Routing

  • 1.  Filter Based Forwarding + ACX2200 Router

    Posted 04-07-2022 05:43
    Hi, 

    I'm having an issue with Filter Based Forwarding using the ACX2200 in a test lab before production.
    Model: acx2200
    Junos: 20.4R3-S2.6

    I've followed a few guides, and I understand that with this type of configuration you can't put the filter on the physical interface, so I've put it on the forwarding-options.
    I have a laptop connected to the 172.16.1.1/24 interface and I'm trying to set up a routing-instance so that it goes through the 10.1.1.55 interface and then off to the internet.
    This is so I can do load balancing with two different ISPs based on the source address of my internal network.
    With the configuration below it seems like the filter is working and sending it to the routing-instance, but I can't ping out past the router, and I receive a reply from the interface 172.16.1.1 that the destination is not reachable. I also receive error messages, which I attached below, but I can't seem to make out why it's occurring; it's clear, though, that it's why I can't get past the interface.

    Here is the configuration

    interfaces {
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 172.16.1.1/24;
                }
            }
        }
        ge-0/0/3 {
            unit 0 {
                family inet {
                    address 10.1.1.55/24;
                }
            }
        }
    }
    forwarding-options {
        family inet {
            filter {
                input wifi-route;
            }
        }
    }
    firewall {
        family inet {
            filter wifi-route {
                term allow {
                    from {
                        source-address {
                            172.16.1.0/24;
                        }
                    }
                    then {
                        log;
                        routing-instance test;
                    }
                }
                term default {
                    then accept;
                }
            }
        }
    }
    routing-instances {
        test {
            routing-options {
                static {
                    route 0.0.0.0/0 next-hop 10.1.1.1;
                }
            }
            instance-type forwarding;
        }
    }
    routing-options {
        interface-routes {
            rib-group inet fbf-group;
        }
        rib-groups {
            fbf-group {
                import-rib [ inet.0 test.inet.0 ];
            }
        }
    }

    admin@TST.SVR.TST>

    I can see the route in the routing-instance test

    admin@TST.SVR.TST> show route

    inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    10.1.1.0/24 *[Direct/0] 00:06:46
    > via ge-0/0/3.0
    10.1.1.55/32 *[Local/0] 00:06:46
    Local via ge-0/0/3.0
    172.16.1.0/24 *[Direct/0] 00:06:06
    > via ge-0/0/2.0
    172.16.1.1/32 *[Local/0] 00:06:06
    Local via ge-0/0/2.0
    192.168.30.254/32 *[Local/0] 23:56:05
    Reject

    test.inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0 *[Static/5] 00:06:46
    > to 10.1.1.1 via ge-0/0/3.0
    10.1.1.0/24 *[Direct/0] 00:06:46
    > via ge-0/0/3.0
    10.1.1.55/32 *[Local/0] 00:06:46
    Local via ge-0/0/3.0
    172.16.1.0/24 *[Direct/0] 00:06:06
    > via ge-0/0/2.0
    172.16.1.1/32 *[Local/0] 00:06:06
    Local via ge-0/0/2.0
    192.168.30.254/32 *[Local/0] 23:21:57
    Reject

    admin@TST.SVR.TST>

    I can see the log is working as well and allowing it through the filter.

    admin@TST.SVR.TST> show firewall log
    Log :
    Time Filter Action Interface Protocol Src Addr Dest Addr
    15:37:38 pfe A ge-0/0/2.0 UDP 172.16.1.10 8.8.8.8
    15:37:38 pfe A ge-0/0/2.0 ICMP 172.16.1.10 8.8.8.8
    15:37:38 pfe A ge-0/0/2.0 UDP 172.16.1.10 8.8.8.8
    15:37:38 pfe A ge-0/0/2.0 UDP 172.16.1.10 8.8.8.8
    15:37:37 pfe A ge-0/0/2.0 UDP 172.16.1.10 8.8.8.8
    15:37:37 pfe A ge-0/0/2.0 ICMP 172.16.1.10 8.8.8.8
    15:37:37 pfe A ge-0/0/2.0 UDP 172.16.1.10 8.8.8.8
    15:37:36 pfe A ge-0/0/2.0 UDP 172.16.1.10 8.8.8.8


    I did read somewhere that there was a bug in Junos in which you have to restart the PFE, but restarting it doesn't help.

    Log messages after I activate the forwarding-options and firewall syntax:

    Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_set_bcm_match :Setting VRFid failed filter 22 rv(-7) "Entry not found"
    Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_rule_create :Could not set match, unit 0, entry 166, group 2
    Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_filter_create_exp :[-1] from acx_dfw_rule_create_exp term(allow)
    Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_create_hw_instance :Status:-1 Could not program dfw(wifi-route) type(DYN_VFP_FF)! [-1]
    Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_bind_shim :[-1] Could not create dfw(wifi-route) type(DYN_VFP_FF)
    Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_ftf_create :[1] bind failed for filter wifi-route
    Apr 7 15:51:31 TST.SVR.TST feb0 ACX Error (dfw):acx_dfw_ftf :status:[1] acx_dfw_ftf_create failed.
    Apr 7 15:51:31 TST.SVR.TST feb0 PFE_ERROR_FAIL_OPERATION: rt_halp_vectors->rt_table_change failed
    Apr 7 15:51:32 TST.SVR.TST feb0 PFE_ERROR_FAIL_OPERATION: route process failed

    Any help to figure out these errors would be great as there isn't much on Google.

    Thanks

    J




    ------------------------------
    JASON WILLIAMS
    ------------------------------


  • 2.  RE: Filter Based Forwarding + ACX2200 Router

    Posted 04-08-2022 09:50

    Hi Jason, 

    I know that the ACX is a bit limited regarding how routing and firewalls work. My suggestion is that you open a ticket with JTAC; those PFE errors don't look good.

    Also, if you check FBF in the feature explorer you will find that there is no ACX listed there:

    https://apps.juniper.net/feature-explorer/feature-info.html?fKey=1062&fn=Filter-based+forwarding+%28FBF%29

    Thanks, 
    Gabriel FV



    ------------------------------
    GABRIEL FLORES
    ------------------------------



  • 3.  RE: Filter Based Forwarding + ACX2200 Router

    Posted 04-11-2022 05:26
    I will raise a case, I was just following the trail of Juniper Documentation.

    https://www.juniper.net/documentation/us/en/software/junos/routing-policy/topics/concept/forwarding-table-filter-acx-series.html

    Agreed about the PFE errors, as I wasn't expecting them.

    Hopefully I'll get an answer and update the post.

    Cheers

    J


    ------------------------------
    JASON WILLIAMS
    ------------------------------



  • 4.  RE: Filter Based Forwarding + ACX2200 Router

    Posted 04-12-2022 05:27
    Hello Jason, 

    Please also check the TCAM usage on the ACX; if it is okay and you still see these issues, JTAC is the way to go.

    https://supportportal.juniper.net/s/article/ACX-TCAM-Management-and-Firewall-Filter-Scale-Best-Practices?language=en_US

    Thank you
    Ruban

    ------------------------------
    RUBAN JOHNSON
    ------------------------------



  • 5.  RE: Filter Based Forwarding + ACX2200 Router

    Posted 08-22-2022 20:01
    It has been resolved by adding the "interface-specific" command under the firewall filter and removing the log entry.

    set firewall family inet filter wifi-route interface-specific
    set firewall family inet filter wifi-route term allow from source-address 172.16.1.0/24
    set firewall family inet filter wifi-route term allow then routing-instance test
    set firewall family inet filter wifi-route term default then accept

    Hope this helps anyone who had or has issues.

    J

    ------------------------------
    JASON WILLIAMS
    ------------------------------
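An added config lint, not from the thread or from Juniper, that checks set-format Junos configuration for the FBF pieces this thread ends up needing: a filter applied under forwarding-options, the interface-specific knob from the final post, a forwarding-type instance with a default route, and a rib-group leaking interface routes into that instance's table. The sample config is constructed from the thread's own statements (the working version from post 5), and the checks are my own assumptions about what must be present, not Junos commit validation.

```python
import re

# Constructed sample (not a device export): the thread's FBF configuration in
# set format, including the interface-specific fix from the final post.
SAMPLE_CONFIG = """
set forwarding-options family inet filter input wifi-route
set firewall family inet filter wifi-route interface-specific
set firewall family inet filter wifi-route term allow from source-address 172.16.1.0/24
set firewall family inet filter wifi-route term allow then routing-instance test
set firewall family inet filter wifi-route term default then accept
set routing-instances test instance-type forwarding
set routing-instances test routing-options static route 0.0.0.0/0 next-hop 10.1.1.1
set routing-options interface-routes rib-group inet fbf-group
set routing-options rib-groups fbf-group import-rib inet.0
set routing-options rib-groups fbf-group import-rib test.inet.0
"""

def check_fbf(config: str) -> list:
    """Lint set-format Junos config for the pieces FBF needs; return the problems found."""
    lines = [l.strip() for l in config.splitlines() if l.strip().startswith("set ")]
    text = "\n".join(lines)
    problems = []
    # Filters applied as forwarding-table filters (where the thread puts the FBF filter)
    ftf = re.findall(r"^set forwarding-options family inet filter input (\S+)$", text, re.M)
    if not ftf:
        problems.append("no filter applied under forwarding-options family inet")
    for name in ftf:
        base = f"set firewall family inet filter {name} "
        terms = [l[len(base):] for l in lines if l.startswith(base)]
        if "interface-specific" not in terms:
            problems.append(f"filter {name}: missing interface-specific (the ACX fix in the thread)")
        if any(t.endswith(" then log") for t in terms):
            problems.append(f"filter {name}: 'then log' present; the working config dropped it")
        targets = re.findall(r" then routing-instance (\S+)$", "\n".join(terms), re.M)
        if not targets:
            problems.append(f"filter {name}: no term sends traffic to a routing-instance")
        for ri in targets:
            ri_base = f"set routing-instances {ri} "
            ri_lines = [l[len(ri_base):] for l in lines if l.startswith(ri_base)]
            if "instance-type forwarding" not in ri_lines:
                problems.append(f"routing-instance {ri}: instance-type must be forwarding")
            if not any(r.startswith("routing-options static route 0.0.0.0/0 next-hop ") for r in ri_lines):
                problems.append(f"routing-instance {ri}: no default route for the redirected traffic")
            # Interface routes must be leaked into <ri>.inet.0, or the next hop cannot resolve
            groups = re.findall(r"^set routing-options interface-routes rib-group inet (\S+)$", text, re.M)
            if not any(f"set routing-options rib-groups {g} import-rib {ri}.inet.0" in lines for g in groups):
                problems.append(f"routing-instance {ri}: no rib-group imports interface routes into {ri}.inet.0")
    return problems
```

Run `check_fbf` over `show configuration | display set` output to get a list of missing pieces; an empty list means the wiring the thread ended up with is all present.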