Routing


Getting traffic out from VR to inet.0 coming from forwarding-based filter

  • 1.  Getting traffic out from VR to inet.0 coming from forwarding-based filter

    Posted 08-26-2017 11:45

    Hello Everyone

     

    I was hoping someone could shed some light on the setup that I have. I'm trying to force traffic out of a routing instance (Dirty VRF) with a static default next-table to inet.0 on a higher metric, as a means of backup if it stops receiving default routes from another OSPF neighbor (Clean VRF).

     

    This is the diagram depicting the network

     

     

     +----------+
     | ISP      |
     |          |                          
     +----------+
         |
         |
         | ACL input
         | redirect to Dirty VRF
     +--------------------------+
     |                          |
     |            +----------+  |
     |            |          |  |                               
     |            |          |  |                               
     |            |   Dirty  |  |          +--------------+     
     |            |   VRF    |  |       in |              |     
     |            |          +-------------+              |     
     |   INET.0   |          |  |          |   Layer 2    |
     |            |          |  |          |   DDOS       |
     |            +----------+  |          |   Scrubber   |
     |                          |          |              |
     |            +----------+  |          |              |
     |            |          |  |          |              |
     |            |          +-------------+              |
     |            |   Clean  |  |       out|              |
     |            |   VRF    |  |          +--------------+
     |            |          |  |
     |            |          |  |
     |            +----------+  |
     +--------------------------+

     

    I could get the routing to work from ISP to Dirty -> Scrubber -> Clean -> inet.0, but whenever the links between Dirty and Clean fail, I can't seem to get the traffic to go out from Dirty to inet.0 this way. Any help is appreciated.

     

    Here is the relevant configuration that I have.

     

    firewall family inet filter on the ISP facing interface

     

    firewall {
        family inet {
            filter redirect-to-dirty {
                term bypass-bgp-traffic-from-isp {
                    from {
                        address {
                            1.1.1.1/32;
                        }
                    }
                    then accept;
                }
                term all-traffic {
                    then {
                        next-interface {
                            ge-0/0/1.0;
                            routing-instance dirty-vrf;
                        }
                    }
                }
            }
        }
    }

    routing instances configuration

    routing-instances {
        clean-vrf {
            instance-type virtual-router;
            interface ge-0/0/3.0;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-table inet.0;
                    }
                }
            }
            protocols {
                ospf {
                    export default-originate;
                    area 0.0.0.0 {
                        interface ge-0/0/3.0;
                    }
                }
            }
        }
        dirty-vrf {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        next-table inet.0;
                        preference 200;
                    }
                }
            }
            protocols {
                ospf {
                    area 0.0.0.0 {
                        interface ge-0/0/1.0;
                    }
                }
            }
        }
    }

     

     

    Thank you,

    Diyan


    #routinginstances
    #VirtualRouter
    #fbf
    #vrf


  • 2.  RE: Getting traffic out from VR to inet.0 coming from forwarding-based filter
    Best Answer

    Posted 08-26-2017 15:19

    Found the answer; I'm updating this post in case someone finds it useful.

     

    Changing the forwarding-based filter from using next-interface to next-ip.

     

    firewall {
        family inet {
            filter redirect-to-dirty {
                term bypass-bgp-traffic-from-isp {
                    from {
                        address {
                            1.1.1.1/32;
                        }
                    }
                    then accept;
                }
                term all-traffic {
                    then {
                        next-ip 3.3.3.3/32 routing-instance dirty-vrf;
                    }
                }
            }
        }
    }

     

    The 3.3.3.3 IP is the Clean VRF ge-0/0/3.0 facing Dirty VRF.

     

    Also changing the next-table into qualified-next-hop 2.2.2.2 (to a logical-tunnel interface with global)

     

        dirty-vrf {
            instance-type virtual-router;
            interface ge-0/0/1.0;
            interface lt-0/0/10.1;
            routing-options {
                static {
                    route 0.0.0.0/0 {
                        qualified-next-hop 2.2.2.2;
                        metric 200;
                    }
                }
            }
            protocols {
                ospf {
                    area 0.0.0.0 {
                        interface ge-0/0/1.0;
                    }
                }
            }
        }

     

     

    Reference: 

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/filter-based-forwarding-policy-based-routing.html#jd0e784
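
The answer above places lt-0/0/10.1 in dirty-vrf and points the backup default at 2.2.2.2, but does not show the logical-tunnel pair itself. The following is an added sketch, not configuration from the original post. The peer unit number (0), the /30 mask, the dirty-vrf side address 2.2.2.1 and the ethernet encapsulation are assumptions; only lt-0/0/10.1 and 2.2.2.2 come from the thread.

```junos
interfaces {
    lt-0/0/10 {
        /* Assumed: unit 0 stays in the global instance (inet.0) and owns 2.2.2.2 */
        unit 0 {
            encapsulation ethernet;
            peer-unit 1;
            family inet {
                address 2.2.2.2/30;
            }
        }
        /* Unit 1 is the end listed under routing-instances dirty-vrf */
        unit 1 {
            encapsulation ethernet;
            peer-unit 0;
            family inet {
                /* Assumed address; any host in the same subnet as 2.2.2.2 works */
                address 2.2.2.1/30;
            }
        }
    }
}
```

With the Dirty-Clean path down, `show route table dirty-vrf.inet.0 0.0.0.0/0` shows which default route is active in the instance.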