fbf and DPI

View Only

Back to discussions

Expand all | Collapse all

Jump to Best Answer

1. fbf and DPI

0 Recommend
xamza1412
Posted 12-12-2020 12:00
| view attached

Reply Reply Privately

Mark As Inappropriate
Diagram attached. With this setting, ping from 10.0.0.9 to 10.0.0.2 does not work, is it necessary to register a static arp on the ge-0/0/0 interface with the address of 0/0/3? what am I doing wrong? P.S. switch on the diagram act as DPI
vMX1:

set version 14.1R4.8 set system host-name vMX1 set system root-authentication encrypted-password "$1$LsD0vFcK$889QeMY2qw2vnPIn2sn9K1" set system syslog user * any emergency set system syslog file messages any notice set system syslog file messages authorization info set system syslog file interactive-commands interactive-commands any set interfaces ge-0/0/0 unit 0 family inet no-redirects set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.13/30 set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.25/30 set interfaces ge-0/0/2 unit 0 family inet filter input FBF set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.10/30 set interfaces ge-0/0/3 unit 0 family inet no-redirects set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.14/30 set routing-options static route 0.0.0.0/0 next-hop 10.0.0.26 set firewall family inet filter FBF term 1 from source-address 10.0.0.9/32 set firewall family inet filter FBF term 1 then next-interface ge-0/0/0.0 set firewall family inet filter FBF term 2 then accept

vMX2:

set version 14.1R4.8 set system root-authentication encrypted-password "$1$yKxqrbDR$KaIRUbM80DUceS50utnTp." set system syslog user * any emergency set system syslog file messages any notice set system syslog file messages authorization info set system syslog file interactive-commands interactive-commands any set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.26/30 set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.1/30 set routing-options static route 10.0.0.8/30 next-hop 10.0.0.13 set routing-options static route 10.0.0.8/30 next-hop 10.0.0.25
Reason for Moderation

Describe the reason this content should be moderated (required)

NOTE: This post has an associated attachment. Until approval, both the post and the attachment will not be viewable to others.
2. RE: fbf and DPI

0 Recommend
xamza1412
Posted 12-12-2020 17:19

Reply Reply Privately

Mark As Inappropriate
its correct diagram :

Original Message
Reason for Moderation

Describe the reason this content should be moderated (required)
3. RE: fbf and DPI
Best Answer

0 Recommend
ylara
Posted 12-12-2020 23:41

Reply Reply Privately

Mark As Inappropriate
Try configuring one of these:

- make ge-0/0/0 interface a point-to-point
- use then next-ip instead of next-interface in the firewall filter
- create a forwarding instance, and add interface ge-0/0/0 and use then routing-instance.

Regards,

------------------------------
Yasmin Lara
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
------------------------------

Original Message
Reason for Moderation

Describe the reason this content should be moderated (required)
4. RE: fbf and DPI

0 Recommend
ylara
Posted 12-12-2020 23:46

Reply Reply Privately

Mark As Inappropriate
For the last option, the routing-instance will need a static route.

------------------------------
Yasmin Lara
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
------------------------------

Original Message
Reason for Moderation

Describe the reason this content should be moderated (required)
5. RE: fbf and DPI

0 Recommend
xamza1412
Posted 12-13-2020 12:29

Reply Reply Privately

Mark As Inappropriate
my config now following :

set interfaces ge-0/0/0 unit 0 family inet no-redirects set interfaces ge-0/0/0 unit 0 family inet address 10.0.0.13/30 set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.25/30 set interfaces ge-0/0/2 unit 0 family inet filter input FBF set interfaces ge-0/0/2 unit 0 family inet address 10.0.0.10/30 set interfaces ge-0/0/3 unit 0 family inet no-redirects set interfaces ge-0/0/3 unit 0 family inet address 10.0.0.14/30 set routing-options static route 0.0.0.0/0 next-hop 10.0.0.26 set firewall family inet filter FBF term 1 from source-address 10.0.0.9/32 set firewall family inet filter FBF term 1 then next-interface ge-0/0/0.0 set firewall family inet filter FBF term 1 then next-interface routing-instance DPI set firewall family inet filter FBF term 2 then accept set routing-instances DPI instance-type virtual-router set routing-instances DPI interface ge-0/0/0.0 set routing-instances DPI routing-options static route 0.0.0.0/0 next-hop 10.0.0.14

it works, is it config correct and best practice ? and how i can make ge-0/0/0 interface a point-to-point ? thank you
Reason for Moderation

Describe the reason this content should be moderated (required)
6. RE: fbf and DPI

0 Recommend
ylara
Posted 12-13-2020 22:24

Reply Reply Privately

Mark As Inappropriate
Sorry! Changing the interface to point-to-point is actually not an option in this case.

Regards,

------------------------------
Yasmin Lara
Juniper Ambassador
JNCIE-SP, JNCIE-ENT, JNCIE-DC, JNCIE-SEC
JNCDS-DC, JNCIA-DevOps, JNCIP-CLOUD, CCNP-ENT
------------------------------

Original Message
Reason for Moderation

Describe the reason this content should be moderated (required)

Routing

fbf and DPI

xamza141212-12-2020 12:00

xamza141212-12-2020 17:19

ylara12-12-2020 23:41Best Answer

ylara12-12-2020 23:46

xamza141212-13-2020 12:29

ylara12-13-2020 22:24

1. fbf and DPI

2. RE: fbf and DPI

3. RE: fbf and DPI Best Answer

4. RE: fbf and DPI

5. RE: fbf and DPI

6. RE: fbf and DPI

3. RE: fbf and DPI
Best Answer