[j-nsp] filter based forwarding of self-generated traffic
Alexander Arseniev
arseniev at btinternet.com
Thu Dec 7 10:38:13 EST 2017
Hello,
FBF for self-originated traffic is not supported.
The technical explanation is that all filters bar one are instantiated
in the forwarding plane, but self-generated traffic is routed &
L2-encapsulated by the RE itself.
The only filter that is instantiated in the RE is the fxp0 filter.
Your best bet would be to have the primary ISP in the custom routing
instance but the secondary ISP in the GRT. Then you CAN have ALL
self-generated traffic go via the secondary ISP.
Sure, you can route SOME self-generated traffic via a custom routing
instance (like sending SNMP traps, or to an NTP server) but not all; a notable
exception is RADIUS/TACACS for login authentication.
HTH
Thx
Alex
On 07/12/2017 15:14, Daniel Hagerty wrote:
> [ Please pardon any duplication, it looks like my first post attempt
> was scrubbed. ]
>
> I have built up a lab to test a configuration where I'd like an
> SRX240 to route some of its self-generated traffic to a secondary ISP via
> filter based forwarding. I'm utterly failing at this.
>
> I can trivially get the config to work as I want for other hosts
> being forwarded by the SRX, but not the SRX's own traffic. SRX
> traffic that meets the filter forwarding criteria always receives
> "Operation not permitted" error messages, as if there's a default
> reject somewhere that I haven't found.
>
> Can anybody tell me what I'm missing here? I've tried fiddling
> many ways and have yet to figure it out. The seemingly relevant bits
> of config are below. Thanks in advance.
>
> version 12.3X48-D50.6;
> security {
>     policies {
>         from-zone internet to-zone internet {
>             policy sure {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone internet to-zone inside {
>             policy sure {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone inside to-zone internet {
>             policy sure {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone junos-host to-zone internet {
>             policy sure {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone internet to-zone junos-host {
>             policy sure {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone inside to-zone junos-host {
>             policy sure {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>         from-zone junos-host to-zone inside {
>             policy sure {
>                 match {
>                     source-address any;
>                     destination-address any;
>                     application any;
>                 }
>                 then {
>                     permit;
>                 }
>             }
>         }
>     }
>     zones {
>         security-zone internet {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>             }
>             interfaces {
>                 ge-0/0/1.0;
>                 ge-0/0/2.0;
>             }
>         }
>         security-zone inside {
>             host-inbound-traffic {
>                 system-services {
>                     all;
>                 }
>             }
>             interfaces {
>                 ge-0/0/0.0;
>             }
>         }
>     }
> }
> interfaces {
>     ge-0/0/0 {
>         description "Faux Internal";
>         unit 0 {
>             family inet {
>                 inactive: filter {
>                     input forward;
>                 }
>                 address 192.168.1.1/24;
>             }
>         }
>     }
>     ge-0/0/1 {
>         description "Faux isp1 ethernet";
>         unit 0 {
>             family inet {
>                 address 172.22.1.2/24;
>             }
>         }
>     }
>     ge-0/0/2 {
>         description "Faux isp2 ethernet";
>         unit 0 {
>             family inet {
>                 filter {
>                     output accept;
>                 }
>                 address 10.50.1.2/24;
>             }
>         }
>     }
>     lo0 {
>         unit 0 {
>             family inet {
>                 filter {
>                     output forward;
>                 }
>                 address 10.127.1.2/32;
>             }
>         }
>     }
> }
> routing-options {
>     interface-routes {
>         rib-group inet interface-routes;
>     }
>     static {
>         route 0.0.0.0/0 next-hop 172.22.1.1;
>     }
>     rib-groups {
>         interface-routes {
>             import-rib [ inet.0 isp2.inet.0 ];
>         }
>     }
> }
> firewall {
>     filter forward {
>         term t1 {
>             from {
>                 source-address {
>                     10.50.1.2/32;
>                 }
>             }
>             then {
>                 count isp2;
>                 log;
>                 routing-instance isp2;
>             }
>         }
>         term t2 {
>             then {
>                 count isp1;
>                 log;
>                 accept;
>             }
>         }
>     }
>     filter accept {
>         term t1 {
>             then accept;
>         }
>     }
> }
> routing-instances {
>     /* instance name aligned with the rib-group import-rib and filter action above, which both reference isp2 */
>     isp2 {
>         instance-type virtual-router;
>         routing-options {
>             static {
>                 route 0.0.0.0/0 next-hop 10.50.1.1;
>             }
>         }
>     }
> }
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
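As an added illustration of the "SOME self-generated traffic" option in Alex's reply (this is not config from either post), the sketch below keeps ISP1 as the GRT default, moves the ISP2 interface and its default route into a dedicated virtual-router, and pins only SNMP traps and NTP to that instance with the per-service routing-instance knobs instead of a lo0 output filter. The instance name, trap-group name, trap target and NTP server address are assumed values; zone membership and the original rib-group are left as in the post.

```junos
/* GRT keeps the primary ISP: every self-generated flow not pinned below exits here */
routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.22.1.1;
    }
}
/* assumed instance name: holds the secondary ISP interface and its own default route */
routing-instances {
    isp2 {
        instance-type virtual-router;
        interface ge-0/0/2.0;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.50.1.1;
            }
        }
    }
}
/* no output filter on lo0: FBF is not applied to RE-originated packets */
interfaces {
    lo0 {
        unit 0 {
            family inet {
                address 10.127.1.2/32;
            }
        }
    }
}
/* SNMP traps are one of the services that can be sourced from a custom instance */
snmp {
    trap-group lab-traps {               /* assumed group name */
        targets {
            10.50.1.50;                  /* constructed collector address */
        }
        routing-instance isp2;
    }
}
/* NTP likewise; RADIUS/TACACS login authentication has no such knob and stays in the GRT */
system {
    ntp {
        server 10.50.1.123 routing-instance isp2;   /* constructed NTP server address */
    }
}
```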