  • 1.  Filter Based Forwarding on EX3300 VC.

    Posted 05-14-2014 02:44

    I have 3 vlans:

    vLan1 - 192.168.1.0/24

    vLan2 - 192.168.2.0/24

    vLan3 - 192.168.3.0/24

     

    + MPLS - 192.168.10.0/24

    + SRX as default GW - 192.168.1.100; 192.168.2.100; 192.168.3.100

     

    Users from vLan1 can connect with MPLS using MPLS router address 192.168.1.5, but users from vLan2 and vLan3 must first be sent to the SRX (to translate the address).

     

    Idea:

    User from vLan1 to Internet:

    User -> Access Switch -> VC EX3300 -> SRX -> Internet

    User from vLan1 to MPLS:

    User -> Access Switch -> VC EX3300 -> MPLS

     

    User from vLan2 and 3 to Internet:

    User -> Access Switch -> VC EX3300 -> SRX -> internet

    User from vLan2 and 3 to MPLS:

    User -> Access Switch -> VC EX3300 (FBF) -> SRX (NAT) -> VC EX3300 -> MPLS

     

    The problem is with vLan2 and 3 and MPLS access. Filter Based Forwarding on VC EX3300 doesn't work at all with my configuration; all users from all VLANs use default routing from inet.0 (not from the MPLS_from_net2 and MPLS_from_net3 routing-instances). Where did I make a mistake?

     

    root@EXCORE# show routing-options static

     

    route 0.0.0.0/0 next-hop 192.168.1.100

    route 192.168.10.0/24 next-hop 192.168.1.5

     

    root@EXCORE# show interfaces vlan

     

    unit 1 {
       family inet {
          address 192.168.1.1/24;
       }
    }

     

    unit 2 {
       family inet {
          filter {
             input MPLS_from_net2;
          }
          address 192.168.2.1/24;
       }
    }

     

    unit 3 {
       family inet {
          filter {
             input MPLS_from_net3;
          }
          address 192.168.3.1/24;
       }
    }

     

    root@EXCORE# show firewall

     

    family inet {
       filter MPLS_from_net2 {
          term 1 {
             from {
                source-address {
                   192.168.2.0/24;
                }
             }
             then {
                routing-instance MPLS_from_net2;
             }
          }
          term 2 {
             then accept;
          }
       }
    }

     

    family inet {
       filter MPLS_from_net3 {
          term 1 {
             from {
                source-address {
                   192.168.3.0/24;
                }
             }
             then {
                routing-instance MPLS_from_net3;
             }
          }
          term 2 {
             then accept;
          }
       }
    }

     

     

    root@EXCORE# show routing-instances

     

    MPLS_from_net2 {
       instance-type forwarding;
       routing-options {
          static {
             route 0.0.0.0/0 next-hop 192.168.2.100;
          }
       }
    }

    MPLS_from_net3 {
       instance-type forwarding;
       routing-options {
          static {
             route 0.0.0.0/0 next-hop 192.168.3.100;
          }
       }
    }



  • 2.  RE: Filter Based Forwarding on EX3300 VC.

    Posted 05-14-2014 04:11

    Provided that the users have their default gateway pointed at the switch (.1 address) in vlan 2 and vlan 3, I do not see anything wrong with this configuration.  You might want to double check your configuration on the SRX as well to be sure that the problem is not there.  Also, you might want to make sure you are running something fairly new in terms of JunOS version.  I know that some of the more advanced routing-functions (virtual routers for instance) were added fairly recently in the code for the EX3300.  I would probably run 12.3R5 or 12.3R6.

     

    Ron



  • 3.  RE: Filter Based Forwarding on EX3300 VC.

    Posted 05-14-2014 04:17

    Scratch my earlier comment...  your problem just hit me.  In order to get to the next-hop you specified, you would need to import your interface routes into the two MPLS routing-instances.  Basically, the instance you created has no way to get to the next-hop address you specified because it does not have a route to it.  Probably the easiest way would be to use a rib-group with your filtering routing-instances.  Otherwise, you could change your routing-instances to type "virtual-router" and then add your vlan.2 and vlan.3 interfaces to those routing-instances directly.

     

    Ron



  • 4.  RE: Filter Based Forwarding on EX3300 VC.
    Best Answer

    Posted 05-14-2014 04:31

    To use the rib-group, you would basically only need to change your routing-options to look like this:

     

    routing-options {
       interface-routes {
          rib-group inet interface-routes;
       }
       static {
          route 0.0.0.0/0 next-hop 192.168.1.100;
          route 192.168.10.0/24 next-hop 192.168.1.5;
       }
       rib-groups {
          interface-routes {
             import-rib [ inet.0 MPLS_from_net2.inet.0 MPLS_from_net3.inet.0 ];
          }
       }
    }

     

    Then to verify you could check the output of show route to ensure that the other two routing-instances inet.0 tables had the necessary /24 interface (direct) routes.

     

    Ron
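
A check for the failure discussed in this thread, as an added example that is not part of any post: it reports static routes in a forwarding instance whose next hop has no direct route in that instance's table. The `set`-form input is a constructed rewrite of the thread's configuration, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed input: the thread's configuration rewritten as "set" commands.
BASE = """\
set interfaces vlan unit 1 family inet address 192.168.1.1/24
set interfaces vlan unit 2 family inet address 192.168.2.1/24
set interfaces vlan unit 3 family inet address 192.168.3.1/24
set routing-instances MPLS_from_net2 instance-type forwarding
set routing-instances MPLS_from_net2 routing-options static route 0.0.0.0/0 next-hop 192.168.2.100
set routing-instances MPLS_from_net3 instance-type forwarding
set routing-instances MPLS_from_net3 routing-options static route 0.0.0.0/0 next-hop 192.168.3.100
"""
# The rib-group from the accepted answer, in the same form.
RIB_GROUP = """\
set routing-options interface-routes rib-group inet interface-routes
set routing-options rib-groups interface-routes import-rib [ inet.0 MPLS_from_net2.inet.0 MPLS_from_net3.inet.0 ]
"""

def imported_tables(config):
    """Tables that receive inet interface routes through the applied rib-group."""
    applied = re.search(
        r"^set routing-options interface-routes rib-group inet (\S+)$", config, re.M)
    if not applied:
        return set()
    name = re.escape(applied.group(1))
    lists = re.findall(
        rf"^set routing-options rib-groups {name} import-rib (.+)$", config, re.M)
    # Accept both "import-rib [ a b ]" and one table per line.
    return {t for item in lists for t in item.strip("[] ").split()}

def unresolved_next_hops(config):
    """Return (table, prefix, next_hop) for each instance static route whose
    next hop is not covered by a direct route present in that table."""
    # Assumption: every interface sits in the master instance, as with
    # instance-type forwarding, so direct routes start out in inet.0 only.
    direct = [ipaddress.ip_interface(a).network for a in re.findall(
        r"^set interfaces .+ family inet address (\S+)$", config, re.M)]
    imported = imported_tables(config)
    problems = []
    for inst, prefix, nh in re.findall(
            r"^set routing-instances (\S+) routing-options static route (\S+) next-hop (\S+)$",
            config, re.M):
        table = f"{inst}.inet.0"
        visible = direct if table in imported else []
        if not any(ipaddress.ip_address(nh) in net for net in visible):
            problems.append((table, prefix, nh))
    return problems

if __name__ == "__main__":
    print("without rib-group:", unresolved_next_hops(BASE))
    print("with rib-group:   ", unresolved_next_hops(BASE + RIB_GROUP))
```
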



  • 5.  RE: Filter Based Forwarding on EX3300 VC.

    Posted 05-16-2014 04:59

    ronf of course - you're right!

     

    I added the rib-group to my configuration and FBF works properly now 🙂

     

     



  • 6.  RE: Filter Based Forwarding on EX3300 VC.

    Posted 07-20-2015 15:53

    Sorry to dig up an old thread, but I'm currently trying to implement source routing on my ex3300 and am unable to do so.  OP, how did you get your routing-instance to work in the config?  According to this document, routing-instance is not a supported action in the ex3300 series - http://www.juniper.net/techpubs/en_US/junos15.1/topics/reference/general/firewall-filter-ex-series-match-conditions-support.html

     

    I get this error when I try to config it

     

    term match-DCVOIP {
       from {
          source-address {
             10.2.100.0/24;
          }
       }
       then {
          ##
          ## Warning: statement ignored: unsupported platform (ex3300-48p)
          ##
          routing-instance balt-collab;
       }
    }

     

    Now I'm researching an alternative when I thought I nailed it.  Any advice would help.  Thanks.  Relevant config, minus the input filter on each vlan interface, is copied below.

     

    firewall {
       family inet {
          filter collab-dcptp {
             term match-DCVOIP {
                from {
                   source-address {
                      10.2.100.0/24;
                   }
                }
                then {
                   routing-instance balt-collab;
                }
             }
             term match-Phones {
                from {
                   source-address {
                      10.2.55.0/24;
                   }
                }
                then {
                   routing-instance balt-collab;
                }
             }
             term match-Video {
                from {
                   source-address {
                      10.2.11.0/24;
                   }
                }
                then {
                   routing-instance balt-collab;
                }
             }
             term default {
                then accept;
             }
          }
       }
    }
    routing-instances {
       balt-collab {
          instance-type forwarding;
          routing-options {
             static {
                route 10.1.0.0/16 {
                   next-hop 10.2.100.10;
                   qualified-next-hop 10.2.0.4 {
                      preference 25;
                   }
                }
             }
          }
       }
    }