[j-nsp] Policy Based Routing

Mattias Gyllenvarg mattias at gyllenvarg.se
Mon Nov 30 04:08:09 EST 2015


Not sure about Juniper but on Cisco PBR does not apply to CPU punted
packets.

So, in most PBR environments you will not be able to reach interfaces
routed in via PBR.
PBR is often counter-intuitive to troubleshoot because it (locally) breaks
most ICMP features.

This may be the expected behavior or not. I cannot tell as I don't
understand the purpose of your topology.

On Mon, 23 Nov 2015 at 22:39, Cahit Eyigünlü <cahit.eyigunlu at spd.net.tr> wrote:

> Our network topology is as follows:
>
> http://forums.juniper.net/t5/image/serverpage/image-id/12913i3A1C52D8896D0604/image-size/original?v=mpbl-1&px=-1
>
> We have an MX80 router which has a connection on ae0 to our ISP:
>
> root at mx80-core# show interfaces ae0
> aggregated-ether-options {
>     minimum-links 1;
>     lacp {
>         active;
>         periodic fast;
>     }
> }
> unit 0 {
>     family inet {
>         filter {
>             input FWDirect;
>         }
>         address 10.32.35.14/30;
>     }
> }
>
>
> [edit]
> root at mx80-core# show firewall
> filter FWDirect {
>     term UDPFW {
>         from {
>             destination-address {
>                 185.9.159.86/32;
>             }
>             protocol udp;
>         }
>         then {
>             log;
>             routing-instance UDP-Routes;
>         }
>     }
>     term TCPFW {
>         from {
>             destination-address {
>                 185.9.159.86/32;
>             }
>         }
>         then {
>             count TCPFWTR;
>             log;
>             routing-instance TCP-Routes;
>         }
>     }
>     term Default {
>         then accept;
>     }
> }
>
> [edit]
> root at mx80-core# show routing-instances
> Normal-Routes {
>     instance-type virtual-router;
> }
> TCP-Routes {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 37.123.100.122;
>         }
>     }
> }
> UDP-Routes {
>     instance-type forwarding;
>     routing-options {
>         static {
>             route 0.0.0.0/0 next-hop 37.123.100.98;
>         }
>     }
> }
>
> [edit]
> root at mx80-core# show protocols ospf
> rib-group SPD-Route;
> area 0.0.0.0 {
>     interface all;
>     interface ae0.0 {
>         disable;
>     }
> }
>
> [edit]
>
> root at mx80-core# show routing-options rib-groups
> SPD-Route {
>     import-rib [ inet.0 UDP-Routes.inet.0 TCP-Routes.inet.0 ];
> }
>
> [edit]
> root at mx80-core#
>
>
>
> The router has connectivity to the routing-instance IP addresses and is logging the
> connections:
>
>
> root at mx80-core# run ping 37.123.100.122
> PING 37.123.100.122 (37.123.100.122): 56 data bytes
> 64 bytes from 37.123.100.122: icmp_seq=0 ttl=64 time=1.194 ms
> 64 bytes from 37.123.100.122: icmp_seq=1 ttl=64 time=0.956 ms
> ^C
> --- 37.123.100.122 ping statistics ---
> 2 packets transmitted, 2 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.956/1.075/1.194/0.119 ms
>
> [edit]
> root at mx80-core# run ping 37.123.100.98
> PING 37.123.100.98 (37.123.100.98): 56 data bytes
> 64 bytes from 37.123.100.98: icmp_seq=0 ttl=64 time=0.490 ms
> 64 bytes from 37.123.100.98: icmp_seq=1 ttl=64 time=8.739 ms
> 64 bytes from 37.123.100.98: icmp_seq=2 ttl=64 time=0.422 ms
> ^C
> --- 37.123.100.98 ping statistics ---
> 3 packets transmitted, 3 packets received, 0% packet loss
> round-trip min/avg/max/stddev = 0.422/3.217/8.739/3.905 ms
>
> [edit]
> root at mx80-core# run show firewall log
> Log :
> Time      Filter    Action Interface     Protocol        Src Addr         Dest Addr
> 08:44:20  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:19  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:18  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:17  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:16  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:15  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:14  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:13  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:12  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:11  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:10  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
> 08:44:09  pfe       A      ae0.0         ICMP            212.174.232.182  185.9.159.86
>
>
>
> but we cannot access it from outside the network:
>
>
>
> Request timeout for icmp_seq 14714
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 938d   0 0000  38  01 d3ad 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14715
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 28e7   0 0000  38  01 3e54 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14716
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 ffb1   0 0000  38  01 6789 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14717
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 99ee   0 0000  38  01 cd4c 192.168.2.102  185.9.159.86
>
> Request timeout for icmp_seq 14718
> 36 bytes from 10.32.35.14: Destination Net Unreachable
> Vr HL TOS  Len   ID Flg  off TTL Pro  cks      Src      Dst
>  4  5  00 5400 a9d1   0 0000  38  01 bd69 192.168.2.102  185.9.159.86
>
>
>
> How can I overcome this issue?
>
>
> Cahit Eyigünlü
> SPDNet Telekomünikasyon A.S.
> +908508409773
> 75. Yıl Mahallesi 5301 Sk No:24/A - MANİSA 45100
> https://www.spd.net.tr/ | cahit.eyigunlu at spd.net.tr | https://www.linkedin.com/company/spdnet | https://twitter.com/NetSpd | https://www.facebook.com/SpdNetTR
>
>
> This e-mail is intended for the addressee only and may contain confidential information. If this
> e-mail has reached you in error, do not use its contents in any way and do not open the
> attached files. This e-mail has been scanned for viruses by anti-virus systems. However, SPDNET
> does not guarantee that this e-mail - even though it is checked by virus protection systems - is
> free of viruses, and accepts no liability for any damage that may arise.
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
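To make the two points in this thread concrete, here is a small model of the filter-based forwarding in the quoted configuration. It is an added illustration, not Junos code and not the poster's or the list's own material. The filter terms, instance names, the filtered destination 185.9.159.86 and the two static next-hops are taken from the quoted config; the packets, the inet.0 entries and the assumed ISP-side address 10.32.35.13 are constructed. It shows that terms are matched top-down and that TCPFW, lacking a `protocol` qualifier, steers ICMP into TCP-Routes as well, and that a router-originated ping never passes the ae0 input filter, which is why the MX80 reaching the next-hops says nothing about the path transit packets take.

```python
"""Toy model of the filter-based forwarding (FBF) in the quoted configuration.
Added illustration only: not Junos code and not the poster's setup. Terms,
instance names, the filtered destination and the static next-hops come from
the quoted config; packets and the inet.0 table are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Term:
    """One firewall-filter term: 'from' qualifiers and the 'then' action."""
    name: str
    dst: Optional[str] = None        # from destination-address, None = any
    proto: Optional[str] = None      # from protocol, None = any
    instance: Optional[str] = None   # then routing-instance, None = inet.0

    def matches(self, pkt: dict) -> bool:
        if self.proto is not None and pkt["proto"] != self.proto:
            return False
        if self.dst is not None and \
                ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return True


# Filter FWDirect as quoted: terms are evaluated top-down, first match wins.
# TCPFW has no 'protocol' qualifier, so it catches ICMP (and anything else).
FILTER = [
    Term("UDPFW", dst="185.9.159.86/32", proto="udp", instance="UDP-Routes"),
    Term("TCPFW", dst="185.9.159.86/32", instance="TCP-Routes"),
    Term("Default"),
]

# Routing tables as (prefix, next-hop). The forwarding instances hold only the
# quoted static defaults. The inet.0 entries are constructed (10.32.35.13 is an
# assumed ISP side of the ae0 /30) so the router's own pings have a route.
TABLES = {
    "inet.0": [("37.123.100.0/24", "direct"), ("0.0.0.0/0", "10.32.35.13")],
    "TCP-Routes": [("0.0.0.0/0", "37.123.100.122")],
    "UDP-Routes": [("0.0.0.0/0", "37.123.100.98")],
}


def lookup(table, dst: str) -> Optional[str]:
    """Longest-prefix match; None means no route (unreachable)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best is not None else None


def forward(pkt: dict, locally_originated: bool = False
            ) -> Tuple[Optional[str], Optional[str], Optional[str]]:
    """Return (matched term, table used, next-hop) for a packet on ae0.

    Router-originated traffic (e.g. 'run ping' on the MX80) never traverses an
    interface input filter, so in this model it is looked up in inet.0 directly.
    That is the reply's point: the router reaching the next-hops says nothing
    about the path transit packets take through the filter."""
    if locally_originated:
        return (None, "inet.0", lookup(TABLES["inet.0"], pkt["dst"]))
    for term in FILTER:
        if term.matches(pkt):
            table = term.instance or "inet.0"
            return (term.name, table, lookup(TABLES[table], pkt["dst"]))
    return (None, None, None)   # fell off the end of the filter: implicit discard


if __name__ == "__main__":
    # Constructed packets; 192.168.2.102 is the source seen in the quoted ping.
    samples = [
        ({"src": "192.168.2.102", "dst": "185.9.159.86", "proto": "icmp"}, False),
        ({"src": "192.168.2.102", "dst": "185.9.159.86", "proto": "udp"}, False),
        ({"src": "192.168.2.102", "dst": "185.9.159.86", "proto": "tcp"}, False),
        ({"src": "192.168.2.102", "dst": "203.0.113.9", "proto": "tcp"}, False),
        ({"src": "10.32.35.14", "dst": "37.123.100.122", "proto": "icmp"}, True),
    ]
    for pkt, local in samples:
        print(f"{pkt['proto']:4} -> {pkt['dst']:15} local={local!s:5} : {forward(pkt, local)}")
```

Running the block prints the steering decision for each sample: the outside ICMP probe lands in TCP-Routes with next-hop 37.123.100.122, UDP lands in UDP-Routes, a non-filtered destination takes the Default term and inet.0, and the router's own ping to a next-hop bypasses the filter entirely.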

