SRX

 View Only
last person joined: 23 hours ago 

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.

  • 1.  Filter Based Forwarding support on st0 interface

    Posted 07-31-2017 10:35

    Hi,

    I have a need to configure FBF on IPsec tunnel interface st0

     

     SRX-300#set interfaces st0.10 family inet ?

    Possible completions:
      <[Enter]>            Execute this command
    > address              Interface address/destination prefix
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
    > dhcp-client          Dynamic Host Configuration Protocol client configuration
      mtu                  Protocol family maximum transmission unit
      negotiate-address    Negotiate address with remote
    > next-hop-tunnel      One or more next-hop tunnel tables
      no-neighbor-learn    Disable neighbor address learning on interface
    > sampling             Interface sampling
      unconditional-src-learn  Glean from arp packets even when source cannot be validated
      |                    Pipe through a command

     

    SRX-300 is running 15.1X49, It does not even have the option to configure filters on st0 interface, is FBF only supported on physical interfaces on low end SRXes? I do see "filter" option available on higher end SRX boxes (SRX-5400 running 15.1), but I need to verify the configuration on small SRX boxes in the lab before applying to production boxes.



  • 2.  RE: Filter Based Forwarding support on st0 interface

    Posted 07-31-2017 10:48

    This option appears on my SRX-300 running 15.1X49-D100.

     

    # set interfaces st0.10 family inet filter ?                        
    Possible completions:
    + apply-groups         Groups from which to inherit configuration data
    + apply-groups-except  Don't inherit configuration data from these groups
      group                Group to which interface belongs (1..255)
    > input                Filter to be applied to received packets
    + input-list           List of filter modules applied to received packets
    > output               Filter to be applied to transmitted packets
    + output-list          List of filter modules applied to transmitted packets
    [edit]



  • 3.  RE: Filter Based Forwarding support on st0 interface

    Posted 07-31-2017 11:17

    Cool, thanks, I will upgrade SRX-300, feature parity on the same Junos but different platform is annoying.



  • 4.  RE: Filter Based Forwarding support on st0 interface

    Posted 07-31-2017 18:12

    I upgraded to D100, indeed, I am able to configure the FBF on st0 interface, but unfortunately, the FBF functionality does not work, I need to source based routing with next hop in different routing instances than the routing instance st0 interface is in, when traffic arrives at st0 interface, SRX does route lookup at current routing instance in stead of of in the routing table of egress instance, which of cause will fill, same FBF filter applied on non-st0 interface works perfectly.



  • 5.  RE: Filter Based Forwarding support on st0 interface

    Posted 08-01-2017 01:31

    Hi, 

     

    Firewall filters are not supported on tunnel interfaces. 



  • 6.  RE: Filter Based Forwarding support on st0 interface

    Posted 08-01-2017 08:40
    This is weird, because the CLI was blocked in previous releases, now the filter is configurable, something must have changed.


  • 7.  RE: Filter Based Forwarding support on st0 interface
    Best Answer

    Posted 08-01-2017 13:34

    I am able to get around this limitation by routing incoming traffic on st0 to an external device (a MX) and then hairpin back on physical interface (tagged vlans) via isolated routing instances, traffic flow is convoluted, but it works.