Junos OS

Hi all. I have problem with Juniper FBF.

I made FBF under this article: https://www.juniper.net/documentation/en_US/junos14.2/topics/example/logical-systems-filter-based-forwarding.html and this work fine. I can replace next-hop from subnet 10.2.1.0/24 very well.

But, I want next: package which comes from external servers I replace next-hop on router P1.

I created other routing-instance, firewall rule, and attach his on external input interface. I see the packets arrive at the external interface, but they do not fall into the routing-instance.

term 100 {
    from {
        source-address {
            8.8.8.8/32;
        }
    }
    then {
        routing-instance sp1-route-table;
    }
}
term default {
    then accept;
}

I don't understand, why it happens?

If I do this:

term 100 {
    from {
        source-address {
            8.8.8.8/32;
        }
    }
    then {
        discard;
    }
}
term default {
    then accept;
}

packets drop correctly.

I don't have between P1 and PE1 ospf, only full bgp table.

If I see show route table sp1-route-table I see route to next-hop router. 

Model: mx5-t
JUNOS Base OS boot [12.1R1.9]
JUNOS Base OS Software Suite [12.1R1.9]
JUNOS Kernel Software Suite [12.1R1.9]
JUNOS Crypto Software Suite [12.1R1.9]
JUNOS Packet Forwarding Engine Support (MX80) [12.1R1.9]
JUNOS Online Documentation [12.1R1.9]
JUNOS Routing Software Suite [12.1R1.9]

I don't understand: why it doesn't work with external source address which route cames on bgp session.

Hello,

If You follow these simple guidelines http://forums.juniper.net/t5/Junos/Please-include-configurations-and-topologies-when-you-re-having/td-p/81310

- then I am sure You will get more qualified answers.

HTH

Thx

Alex

thanks for your answer.

I prepared topology sheme and attached it. I moved my virtual test network to real hardware: 2 ex3300, 1 mx10i and 2 servers.

SW1

## Last commit: 2016-02-11 13:42:58 EET by nc
version 12.3R6.6;
system {
    host-name SW-3R81-CORE-DC;
    time-zone Europe/Kiev;
    root-authentication {
    }
    services {
        ssh {
            rate-limit 15;
        }
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    auto-image-upgrade;
}
interfaces {                                                                                                                                                                                                                        [13/1852]
    ge-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {               
                address 192.168.101.254/24;
            }
        }
    }
    ae0 {
        aggregated-ether-options {
            no-flow-control;
            minimum-links 1;
            link-speed 1g;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                address 192.168.20.1/30;
            }
        }
    }
    vlan {
        unit 0 {
            family inet {
                dhcp {                  
                    vendor-id Juniper-ex3300-24t;
                }
            }
        }
    }
}
routing-options {
    router-id 192.168.20.1;
    autonomous-system 64513;
}
protocols {
    bgp {
        group downlinks {
            neighbor 192.168.20.2 {
                local-address 192.168.20.1;
                hold-time 20;
                import bgp_import_from_192.168.20.2;
                export bgp_export_to_192.168.20.2;
                peer-as 64515;
            }
        }
    }
    igmp-snooping {
        vlan all;
    }
    rstp;
    lldp {
        interface all;
    }
    lldp-med {
        interface all;
    }
}
policy-options {
    policy-statement bgp_export_to_192.168.20.2 {
        term 200 {
            from {
                route-filter 0.0.0.0/0 exact;
            }
            then reject;
        }
        term 100 {
            from protocol [ direct static ];
            then accept;
        }
        term default {
            then reject;
        }
    }
    policy-statement bgp_import_from_192.168.20.2 {
        term 100 {
            from protocol bgp;
            then accept;
        }                               
        term default {
            then reject;
        }
    }
}
ethernet-switching-options {
    storm-control {
        interface all;
    }
}
vlans {
    default {
        l3-interface vlan.0;
    }
    vid26 {
        vlan-id 26;
    }
}

