vMX


Ask questions and share experiences about vMX.
  • 1.  FBF questions

    Posted 09-26-2023 22:21

    I have the following topology


    What I need is this: when the traffic is sourced from 172.16.2.X, the next hop is 10.50.1.25; otherwise, the next hop is via the default route.

    set firewall family inet filter NAT-PBR term 1 from source-prefix-list net-172.16.2.0/24
    set firewall family inet filter NAT-PBR term 1 then count nat-Traffic
    set firewall family inet filter NAT-PBR term 1 then next-ip 10.50.1.25/32
    set firewall family inet filter NAT-PBR term 1 then accept
    set firewall family inet filter NAT-PBR term 2 then accept

    set interfaces ge-0/0/6 family inet filter input NAT-PBR

    When the traffic is sourced from 172.16.2.X, I can see the counter increasing, but the traffic still goes via the default route.

    Any ideas?

    Thanks!!



  • 2.  RE: FBF questions

    Posted 11-30-2023 08:36

    Hi mate,

    I checked the documentation and found this article:

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/topic-map/filter-based-forwarding-policy-based-routing.html

    In their example, R2 has a configuration similar to yours, but they include a routing-instance where the traffic should go. I rebuilt your setup with your configuration and experienced the same problem as you. Also, please note that the "then accept" in your term 1 overrides the "next-ip" statement.

    I then created a routing-instance of type forwarding, imported only the interface route for my next-hop interface, and added the routing-instance statement after the next-ip statement as described in the article. Then my traffic went the way it should have gone in the first place.

    Here is some configuration for you to follow along:

    interfaces {
        /* link toward the policy next hop 10.0.0.10 */
        xe-0/0/0 {
            unit 0 {
                family inet {
                    address 10.0.0.11/31;
                }
            }
        }
        /* link toward the default-route next hop 10.0.0.13; the post listed this stanza as xe-0/0/0 too, which duplicates the one above, so an unused port name is assumed here */
        xe-0/0/3 {
            unit 0 {
                family inet {
                    address 10.0.0.12/31;
                }
            }
        }
        /* ingress interface; the FBF filter is applied here in the input direction */
        xe-0/0/2 {
            unit 0 {
                family inet {
                    filter {
                        input NAT;
                    }
                    address 2.0.0.9/30;
                }
            }
        }
    }
    policy-options {
        /* copy only the direct route of the next-hop link into fbf.inet.0 */
        policy-statement copy-interface {
            term 1 {
                from {
                    route-filter 10.0.0.10/31 exact;
                }
                to rib fbf.inet.0;
                then accept;
            }
            term 2 {
                then reject;
            }
        }
    }
    firewall {
        family inet {
            filter NAT {
                /* no "then accept" in this term: next-ip is the action, resolved in fbf.inet.0 */
                term 1 {
                    from {
                        source-address {
                            2.0.0.10/32;
                        }
                    }
                    then {
                        count nat-traffic;
                        next-ip 10.0.0.10/32 routing-instance fbf;
                    }
                }
                term 2 {
                    then accept;
                }
            }
        }
    }
    routing-options {
        /* interface routes go into both inet.0 and fbf.inet.0, filtered by copy-interface */
        interface-routes {
            rib-group inet to-fbf-instance;
        }
        static {
            route 0.0.0.0/0 next-hop 10.0.0.13;
        }
        rib-groups {
            to-fbf-instance {
                import-rib [ inet.0 fbf.inet.0 ];
                import-policy copy-interface;
            }
        }
    }
    routing-instances {
        /* VRF present on the test box; not part of the FBF path */
        net {
            instance-type vrf;
            interface xe-0/0/1.10;
            interface xe-0/0/1.20;
            route-distinguisher 172.16.0.6:100;
            vrf-target target:64512:100;
            vrf-table-label;
        }
        /* forwarding instance whose only route is the one copied above */
        fbf {
            instance-type forwarding;
        }
    }

    I hope this helps you. If you have any additional questions, don't hesitate to ask!

    BR, Johannes



    ------------------------------
    Johannes | Systems Engineer
    A computer's attention span is only as long as its power cord.
    ------------------------------
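The same method, applied to the topology in the first post, as an added example in set format (this is not configuration from either poster). Taken from the thread: the ingress interface ge-0/0/6, the prefix-list name net-172.16.2.0/24, the counter nat-Traffic, and the policy next hop 10.50.1.25. Assumed: the interface facing 10.50.1.25 is ge-0/0/1, addressed 10.50.1.24/31, so that its direct route 10.50.1.24/31 is the one copied into fbf.inet.0; the instance, rib-group and policy names follow the reply above. The default route is left as it already is in inet.0.

```junos
# Added example for the first post's topology; not the posters' configuration.
# Assumption: ge-0/0/1 (10.50.1.24/31) is the link toward the policy next hop 10.50.1.25.
set interfaces ge-0/0/1 unit 0 family inet address 10.50.1.24/31

# Prefix-list referenced by the original filter.
set policy-options prefix-list net-172.16.2.0/24 172.16.2.0/24

# Forwarding instance that will hold only the route to the policy next hop.
set routing-instances fbf instance-type forwarding

# Copy just the direct route of ge-0/0/1 from inet.0 into fbf.inet.0; everything else is rejected.
set policy-options policy-statement copy-interface term 1 from route-filter 10.50.1.24/31 exact
set policy-options policy-statement copy-interface term 1 to rib fbf.inet.0
set policy-options policy-statement copy-interface term 1 then accept
set policy-options policy-statement copy-interface term 2 then reject
set routing-options rib-groups to-fbf-instance import-rib [ inet.0 fbf.inet.0 ]
set routing-options rib-groups to-fbf-instance import-policy copy-interface
set routing-options interface-routes rib-group inet to-fbf-instance

# Filter: term 1 has no "then accept"; next-ip is resolved in fbf.inet.0.
# All other sources fall through to term 2 and take the normal inet.0 lookup (default route).
set firewall family inet filter NAT-PBR term 1 from source-prefix-list net-172.16.2.0/24
set firewall family inet filter NAT-PBR term 1 then count nat-Traffic
set firewall family inet filter NAT-PBR term 1 then next-ip 10.50.1.25/32 routing-instance fbf
set firewall family inet filter NAT-PBR term 2 then accept
set interfaces ge-0/0/6 unit 0 family inet filter input NAT-PBR
```

After commit, `show route table fbf.inet.0` should list only 10.50.1.24/31 as a direct route via ge-0/0/1.0, and `show firewall filter NAT-PBR` shows the nat-Traffic counter moving while a traceroute from a 172.16.2.x host should show 10.50.1.25 as the first hop. Because fbf.inet.0 deliberately contains nothing but that direct route, there is no fallback in that table if ge-0/0/1 goes down, so the failure case is worth testing in the lab before relying on it.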



  • 3.  RE: FBF questions

    Posted 11-30-2023 12:06

    Thanks so much!! I noticed the version (ver. 14) caused this. Ver. 18 works as expected.