[j-nsp] Filter based forwarding for IPv6 with SRX

Mircho Mirchev mircho at gmail.com
Thu Sep 15 10:19:12 EDT 2016


Hi all,

This is a copy of a J-net forum topic.

http://forums.juniper.net/t5/SRX-Services-Gateway/Filter-based-forwarding-for-IPv6/td-p/297266

Has someone ever tried to do FBF for inet6 on SRX?

I'm having trouble with the following configuration:

security {
    forwarding-options {
        family {
            inet6 {
                mode flow-based;
            }
        }
    }
}
interfaces {
    ge-0/0/0 {
        description Untrust;
        per-unit-scheduler;
        vlan-tagging;
        unit 153 {
            vlan-id 153;
            family inet {
                address 192.168.153.172/24;
            }
            family inet6 {
                address aaaa:bbbb:cccc:153:192:168:153:172/64;
            }
        }
        unit 4001 {
            vlan-id 4001;
            family inet;
            family inet6 {
                address aaaa:bbbb:cccc:4001::2/64;
            }
        }
        unit 4002 {
            vlan-id 4002;
            family inet {
                address 10.42.0.1/24;
            }
            family inet6 {
                filter {
                    input mm6;
                }
                address aaaa:bbbb:cccc:4002::1/64 {
                    preferred;
                }
                address aaaa:bbbb:cccc:400a::1/64;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet6 all6;
    }
    rib inet6.0 {
        static {
            route ::/0 next-hop aaaa:bbbb:cccc:ffff::1;
        }
    }
    static {
        route 0.0.0.0/0 next-hop 192.168.153.1;
    }
    rib-groups {
        all6 {
            import-rib [ inet6.0 mm.inet6.0 ];
        }
    }
}
firewall {
    family inet6 {
        filter mm6 {
            interface-specific;
            term 1 {
                from {
                    source-address {
                        aaaa:bbbb:cccc:400a::/64;
                    }
                }
                then {
                    forwarding-class expedited-forwarding;
                    routing-instance mm;
                }
            }
            term last {
                then {
                    forwarding-class assured-forwarding;
                    accept;
                }
            }
        }
    }
}
routing-instances {
    mm {
        instance-type forwarding;
        routing-options {
            rib mm.inet6.0 {
                static {
                    route ::/0 next-hop aaaa:bbbb:cccc:4001::1;
                }
            }
        }
    }
}

It's nothing fancy (as per the guide), and a similar config for inet is
working fine.

However, for inet6 the outbound traffic (from aaaa:bbbb:cccc:400a::/64) is
routed using the route from the master RI, and not from the "mm" RI,
although the filter is being applied (that's why I've put it in different FW
classes to see what exactly is wrong).

If I change the RI type to virtual-router, the issue is no longer present,
but this has a lot of implications, like new security zones, policies, etc.

Tried this with 12.1X46, 12.1X47 and 12.3X48 - no change in behaviour.
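Verification steps for this setup, added here as an example and not part of the original post: the table, filter and interface names come from the configuration above, while the counter name fbf-to-mm is an assumption. They check whether the forwarding instance has usable routes and whether the FBF term is actually matching.

```junos
# Confirm the forwarding instance has usable routes. mm.inet6.0 needs the
# interface route for aaaa:bbbb:cccc:4001::/64 (imported by rib-group all6),
# otherwise the static ::/0 via aaaa:bbbb:cccc:4001::1 has no resolvable next hop.
show route table mm.inet6.0
show route table mm.inet6.0 aaaa:bbbb:cccc:4001::1

# Compare the RIB view with what the PFE actually installed for the instance.
show route forwarding-table family inet6 table mm

# Add a counter to the FBF term so matches can be seen directly instead of
# being inferred from forwarding classes (counter name fbf-to-mm is assumed).
set firewall family inet6 filter mm6 term 1 then count fbf-to-mm
commit

# With interface-specific set, the counter is shown under the per-interface
# filter instance, named <filter>-<interface>-i for an input filter.
show firewall filter mm6-ge-0/0/0.4002-i

# Flow mode: check the egress interface each session was installed with.
# Traffic diverted into mm should leave via ge-0/0/0.4001, not ge-0/0/0.153.
show security flow session source-prefix aaaa:bbbb:cccc:400a::/64 extensive
```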