M10i

## Last commit: 2016-02-11 13:32:33 EET by root
version 12.3R6.6;
system {
    host-name M10I;
    time-zone Europe/Kiev;
    root-authentication {
    }
    services {
        ssh;
    }
    syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 2;
        }
    }
}
interfaces {
    ge-0/0/0 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        gigether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.20.6/30;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {                        
            family inet {
                filter {
                    inactive: input classify-customers;
                }
                address 192.168.201.254/24;
            }
        }
    }
    ae0 {
        description TO_EX3300-1;
        traceoptions {
            flag all;
        }
        aggregated-ether-options {
            no-flow-control;
            link-speed 1g;
            lacp {
                active;
                periodic fast;
            }
        }
        unit 0 {
            family inet {
                filter {
                    input classify-customers-WAN;
                }
                address 192.168.20.2/30;
            }
        }
    }
}
forwarding-options {                    
    hash-key {                          
        family inet {                   
            layer-3;                    
        }                               
    }                                   
}                                       
routing-options {                       
    interface-routes {                  
        rib-group inet fbf-group;       
    }                                   
    static {                            
        route 0.0.0.0/0 {               
            discard;                    
            no-install;                 
        }                               
    }                                   
    rib-groups {                        
        fbf-group {                     
            import-rib [ inet.0 sp1-route-table.inet.0 ];
        }                               
    }                                   
    router-id 192.168.20.2;             
    autonomous-system 64515;            
}                                       
protocols {                             
    bgp {                               
        group uplinks {                 
            neighbor 192.168.20.1 {     
                local-address 192.168.20.2;
                hold-time 20;           
                import bgp_import_from_192.168.20.1;
                export bgp_export_to_192.168.20.1;
                peer-as 64513;          
            }                           
        }                               
    }                                   
    ospf {                              
        export ospf-export-to-area0;    
        area 0.0.0.0 {                  
            interface ge-0/0/2.0;       
        }                               
    }                                   
    lacp {                              
        traceoptions {                  
            file lacp.log size 10m files 10;
            flag all;                   
        }                               
    }                                   
}                                       
policy-options {                        
    policy-statement bgp_export_to_192.168.20.1 {
        term 100 {                      
            from protocol [ direct static ];
            then accept;                
        }                               
        term default {                  
            then reject;                
        }                               
    }                                   
    policy-statement bgp_import_from_192.168.20.1 {
        term 100 {                      
            from protocol bgp;          
            then accept;                
        }                               
        term default {                  
            then reject;                
        }                               
    }                                   
    policy-statement ospf-export-to-area0 {
        inactive: term 100 {            
            from protocol [ local direct ];
            then accept;                
        }                               
        inactive: term default {        
            then reject;                
        }                               
        term 200 {                      
            from {                      
                protocol static;        
                route-filter 0.0.0.0/0 exact;
            }                           
            then accept;                
        }                               
    }                                   
}                                       
firewall {                              
    filter classify-customers {         
        term sp1-customers {            
            from {                      
                source-address {        
                    192.168.201.1/32;   
                }                       
            }                           
            then {                      
                log;                    
                routing-instance sp1-route-table;
            }                           
        }                               
        term default {                  
            then accept;                
        }                               
    }                                   
    filter classify-customers-WAN {     
        term sp1-customers {            
            from {                      
                source-address {        
                    192.168.101.1/32;   
                }                       
            }                           
            then {                      
                log;                    
                routing-instance sp1-route-table;
            }                           
        }                               
        term default {                  
            then accept;                
        }                               
    }                                   
}                                       
routing-instances {                     
    sp1-route-table {                   
        instance-type forwarding;       
        routing-options {               
            static {                    
                route 0.0.0.0/0 next-hop 192.168.20.5;
            }                           
        }                               
    }                                   
}

SW2

## Last commit: 2016-02-11 12:39:45 EET by root
version 12.3R11.2;
system {
    host-name SW-3R82-CORE-DC;
    time-zone Europe/Kiev;
    root-authentication {
    }
    services {
        ssh;
    }
    inactive: syslog {
        user * {
            any emergency;
        }
        file messages {
            any notice;
            authorization info;
        }
        file interactive-commands {
            interactive-commands any;
        }
    }
}
chassis {
    aggregated-devices {
        ethernet {
            device-count 1;
        }
    }
    alarm {
        management-ethernet {
            link-down ignore;
        }
    }
}
interfaces {
    ge-0/0/0 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/1 {
        ether-options {
            802.3ad ae0;
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.168.20.5/30;
            }
        }
    }
    ae0 {                               
        mtu 9216;                       
        aggregated-ether-options {      
            no-flow-control;            
            minimum-links 1;            
            link-speed 1g;              
            lacp {                      
                active;                 
                periodic fast;          
            }                           
        }                               
        unit 0 {                        
            family ethernet-switching { 
                port-mode trunk;        
                vlan {                  
                    members [ all ];
                }                       
            }                           
        }                               
    }                                   
}                                       
protocols {                             
    ospf {                              
        area 0.0.0.0 {                  
            interface ge-0/0/2.0;       
        }                               
    }                                   
}                                       
ethernet-switching-options {            
    storm-control {                     
        interface all;                  
    }                                   
}                                       

