[j-nsp] Routing Engine filtering on EX with VRF

Raphael Mazelier raph at futomaki.net
Tue Mar 22 13:20:21 EDT 2016 


Le 22/03/2016 17:35, Scott Granados a écrit :
> I believe this is correct.  In order for a specific filter to have effect with in an routing instance you have to apply that filter to the loopback else I believe and am more than willing to be corrected but I believe the instance takes on the characteristics of the global filter when no filter is applied to the loopback within the instance.
>

Quoting the doc :


""You can create an individual loopback interface logical unit for each 
and every VRF, such as lo0.x (x>1). When assigning the loopback 
interface logical unit to one VRF, you can also apply the firewall 
filter on the subinterface.

Additionally, the loopback0.0 logical unit (also referred as the default 
loopback interface), which is associated with the default routing table, 
can also have its own firewall filter. You can define multiple firewall 
filters and apply them on different logical units of the loopback 
interface. Which filter should take effect can be decided by the 
following three rules:

     If you configure Filter A on the default loopback interface and 
Filter B on the VRF loopback interface, then the VRF routing instance 
uses Filter B.

     If you configure Filter A on the default loopback interface, but do 
not configure a filter on the VRF loopback interface, then the VRF 
routing instance does not use a filter.

     If you configure Filter A on the default loopback interface, but do 
not even configure a VRF loopback interface, the VRF routing instance 
uses Filter A.

""

on my EX :

/* global loopback */
unit 0 {
     family inet {
         filter {
             input protect-routing-engine;
         }
         address 1.1.1.14/32;
     }
}
/* vrf internet loopback */
unit 2 {
     family inet {
         filter {
             input protect-routing-engine;
         }
         address 1.2.2.114/32;
     }
}

But for an interface which was on the 'internet' vrf :

interfaces ge-1/0/13
unit 0 {
     family inet {
         address 1.2.2.174/31;
     }
}

internet {
     instance-type vrf;
     interface ge-1/0/13.0;
     interface lo0.1;
     route-distinguisher 10:14;
     vrf-target target:10:10;
     vrf-table-label;

}

The filter is never reached...
I will open a case on the Jtac.


-- 
Raphael Mazelier

More information about the juniper-nsp mailing list