Simple FBF Not Working
It is probably due to the fact that I am new to Junos, but I am trying to implement an FBF to redirect traffic from a particular host (and eventually network) and route it out a different interface than the rest of the traffic.
This is on an SRX 650
set routing-instances ToAthena instance-type forwarding routing-options static route 0.0.0.0/0 next-hop 172.30.4.2
set firewall filter AthenaDR term redirect from source-address 172.21.70.7
set firewall filter AthenaDR term redirect then routing-instance ToAthena
set firewall filter AthenaDR term allow-all then accept
set interfaces ge-0/0/2.0 family inet filter input AthenaDR
When I do a show route there is no ToAthena instance. And a traceroute from 172.21.70.7 shows it using the default route from the default routing table.
Thanks,
Comments
BGP peers are quiet.
Something must be wrong.
Sure
static {
    route 172.30.0.0/16 next-hop 172.30.1.2;
    route 0.0.0.0/0 next-hop 172.30.1.2;
}
http://www.mashtronauts.com
Also do post the whole configuration... do not edit the output since this is just a lab config...
BGP peers are quiet.
Something must be wrong.
<Removed Config>
http://www.mashtronauts.com
I don't see ge-2/0/2.0 and ge-2/0/20.1200 defined in a security zone. This will default them to the null "goodbye all packets" zone. Create address book entries and a security policy to allow the traffic.
Also, you use: route 0.0.0.0/0 next-hop 172.30.4.2
set interfaces ge-2/0/2 unit 0 family inet address 172.30.200.1/24
set interfaces ge-2/0/20 unit 1200 family inet address 172.30.253.0/31
How is the instance going to resolve the next-hop of 172.30.4.2? Your interfaces are in different subnets.
And now that I think of it, shouldn't the IP addresses and VLANs for those interfaces be defined under the routing-instances stanza and not in the main configuration, which would put them in the main inet.0 table?
It's been a while since I did the FBF, but this just doesn't look right; I could be forgetting how to do it though.
So anyhoo, here's an actual guide showing you how to do it on the SRX.
Juniper Networks - How to configure Filter Based Forwarding on SRX for a typical dual-ISP scenario - Knowledge Base
hope this helps!
And that's exactly why I was asking for the routing-options configuration...
Missing the rib-groups here... and lots of good stuff...
The document provided by Zoidberg is spot on... You may want to avoid the JTAC and just get it resolved yourself...
Do also delete the configuration of this page... Looks like TW Telecom...
BGP peers are quiet.
Something must be wrong.
I changed the IPs and ASs and yes we use TW Telecom.
I have only made a few changes to this SRX since I got here. Most of that config was done by someone who thankfully is now gone. I have glanced over the rib-groups but did not think they would be necessary for this case, but will take a closer look. I used the display set as this takes up less room to print. Thanks guys, I'll look over your suggestions.
http://www.mashtronauts.com
interface-routes {
    rib-group inet IMPORT-RIB;
}
rib-groups {
    IMPORT-RIB {
        import-rib [ ToAthena.inet.0 inet.0 ];
    }
}
So it looks like the routing table has to be associated with an interface? I am assuming that is what the interface-routes stanza does.
We really don't need the entire default routing table to be shared with the ToAthena routing table, is there another cleaner way to do this?
http://www.mashtronauts.com
BGP peers are quiet.
Something must be wrong.
You are absolutely correct, it is just the connected interfaces. I am playing with this on an SRX 250 where the entire table is directly connected interfaces.
See if I have this right. The ToAthena routing table did not show up because the only route in it pointed to an address that could not be resolved, as that address/subnet did not exist in the ToAthena table. Using the 'rib import' and 'interface routes' allowed directly connected routes to be shared from the default table into the ToAthena table. Those two commands are still a bit of a mystery in exactly what they do.
Here is the complete config with the filter. We will try this on our production unit once we get out of freeze next week.
set routing-instances ToAthena instance-type forwarding routing-options static route 0.0.0.0/0 next-hop 172.30.4.2
set firewall filter AthenaDR term redirect from source-address 172.21.70.7
set firewall filter AthenaDR term redirect then routing-instance ToAthena
set firewall filter AthenaDR term allow-all then accept
set interfaces ge-0/0/0.0 family inet filter input AthenaDR
set routing-options rib-groups IMPORT import-rib inet.0
set routing-options rib-groups IMPORT import-rib ToAthena.inet.0
set routing-options rib-groups IMPORT import-policy proxy-interface
set routing-options interface-routes rib-group inet IMPORT
set policy-options policy-statement proxy-interface term service from interface ge-0/0/2.0
set policy-options policy-statement proxy-interface term service to rib ToAthena.inet.0
set policy-options policy-statement proxy-interface term service then accept
set policy-options policy-statement proxy-interface term reject then reject
Thanks everyone for your help with this, I will post the results.
http://www.mashtronauts.com
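As an added illustration (not code from the thread or from Juniper), here is a Python check for the two conditions the thread settles on: the instance's table must receive interface routes through a rib-group applied under interface-routes, and the instance's static next-hop must sit in a connected subnet that is actually leaked into that table. The config is the poster's final one; the ge-0/0/2 address 172.30.4.1/24 is an assumption, since the interface addresses were removed from the post.

```python
from ipaddress import ip_address, ip_interface
# Constructed sample in "display set" form, taken from the final post above; the
# ge-0/0/2 address is an assumption (the poster removed interface addresses).
BROKEN = """set interfaces ge-0/0/2 unit 0 family inet address 172.30.4.1/24
set routing-instances ToAthena instance-type forwarding routing-options static route 0.0.0.0/0 next-hop 172.30.4.2
set firewall filter AthenaDR term redirect from source-address 172.21.70.7
set firewall filter AthenaDR term redirect then routing-instance ToAthena
set firewall filter AthenaDR term allow-all then accept
set interfaces ge-0/0/0.0 family inet filter input AthenaDR
"""
FIXED = BROKEN + """set routing-options rib-groups IMPORT import-rib inet.0
set routing-options rib-groups IMPORT import-rib ToAthena.inet.0
set routing-options rib-groups IMPORT import-policy proxy-interface
set routing-options interface-routes rib-group inet IMPORT
set policy-options policy-statement proxy-interface term service from interface ge-0/0/2.0
set policy-options policy-statement proxy-interface term service to rib ToAthena.inet.0
set policy-options policy-statement proxy-interface term service then accept
set policy-options policy-statement proxy-interface term reject then reject
"""

def check_fbf(config):
    """Problems that keep a forwarding instance's next-hop from resolving (simplified model)."""
    st = [ln.split()[1:] for ln in config.splitlines() if ln.startswith("set ")]
    connected, nexthops = {}, {}          # ifl -> connected networks, instance -> static next-hops
    for s in st:
        if s[0] == "interfaces" and "address" in s:
            ifl = f"{s[1]}.{s[3]}" if s[2] == "unit" else s[1]
            connected.setdefault(ifl, []).append(ip_interface(s[-1]).network)
        elif s[0] == "routing-instances" and "next-hop" in s:
            nexthops.setdefault(s[1], []).append(ip_address(s[-1]))
    # Rib-groups hung off interface-routes: the tables they feed and the policy that filters them
    applied = {s[-1] for s in st if s[:2] == ["routing-options", "interface-routes"]}
    groups = [s for s in st if s[:2] == ["routing-options", "rib-groups"] and s[2] in applied]
    fed = {s[4] for s in groups if s[3] == "import-rib"}
    policies = {s[4] for s in groups if s[3] == "import-policy"}
    # Without an import-policy every interface route leaks; with one, only 'from interface' terms are modelled
    leaked = {s[-1] for s in st if s[:2] == ["policy-options", "policy-statement"]
              and s[2] in policies and s[-2] == "interface"} if policies else set(connected)
    problems = []
    for s in st:
        if s[:2] == ["firewall", "filter"] and "routing-instance" in s:
            inst, table = s[-1], f"{s[-1]}.inet.0"
            if inst not in nexthops:
                problems.append(f"filter {s[2]} redirects to undefined instance {inst}")
            elif table not in fed:
                problems.append(f"{table} receives no interface routes (no rib-group under interface-routes)")
            reach = [n for i in leaked for n in connected.get(i, [])] if table in fed else []
            for nh in nexthops.get(inst, []):
                if not any(nh in n for n in reach):
                    problems.append(f"next-hop {nh} for {inst} is not on a connected subnet in {table}")
    return problems
```

Run against BROKEN it reports the missing rib-group and the unresolvable 172.30.4.2 next-hop; against FIXED it reports nothing, because only the ge-0/0/2.0 route is leaked and that is the subnet the next-hop lives in.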