Routing


Default Route Setup With Multiple Internets

  • 1.  Default Route Setup With Multiple Internets

    Posted 06-19-2018 07:47

    Hello,

    I need to force a couple of sections of my network to use one firewall instead of the primary. We use the EX series L3 switches as the router at most properties. They handle OSPF routing as well as statics. The current setup for each has a default static route to firewall B on the attached diagram. At property A on the diagram I have set their default route to go to firewall C; however, it still is routing out of B. I have used the resolve command for all next hops that are not directly connected. Does anyone have an idea why it won't route to the desired firewall C?

    Internet Drawing 2.jpg



  • 2.  RE: Default Route Setup With Multiple Internets
    Best Answer

    Posted 06-19-2018 09:27

    All routing decisions are made locally, so when site A traffic reaches the other switches, it will follow the best routing path at that point. If all traffic from site A needs to exit the network to Internet C, you'll need to configure filter-based forwarding at the point where the flows split - in this case, the center switch 10.20.30.254.


    https://www.juniper.net/documentation/en_US/junos/topics/concept/firewall-filter-option-filter-based-forwarding-overview.html



  • 3.  RE: Default Route Setup With Multiple Internets

    Posted 06-19-2018 10:08

    Thanks Louis,


    That makes sense with what I'm seeing. I'll work on applying the Filter-Based Forwarding to my scenario and update with results. I gather that will take three main steps: 1. Configure the separate routing instance. 2. Configure the firewall filter that catches the traffic of interest and redirects it to the separate routing instance. 3. Apply the filter to the interface carrying the traffic of interest inbound on the 10.20.30.254 switch?


    Sound about right?



  • 4.  RE: Default Route Setup With Multiple Internets

    Posted 06-19-2018 12:40

    All that looks good, but you'll also need to configure a RIB group so that any interface routes (and probably also your OSPF domain) get imported from the default inet.0 table into your FBF routing instance. That way any traffic from site A destined for somewhere other than Internet C still has reachability. If you look at the example at https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-option-filter-based-forwarding-example.html, I believe that device P1 should be very similar to what you're looking for.


    And make sure to remember a default 'allow' at the end of your firewall policy, otherwise you'll drop all the other traffic.
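    The three steps from reply 3, plus the RIB group and the trailing accept term from reply 4, as one worked Junos set-style configuration for the center switch 10.20.30.254. This is an added example, not configuration posted by anyone in the thread or taken from the Juniper documentation it links. The site A prefix (192.0.2.0/24), the firewall C next hop (203.0.113.1), the ingress L3 interface (irb.100) and all instance/filter/RIB-group names are placeholders, since the thread does not give them; substitute the real values from your diagram.

```junos
## Added example (not from the thread): filter-based forwarding on the
## center EX switch 10.20.30.254. Traffic sourced from site A is pushed
## out through firewall C; every other flow keeps its normal routing.
## Placeholders (not from the thread): site A = 192.0.2.0/24,
## firewall C next hop = 203.0.113.1, ingress interface = irb.100.

## Step 1: a forwarding instance whose only own route is a default via firewall C
set routing-instances TO-FW-C instance-type forwarding
set routing-instances TO-FW-C routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

## RIB group (reply 4): copy inet.0's interface routes and OSPF routes into
## the new instance. Without this, site A loses reachability to every
## internal destination, and the 203.0.113.1 next hop may not resolve.
## The primary table (inet.0) must be listed first in import-rib.
set routing-options rib-groups FBF-RIB import-rib [ inet.0 TO-FW-C.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RIB
set protocols ospf rib-group FBF-RIB

## Step 2: the filter. First term matches site A sources and hands them
## to the forwarding instance (a counter is added so hits are visible).
## The last term accepts everything else; a Junos filter ends in an
## implicit discard, so leaving it out black-holes all other traffic
## entering this interface.
set firewall family inet filter FBF-SITE-A term from-site-a from source-address 192.0.2.0/24
set firewall family inet filter FBF-SITE-A term from-site-a then count site-a-to-fw-c
set firewall family inet filter FBF-SITE-A term from-site-a then routing-instance TO-FW-C
set firewall family inet filter FBF-SITE-A term everything-else then accept

## Step 3: apply the filter inbound on the interface that receives site A's traffic
set interfaces irb unit 100 family inet filter input FBF-SITE-A

## Verification (operational mode, after commit):
##   show route table TO-FW-C.inet.0    -- expect 0.0.0.0/0 via 203.0.113.1 plus imported routes
##   show firewall filter FBF-SITE-A    -- the site-a-to-fw-c counter should increase
```

Two points worth keeping in mind when adapting this: the filter only steers packets that arrive on the interface it is applied to, so site A traffic entering the center switch anywhere else still follows inet.0; and because the match is on source address only, every destination from site A (internal ones included) is looked up in TO-FW-C.inet.0, which is exactly why the imported interface and OSPF routes matter. Older EX platforms name the routed VLAN interface vlan.100 rather than irb.100; the rest of the configuration is unchanged.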