Routing

Hi all,

i configured PBR for traffic from one of our ISPs but the CPU of the router spiked to 100%.

 

the configurationg:

 

Hi amiri,

Firstly, please ensure if the CPU spike is for "rpd" process from "show processes extensive | except 0.00". If yes, then you're probably right about the route leaking be the actual cause of the CPU spike.

With regards to your query about leaking specific routes to inet.0 from routing-instance, please try to apply an import policy. Something like the following:

set routing-options interface-routes rib-group inet FBF-rib
set routing-options rib-groups FBF-rib import-rib inet.0
set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
set routing-options rib-groups FBF-rib-import import-policy webtraffic_to_inet

set policy-options policy-statement webtraffic_to_inet term allow from route-filter 1.1.1.1/32 exact
set policy-options policy-statement webtraffic_to_inet term allow from route-filter 2.2.2.0/24 exact
set policy-options policy-statement webtraffic_to_inet term allow then accept
set policy-options policy-statement webtraffic_to_inet term deny-all then reject

There are other ways to allow specific protocol routes, for example: https://www.juniper.net/documentation/en_US/junos/topics/example/policy-duplicating-routes.html. However, believe the import-policy above might serve your purpose here.

Hope this helps. Please let me know.

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Hi, ill try your solution but can i also use import policy from the inet.0 for the next hop (that have direct connected intrface) to the routing-instance?

 

something like:

 

set  policy-options policy-statement XXX term 20 from protocol dirct connect
set  policy-options policy-statement XXX term 20 from prefix-list NEXT-HOP
set  policy-options policy-statement XXX term 20 then accept

set  policy-options policy-statement XXX then reject

 

set policy-options prefix-list NEXT-HOP 192.0.2.2/32

 

set  routing-options rib-groups FBF-rib import-rib inet.0 import-policy XXX

 

ANOTHER QUESTION HOW CAN I SEE THE ROUTING TABLE OF THE ROUTING INSTANCE ??

the routing table is under logical-system.

Hi amiri,

 

The import policy should be applied on the target routing-table.  In your case, since importing "from" inet.0, you'd apply the policy to the routing-instance.  Note that the format of rib-groups config is:

set  routing-options rib-groups FBF-rib import-rib <source-rib> <destination-rib>

 

Another way to do this is using "instance-import" and apply a routing-policy.  See example here:

https://kb.juniper.net/InfoCenter/index?page=content&id=KB19860&cat=EX_SERIES&actp=LIST

 

"ANOTHER QUESTION HOW CAN I SEE THE ROUTING TABLE OF THE ROUTING INSTANCE ??
the routing table is under logical-system."

You can check routing table as follows:
show route logical-system <logical-system-name> table <routing_instance_name.inet (or inet6.0)>

 

Hope this helps.

 

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Hi,

sorry if i miss undrestand you,

i tried to configure the routing instance like the link that you attached:

 

fillter configuration:

set firewall family inet filter webFilter term 1 from source-port http 
set firewall family inet filter webFilter term 1 from source-port https
set firewall family inet filter webFilter term 1 from destination-port 40000-41000
set firewall family inet filter webFilter term 1 from destination-address 10.0.0.0/24
set firewall family inet filter webFilter term 1 then routing-instance webtraffic
set firewall family inet filter webFilter term 2 then accept

the routing instance:
set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
set routing-instances webtraffic instance-type forwarding

set routing-instances webtraffic routing-options instance-import webtraffic-Policy

 

policy:

set  policy-options policy-statement webtraffic-Policy term 20 from protocol direct
set  policy-options policy-statement webtraffic-Policy term 20 from route-filter 192.0.2.0/29 exact
set  policy-options policy-statement webtraffic-Policy term 20 then accept
set  policy-options policy-statement webtraffic-Policy then reject

 

and i still dont see anything on the routing table of the instance:

 

>show route table webtraffic.inet

nothing

 

and still the rpd is is up to 90%.

 

just to be clear again, my goal is that the packet that arrive to the "routing-instances webtraffic" will know how to arrive the next hop 192.0.2.2 (the 192.0.2.2 has direct interface on the router with the ip of 192.0.2.1/29).

 

sorry if im not getting you right.

 

 

 

 

Hi amiri,

 

In the config you shared, could you please try to add this line: 
set  policy-options policy-statement webtraffic-Policy term 20 from instance master

before

set  policy-options policy-statement webtraffic-Policy term 20 from protocol direct

 

This should get direct rout and default route to resolve and show up in the routing instance.   

 

Hope this helps.

 

Regards,
-r.

--------------------------------------------------

If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated :).

Hi mriyaz,

tahnk you very much for your help ...the working configuration is almost like i configured at the begining.

 

the final configuration is: