Routing


fbf and DPI

  • 1.  fbf and DPI

    Posted 12-12-2020 12:00
    Diagram attached. With this setting, ping from 10.0.0.9 to 10.0.0.2 does not work. Is it necessary to register a static ARP on the ge-0/0/0 interface with the address of 0/0/3? What am I doing wrong? P.S. The switch on the diagram acts as DPI.
    vMX1:
     
    set version 14.1R4.8
    set system host-name vMX1
    set system root-authentication encrypted-password "$1$LsD0vFcK$889QeMY2qw2vnPIn2sn9K1"
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set interfaces ge-0/0/0 unit 0 family inet no-redirects
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.13/30
    set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.25/30
    set interfaces ge-0/0/2 unit 0 family inet filter input FBF
    set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.10/30
    set interfaces ge-0/0/3 unit 0 family inet no-redirects
    set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.14/30
    set routing-options static route 0.0.0.0/0 next-hop 10.0.0.26
    set firewall family inet filter FBF term 1 from source-address 10.0.0.9/32
    set firewall family inet filter FBF term 1 then next-interface ge-0/0/0.0
    set firewall family inet filter FBF term 2 then accept
    

    vMX2:
     
    set version 14.1R4.8
    set system root-authentication encrypted-password "$1$yKxqrbDR$KaIRUbM80DUceS50utnTp."
    set system syslog user * any emergency
    set system syslog file messages any notice
    set system syslog file messages authorization info
    set system syslog file interactive-commands interactive-commands any
    set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.26/30
    set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/30
    set routing-options static route 10.0.0.8/30 next-hop 10.0.0.13
    set routing-options static route 10.0.0.8/30 next-hop 10.0.0.25
    


  • 2.  RE: fbf and DPI

    Posted 12-12-2020 17:19
    This is the correct diagram:



  • 3.  RE: fbf and DPI
    Best Answer

     
    Posted 12-12-2020 23:41
    Try configuring one of these:

    - make ge-0/0/0 interface a point-to-point
    - use then next-ip instead of next-interface in the firewall filter
    - create a forwarding instance, and add interface ge-0/0/0 and use then routing-instance

    Regards, 

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 4.  RE: fbf and DPI

     
    Posted 12-12-2020 23:46
    For the last option, the routing-instance will need a static route.

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------



  • 5.  RE: fbf and DPI

    Posted 12-13-2020 12:29
    My config is now the following:

    set interfaces ge-0/0/0 unit 0 family inet no-redirects
    set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.13/30
    set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.25/30
    set interfaces ge-0/0/2 unit 0 family inet filter input FBF
    set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.10/30
    set interfaces ge-0/0/3 unit 0 family inet no-redirects
    set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.14/30
    set routing-options static route 0.0.0.0/0 next-hop 10.0.0.26
    set firewall family inet filter FBF term 1 from source-address 10.0.0.9/32
    set firewall family inet filter FBF term 1 then next-interface ge-0/0/0.0
    set firewall family inet filter FBF term 1 then next-interface routing-instance DPI
    set firewall family inet filter FBF term 2 then accept
    set routing-instances DPI instance-type virtual-router
    set routing-instances DPI interface ge-0/0/0.0
    set routing-instances DPI routing-options static route 0.0.0.0/0 next-hop 10.0.0.14
    

    It works. Is this config correct and best practice? And how can I make the ge-0/0/0 interface a point-to-point? Thank you.



  • 6.  RE: fbf and DPI

     
    Posted 12-13-2020 22:24
    Sorry! Changing the interface to point-to-point is actually not an option in this case. 

    Regards,

    ------------------------------
    Yasmin Lara
    Juniper Ambassador
    JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
    JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
    ------------------------------
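
A consistency check for the routing-instance approach from posts 3 to 5, as an added example that is not part of any post in this thread: it reads `set`-format configuration and verifies that each routing instance a firewall filter steers traffic into has an interface and a static route whose next hop sits on one of that instance's subnets. The function name `check_fbf` and the sample input are constructed for illustration, and the subnet check goes beyond what the replies state.

```python
import ipaddress
import re

# Constructed sample: the FBF-related lines of the configuration in post 5.
CONFIG = """\
set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.13/30
set interfaces ge-0/0/2 unit 0 family inet filter input FBF
set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.10/30
set firewall family inet filter FBF term 1 from source-address 10.0.0.9/32
set firewall family inet filter FBF term 1 then next-interface ge-0/0/0.0
set firewall family inet filter FBF term 1 then next-interface routing-instance DPI
set firewall family inet filter FBF term 2 then accept
set routing-instances DPI instance-type virtual-router
set routing-instances DPI interface ge-0/0/0.0
set routing-instances DPI routing-options static route 0.0.0.0/0 next-hop 10.0.0.14
"""

def check_fbf(config):
    """Return problems in the routing instances that firewall filters steer into."""
    text = "\n".join(line.strip() for line in config.splitlines())
    find = lambda pattern: re.findall(pattern, text, re.M)
    # Logical interface -> connected network, e.g. ge-0/0/0.0 -> 10.0.0.12/30
    nets = {f"{ifd}.{unit}": ipaddress.ip_interface(addr).network
            for ifd, unit, addr in find(
                r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")}
    problems = []
    for flt, term, inst in find(r"^set firewall family inet filter (\S+) term (\S+)"
                                r" then .*\brouting-instance (\S+)$"):
        where = f"filter {flt} term {term}"
        ri = rf"^set routing-instances {re.escape(inst)} "
        members = find(ri + r"interface (\S+)$")
        hops = find(ri + r"routing-options static route \S+ next-hop ([\d.]+)$")
        applied = rf"^set interfaces \S+ unit \d+ family inet filter input {re.escape(flt)}$"
        if not find(applied):
            problems.append(f"{where}: filter is not applied as an input filter")
        if not members:
            problems.append(f"{where}: instance {inst} has no interface")
        if not hops:
            problems.append(f"{where}: instance {inst} has no static route")
        for hop in hops:
            # The next hop must be reachable over an interface inside the instance.
            connected = [nets[m] for m in members if m in nets]
            if not any(ipaddress.ip_address(hop) in net for net in connected):
                problems.append(f"{where}: next-hop {hop} is not on a subnet of {inst}")
    return problems

if __name__ == "__main__":
    for problem in check_fbf(CONFIG) or ["no problems found"]:
        print(problem)
```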