANİSA 45100
This e-mail is intended for the addressee only and may contain confidential information. If this e-mail has reached you in error, do not use its contents in any way and do not open the attached files. This e-mail has been scanned for viruses by anti-virus systems. However, SPDNET does not guarantee that this e-mail is free of viruses, even though it is checked by virus protection systems, and accepts no liability for any damage that may occur.
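Added example (editor's note; this is not the poster's configuration and not text from Juniper's documentation): a corrected FWDirect filter and routing-options stanza covering the two points a reviewer would raise from the configuration and output above. First, term TCPFW has no protocol match, so every non-UDP packet to 185.9.159.86, including the ICMP echo requests visible in the firewall log, is steered into TCP-Routes; adding protocol tcp makes the term match only what its name promises, and everything else falls through to term Default and normal inet.0 forwarding. Second, a static route inside an instance of type forwarding resolves its next-hop only against routes present in that instance's own table, and the SPD-Route rib-group is currently applied only to OSPF, so the direct routes for the 37.123.100.x subnets never reach TCP-Routes.inet.0 or UDP-Routes.inet.0 and the 0.0.0.0/0 statics cannot become active; that is consistent with the "Destination Net Unreachable" replies coming from the MX80's own ae0 address. Applying the same rib-group to interface routes copies those direct routes into the forwarding tables. The example assumes that 37.123.100.122 and 37.123.100.98 sit on interfaces directly connected to the MX80 (the sub-millisecond, TTL 64 ping replies suggest so).

```junos
/* Added example, not the poster's configuration. Assumes the 37.123.100.x
   next-hops are on interfaces directly connected to the MX80. */
routing-options {
    /* Copy direct (interface) routes into the forwarding-instance tables so
       the static next-hops in TCP-Routes and UDP-Routes can resolve. */
    interface-routes {
        rib-group inet SPD-Route;
    }
    rib-groups {
        SPD-Route {
            import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
        }
    }
}
firewall {
    filter FWDirect {
        term UDPFW {
            from {
                destination-address {
                    185.9.159.86/32;
                }
                protocol udp;
            }
            then {
                log;
                routing-instance UDP-Routes;
            }
        }
        term TCPFW {
            from {
                destination-address {
                    185.9.159.86/32;
                }
                /* The original term had no protocol match and therefore
                   steered ICMP and every other protocol into TCP-Routes. */
                protocol tcp;
            }
            then {
                count TCPFWTR;
                log;
                routing-instance TCP-Routes;
            }
        }
        /* Anything else (ICMP included) is forwarded normally via inet.0. */
        term Default {
            then accept;
        }
    }
}
```

After commit, show route table TCP-Routes.inet.0 (and the UDP-Routes table) should list a direct route for the 37.123.100.x subnet together with an active 0.0.0.0/0 static; if the static still shows as unresolved, the next-hop subnet is not directly connected and a route to it has to reach the forwarding table some other way. Once protocol tcp is in place, show firewall log should show only TCP and UDP packets hitting the two steering terms, since term Default does not log.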