Getting traffic out from VR to inet.0 coming from forwarding-based filter

  • 1.  Getting traffic out from VR to inet.0 coming from forwarding-based filter

    Posted 08-26-2017 11:45

    Hello Everyone

    I was hoping someone could shed some light on the setup I have. I'm trying to force traffic going out from a routing instance (Dirty VRF) with a static default next-table to inet.0 at a higher metric, as a means of backup if it stops receiving default routes from another OSPF neighbor (Clean VRF).


    This is the diagram depicting the network:

     +----------+
     | ISP      |
     |          |                          
     +----------+
         |
         |
         | ACL input
         | redirect to Dirty VRF
     +--------------------------+
     |                          |
     |            +----------+  |
     |            |          |  |                               
     |            |          |  |                               
     |            |   Dirty  |  |          +--------------+     
     |            |   VRF    |  |       in |              |     
     |            |          +-------------+              |     
     |   INET.0   |          |  |          |   Layer 2    |
     |            |          |  |          |   DDOS       |
     |            +----------+  |          |   Scrubber   |
     |                          |          |              |
     |            +----------+  |          |              |
     |            |          |  |          |              |
     |            |          +-------------+              |
     |            |   Clean  |  |       out|              |
     |            |   VRF    |  |          +--------------+
     |            |          |  |
     |            |          |  |
     |            +----------+  |
     +--------------------------+

     

    I could get the routing to work from ISP to Dirty -> Scrubber -> Clean -> inet.0, but whenever the link between Dirty and Clean fails, I can't seem to get the traffic to go out from Dirty to inet.0 this way; any help is appreciated.

    Here is the relevant configuration that I have.

    firewall family inet filter on the ISP-facing interface:

    firewall {
        family inet {
            filter redirect-to-dirty {
                term bypass-bgp-traffic-from-isp {
                    from {
                        address {
                            1.1.1.1/32;
                        }
                    }
                    then accept;
                }
                term all-traffic {
                    then {
                        next-interface {
                            ge-0/0/1.0;
                            routing-instance dirty-vrf;
                        }
                    }
                }
            }
        }
    }

    routing instances configuration

    routing-instances {
        clean-vrf {
            instance-type virtual-router;
            interface ge-0/0/3.0;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-table inet.0;
                    }
                }
            }
            protocols {
                ospf {
                    export default-originate;
                    area 0.0.0.0 {
                        interface ge-0/0/3.0;
                    }
                }
            }
        }
        dirty-vrf {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-table inet.0;
                        preference 200;
                    }
                }
            }
            protocols {
                ospf {
                    area 0.0.0.0 {
                        interface ge-0/0/1.0;
                    }
                }
            }
        }
    }

    Thank you,

    Diyan


    #routinginstances
    #VirtualRouter
    #fbf
    #vrf


  • 2.  RE: Getting traffic out from VR to inet.0 coming from forwarding-based filter
    Best Answer

    Posted 08-26-2017 15:19

    Found the answer; I'm updating this post in case someone finds it useful.

    Changing the forwarding-based filter from using next-interface to next-ip:

    firewall {
        family inet {
            filter redirect-to-dirty {
                term bypass-bgp-traffic-from-isp {
                    from {
                        address {
                            1.1.1.1/32;
                        }
                    }
                    then accept;
                }
                term all-traffic {
                    then {
                        next-ip 3.3.3.3/32 routing-instance dirty-vrf;
                    }
                }
            }
        }
    }

    The 3.3.3.3 IP is the Clean VRF's ge-0/0/3.0 interface facing the Dirty VRF.

    Also, changing next-table to qualified-next-hop 2.2.2.2 (to a logical-tunnel interface paired with the global table, inet.0):

        dirty-vrf {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            interface lt-0/0/10.1;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        qualified-next-hop 2.2.2.2;
                        metric 200;
                    }
                }
            }
            protocols {
                ospf {
                    area 0.0.0.0 {
                        interface ge-0/0/1.0;
                    }
                }
            }
        }

    Reference: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/filter-based-forwarding-policy-based-routing.html#jd0e784
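As an added illustration, not part of the thread or Juniper's own code, of the backup behaviour the first post asks for and the answer configures on the Dirty VRF default route, here is a small Python model of Junos active-route selection. The addresses mirror the thread (3.3.3.3 on the Clean VRF side, 2.2.2.2 the logical-tunnel peer in inet.0); the route table, its functions and the two scenarios are constructed for this example. It uses the Junos default protocol preferences (static 5, OSPF internal 10, OSPF AS-external 150, which is what a default exported into OSPF becomes) and shows that the active route is chosen by preference first, with metric only separating routes of equal preference: a backup static default therefore needs an explicit preference worse than the OSPF default, while a static left at preference 5 stays active no matter how high its metric.

```python
# Added example, not from the forum thread: a small model of Junos active-route
# selection, showing why the Dirty VRF backup default must carry a preference
# worse than the OSPF-learned default it backs up. Routes and addresses are
# constructed to mirror the thread (3.3.3.3 = Clean VRF side, 2.2.2.2 = lt- peer
# in inet.0); protocol preferences are the Junos defaults.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Junos default route preferences (lower wins).
JUNOS_DEFAULT_PREFERENCE = {
    "static": 5,
    "ospf": 10,            # OSPF intra-area / inter-area
    "ospf-external": 150,  # OSPF AS-external, which an exported default becomes
    "bgp": 170,
}


@dataclass
class Route:
    prefix: str
    protocol: str
    next_hop: str
    preference: Optional[int] = None  # None -> protocol default preference
    metric: int = 0

    def effective_preference(self) -> int:
        if self.preference is not None:
            return self.preference
        return JUNOS_DEFAULT_PREFERENCE[self.protocol]


class RoutingTable:
    """One routing-instance table, e.g. dirty-vrf.inet.0 (model only)."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: List[Route] = []

    def add(self, route: Route) -> None:
        self.routes.append(route)

    def withdraw(self, protocol: str, prefix: str) -> None:
        # Simulates the OSPF neighbour going away: its routes leave the table.
        self.routes = [r for r in self.routes
                       if not (r.protocol == protocol and r.prefix == prefix)]

    def active(self, prefix: str) -> Optional[Route]:
        # Junos compares preference first; metric only separates routes that
        # tie on preference (for example two statics with the same preference).
        candidates = [r for r in self.routes if r.prefix == prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: (r.effective_preference(), r.metric))


def build_dirty_vrf(static_preference: Optional[int], static_metric: int) -> RoutingTable:
    """Dirty VRF table with the OSPF default from Clean VRF and a static backup."""
    table = RoutingTable("dirty-vrf.inet.0")
    # Default learned over OSPF from clean-vrf ("export default-originate").
    table.add(Route("0.0.0.0/0", "ospf-external", "3.3.3.3"))
    # Backup default towards inet.0 via the lt- interface (qualified-next-hop).
    table.add(Route("0.0.0.0/0", "static", "2.2.2.2",
                    preference=static_preference, metric=static_metric))
    return table


def active_default(table: RoutingTable) -> Optional[Tuple[str, str]]:
    """Return (protocol, next-hop) of the active 0.0.0.0/0, or None."""
    route = table.active("0.0.0.0/0")
    return None if route is None else (route.protocol, route.next_hop)


def failover_sequence(static_preference: Optional[int],
                      static_metric: int) -> List[Optional[Tuple[str, str]]]:
    """Active default before and after the OSPF neighbour (Clean VRF) disappears."""
    table = build_dirty_vrf(static_preference, static_metric)
    before = active_default(table)
    table.withdraw("ospf-external", "0.0.0.0/0")
    after = active_default(table)
    return [before, after]


if __name__ == "__main__":
    # Static default with preference 200 (as in the first post): OSPF wins
    # while Clean VRF advertises a default, the static takes over when it stops.
    print("preference 200:", failover_sequence(200, 0))
    # Static default left at its default preference 5 with only a metric of 200:
    # it is preferred over the OSPF default even while Clean VRF is healthy.
    print("metric 200 only:", failover_sequence(None, 200))
```

Running the block prints the active default for both scenarios; the first keeps the OSPF route active until it is withdrawn, the second shows the static default winning from the start. To verify on a real box, `show route 0.0.0.0/0 table dirty-vrf.inet.0` lists both candidates with their preference values and marks the active one with an asterisk.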