Routing


PBR without the whole routing table

  • 1.  PBR without the whole routing table

    Posted 02-17-2019 07:44

    Hi all,

    I configured PBR for traffic from one of our ISPs, but the CPU of the router spiked to 100%.

    The configuration:

    set interfaces fe-0/0/0 unit 0 family inet filter input webFilter

    Filter configuration:
    set firewall family inet filter webFilter term 1 from source-port http
    set firewall family inet filter webFilter term 1 from source-port https
    set firewall family inet filter webFilter term 1 from destination-port 40000-41000
    set firewall family inet filter webFilter term 1 from destination-address 10.0.0.0/24
    set firewall family inet filter webFilter term 1 then routing-instance webtraffic
    set firewall family inet filter webFilter term 2 then accept

    The routing instance:
    set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
    set routing-instances webtraffic instance-type forwarding

    set routing-options interface-routes rib-group inet FBF-rib
    set routing-options rib-groups FBF-rib import-rib inet.0
    set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0

    My problem now is that the whole IPv4 routing table of the router is shared with webtraffic.inet.0, and the CPU increases to 100%.

    How can I configure only specific prefixes to be shared from the global RT (inet.0) to the webtraffic.inet.0 table?


  • 2.  RE: PBR without the whole routing table

     
    Posted 02-17-2019 08:47
    Hi amiri,

    Firstly, please check whether the CPU spike is for the "rpd" process using "show processes extensive | except 0.00". If yes, then you're probably right about the route leaking being the actual cause of the CPU spike.

    With regards to your query about leaking specific routes to inet.0 from routing-instance, please try to apply an import policy. Something like the following:

    set routing-options interface-routes rib-group inet FBF-rib
    set routing-options rib-groups FBF-rib import-rib inet.0
    set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0
    set routing-options rib-groups FBF-rib import-policy webtraffic_to_inet

    set policy-options policy-statement webtraffic_to_inet term allow from route-filter 1.1.1.1/32 exact
    set policy-options policy-statement webtraffic_to_inet term allow from route-filter 2.2.2.0/24 exact
    set policy-options policy-statement webtraffic_to_inet term allow then accept
    set policy-options policy-statement webtraffic_to_inet term deny-all then reject

    There are other ways to allow specific protocol routes, for example: https://www.juniper.net/documentation/en_US/junos/topics/example/policy-duplicating-routes.html. However, I believe the import-policy above might serve your purpose here.

    Hope this helps. Please let me know.

    Regards,
    -r.

    --------------------------------------------------

    If this solves your problem, please mark this post as "Accepted Solution."
    Kudos are always appreciated :).


  • 3.  RE: PBR without the whole routing table

    Posted 02-17-2019 23:39

    Hi, I'll try your solution, but can I also use an import policy from inet.0 for the next hop (which has a directly connected interface) to the routing-instance?

    Something like:

    set policy-options policy-statement XXX term 20 from protocol direct
    set policy-options policy-statement XXX term 20 from prefix-list NEXT-HOP
    set policy-options policy-statement XXX term 20 then accept

    set policy-options policy-statement XXX then reject

    set policy-options prefix-list NEXT-HOP 192.0.2.2/32

    set routing-options rib-groups FBF-rib import-rib inet.0 import-policy XXX

     

    ANOTHER QUESTION HOW CAN I SEE THE ROUTING TABLE OF THE ROUTING INSTANCE ??

    the routing table is under logical-system.



  • 4.  RE: PBR without the whole routing table

     
    Posted 02-18-2019 01:07

    Hi amiri,

     

    The import policy should be applied on the target routing-table.  In your case, since importing "from" inet.0, you'd apply the policy to the routing-instance.  Note that the format of rib-groups config is:

    set  routing-options rib-groups FBF-rib import-rib <source-rib> <destination-rib>

     

    Another way to do this is using "instance-import" and apply a routing-policy.  See example here:

    https://kb.juniper.net/InfoCenter/index?page=content&id=KB19860&cat=EX_SERIES&actp=LIST

     

    "ANOTHER QUESTION HOW CAN I SEE THE ROUTING TABLE OF THE ROUTING INSTANCE ??
    the routing table is under logical-system."

    You can check routing table as follows:
    show route logical-system <logical-system-name> table <routing_instance_name.inet (or inet6.0)>

     

    Hope this helps.

     

    Regards,
    -r.




  • 5.  RE: PBR without the whole routing table

    Posted 02-18-2019 03:08

    Hi,

    Sorry if I misunderstood you.

    I tried to configure the routing instance like the link that you attached:

    Filter configuration:

    set firewall family inet filter webFilter term 1 from source-port http
    set firewall family inet filter webFilter term 1 from source-port https
    set firewall family inet filter webFilter term 1 from destination-port 40000-41000
    set firewall family inet filter webFilter term 1 from destination-address 10.0.0.0/24
    set firewall family inet filter webFilter term 1 then routing-instance webtraffic
    set firewall family inet filter webFilter term 2 then accept

    The routing instance:
    set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
    set routing-instances webtraffic instance-type forwarding

    set routing-instances webtraffic routing-options instance-import webtraffic-Policy

    Policy:

    set policy-options policy-statement webtraffic-Policy term 20 from protocol direct
    set policy-options policy-statement webtraffic-Policy term 20 from route-filter 192.0.2.0/29 exact
    set policy-options policy-statement webtraffic-Policy term 20 then accept
    set policy-options policy-statement webtraffic-Policy then reject

    And I still don't see anything in the routing table of the instance:

    >show route table webtraffic.inet

    nothing

    And rpd is still up to 90%.

    Just to be clear again, my goal is that packets arriving in the "routing-instances webtraffic" will know how to reach the next hop 192.0.2.2 (192.0.2.2 is on a directly connected interface of the router, whose IP is 192.0.2.1/29).

    Sorry if I'm not getting you right.



  • 6.  RE: PBR without the whole routing table

     
    Posted 02-18-2019 03:26

    Hi amiri,

     

    In the config you shared, could you please try to add this line: 
    set  policy-options policy-statement webtraffic-Policy term 20 from instance master

    before

    set  policy-options policy-statement webtraffic-Policy term 20 from protocol direct

     

    This should get the direct route and the default route to resolve and show up in the routing instance.

     

    Hope this helps.

     

    Regards,
    -r.




  • 7.  RE: PBR without the whole routing table
    Best Answer

    Posted 02-18-2019 03:59

    Hi

    set interfaces fe-0/0/0 unit 0 family inet filter input webFilter 
     
    set firewall family inet filter webFilter term 1 from source-port http 
    set firewall family inet filter webFilter term 1 from source-port https
    set firewall family inet filter webFilter term 1 from destination-port 40000-41000
    set firewall family inet filter webFilter term 1 from destination-address 10.0.0.0/24
    set firewall family inet filter webFilter term 1 then routing-instance webtraffic
    set firewall family inet filter webFilter term 2 then accept
     
    set routing-instances webtraffic routing-options static route 0.0.0.0/0 next-hop 192.0.2.2
    set routing-instances webtraffic instance-type forwarding
     
    set routing-options interface-routes rib-group inet FBF-rib 
    set routing-options rib-groups FBF-rib import-rib inet.0
    set routing-options rib-groups FBF-rib import-rib webtraffic.inet.0 
    set routing-options rib-groups FBF-rib import-policy WEB
     
    set policy-options policy-statement WEB term 20 from route-filter 192.0.2.0/29 exact
    set policy-options policy-statement WEB term 20 then accept
    set policy-options policy-statement WEB term 40 then reject
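As an added illustration (not code from this thread, from Juniper, or from Junos itself), the following Python model shows what the rib-group import-policy in the accepted answer, and the `webtraffic_to_inet` policy suggested earlier in the thread, actually change: without an import-policy every inet.0 route is copied into webtraffic.inet.0 (the behaviour the original poster saw loading rpd), and with policy WEB only the directly connected 192.0.2.0/29 is copied, which is all the instance's static default route needs to resolve its next hop 192.0.2.2. The inet.0 contents, the route-filter match semantics (one route-filter per term), and the `default_accept` fall-through are assumptions of the model and are labelled as such in the code.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    protocol: str                          # "direct", "static", "bgp", ...
    next_hop: Optional[IPv4Address] = None


def route_filter_match(prefix: IPv4Network, filt: IPv4Network, match_type: str) -> bool:
    """Junos route-filter match types; the thread only uses 'exact'."""
    if match_type == "exact":
        return prefix == filt
    if match_type == "orlonger":
        return prefix.subnet_of(filt)
    if match_type == "longer":
        return prefix != filt and prefix.subnet_of(filt)
    raise ValueError(f"unsupported route-filter match type: {match_type}")


def term_matches(term: dict, route: Route) -> bool:
    """A term matches when every 'from' condition kind matches; within one kind
    any listed value suffices. Modelling simplification: Junos picks the
    longest-matching route-filter among several in one term; with a single
    route-filter per term, as in the thread, the behaviour is identical."""
    conds = term.get("from", {})
    if "protocol" in conds and route.protocol not in conds["protocol"]:
        return False
    if "route-filter" in conds and not any(
        route_filter_match(route.prefix, ip_network(p), mt) for p, mt in conds["route-filter"]
    ):
        return False
    return True


def evaluate_policy(policy: list, route: Route, default_accept: bool = False) -> bool:
    """Terms are evaluated in order; the first matching term decides.
    default_accept is this model's assumption for a route no term matches;
    every policy in the thread ends with an explicit reject, so it is never hit."""
    for term in policy:
        if term_matches(term, route):
            return term["then"] == "accept"
    return default_accept


def leak_routes(source_rib: list, policy: Optional[list] = None) -> list:
    """rib-group import: copy each source-RIB route the import-policy accepts.
    policy=None models the original configuration, which had no import-policy."""
    return [r for r in source_rib if policy is None or evaluate_policy(policy, r)]


def resolve(rib: list, address: IPv4Address) -> Optional[Route]:
    """Longest-prefix match of an address in a RIB."""
    candidates = [r for r in rib if address in r.prefix]
    return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


# Constructed inet.0 contents (documentation prefixes, not a real table).
INET0 = [
    Route(ip_network("192.0.2.0/29"), "direct"),                            # link to 192.0.2.2; router is .1
    Route(ip_network("10.0.0.0/24"), "direct"),                             # LAN behind fe-0/0/0
    Route(ip_network("0.0.0.0/0"), "static", ip_address("203.0.113.1")),   # default via the other ISP
    Route(ip_network("198.51.100.0/24"), "bgp", ip_address("203.0.113.1")),
    Route(ip_network("203.0.113.0/24"), "bgp", ip_address("203.0.113.1")),
]

# policy-statement WEB from the accepted answer, expressed as data.
WEB_POLICY = [
    {"from": {"route-filter": [("192.0.2.0/29", "exact")]}, "then": "accept"},  # term 20
    {"then": "reject"},                                                          # term 40
]

# The forwarding instance's own static default route (next-hop 192.0.2.2).
WEBTRAFFIC_STATIC = Route(ip_network("0.0.0.0/0"), "static", ip_address("192.0.2.2"))


def webtraffic_rib(policy: Optional[list]) -> list:
    """webtraffic.inet.0 = the instance's own static route + what the rib-group leaks."""
    return [WEBTRAFFIC_STATIC] + leak_routes(INET0, policy)


def default_route_resolves(rib: list) -> bool:
    """The static default is usable only if its next hop resolves via a route
    more specific than a default; a default resolving only through itself
    does not count."""
    via = resolve(rib, WEBTRAFFIC_STATIC.next_hop)
    return via is not None and via.prefix.prefixlen > 0


if __name__ == "__main__":
    for label, pol in (("no import-policy", None), ("import-policy WEB", WEB_POLICY)):
        rib = webtraffic_rib(pol)
        print(f"{label}: {len(rib) - 1} route(s) leaked from inet.0, "
              f"next-hop 192.0.2.2 resolves: {default_route_resolves(rib)}")
```

Running it prints one line per scenario: the unfiltered rib-group copies all five constructed inet.0 routes, while WEB copies exactly one, and in both cases 192.0.2.2 resolves through the leaked /29. A policy that leaks nothing (for example a lone reject term, or a route-filter that does not match the connected prefix) leaves the instance's default route resolving only through itself, which is the "nothing" state to check for with the show route command given earlier in the thread.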