M10i has to firewall fiter which I attached to interface ge-0/0/3 if I want change next hop from 192.168.201.1.

I do next, from PC2 I traced  PC1:

root@test2:~# traceroute 192.168.101.1
traceroute to 192.168.101.1 (192.168.101.1), 30 hops max, 60 byte packets
 1  192.168.201.254 (192.168.201.254)  0.174 ms  0.148 ms  0.194 ms
 2  192.168.20.1 (192.168.20.1)  1.374 ms  1.454 ms  1.479 ms
 3  192.168.101.1 (192.168.101.1)  0.152 ms  0.178 ms  0.162 ms

ok, next on m10i:

    set interfaces ge-0/0/3 unit 0 family inet filter input classify-customers

and repeated trace:

# traceroute 192.168.101.1
traceroute to 192.168.101.1 (192.168.101.1), 30 hops max, 60 byte packets
 1  192.168.201.254 (192.168.201.254)  0.221 ms  0.219 ms  0.300 ms
 2  192.168.20.5 (192.168.20.5)  1.871 ms  1.959 ms  1.989 ms
 3  192.168.20.6 (192.168.20.6)  0.259 ms  0.309 ms  0.290 ms
 4  192.168.20.1 (192.168.20.1)  1.188 ms  1.280 ms  1.306 ms
 5  192.168.101.1 (192.168.101.1)  0.238 ms  0.222 ms  0.202 ms

ok, it's works fine, but I want change next hop on traffic which arraived to me from bgp uplinks. I did next:

deactivate interfaces ge-0/0/3 unit 0 family inet filter input classify-customers

and applied on external interface:


set interfaces ae0 unit 0 family inet filter input classify-customers-WAN

and tried to diag, how it's work:

root@M10I# run clear firewall log 

    root@PC:~# ping -c 1 192.168.201.1                                                                                                                                                                                                           
    PING 192.168.201.1 (192.168.201.1) 56(84) bytes of data.
    64 bytes from 192.168.201.1: icmp_req=1 ttl=62 time=0.231 ms

    --- 192.168.201.1 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.231/0.231/0.231/0.000 ms

root@M10I# run show firewall log                                                 
Log :
Time      Filter    Action Interface     Protocol        Src Addr                         Dest Addr
13:32:38  pfe       A      ae0.0         ICMP            192.168.101.1                    192.168.201.1

root@PC:~# traceroute  192.168.201.1                                                                                                                                                                                                         
traceroute to 192.168.201.1 (192.168.201.1), 30 hops max, 60 byte packets
 1  192.168.101.254 (192.168.101.254)  1.068 ms  1.094 ms  1.108 ms
 2  192.168.20.2 (192.168.20.2)  0.240 ms  0.227 ms  0.218 ms
 3  192.168.201.1 (192.168.201.1)  0.173 ms  0.197 ms  0.181 ms

And nothins changed in traffic who arrived to my as from external subnet.

13:32:48  pfe       A      ae0.0         UDP             192.168.101.1                    192.168.201.1
13:32:48  pfe       A      ae0.0         UDP             192.168.101.1                    192.168.201.1
13:32:48  pfe       A      ae0.0         UDP             192.168.101.1                    192.168.201.1
13:32:48  pfe       A      ae0.0         UDP             192.168.101.1                    192.168.201.1
13:32:48  pfe       A      ae0.0         UDP             192.168.101.1                    192.168.201.1

I saw traffic in firewall log in m10i, but traceroute didn't change.

This situation repeats on all devices whom I  used on my experements. I don't understand what the problem with traffic and how I can fix this.  I want change next-hop router for external traffic who arrive to my subnet.

I attached routing table from devices.

sw1:

# run show route 

inet.0: 9 destinations, 11 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[BGP/170] 01:29:08, localpref 100
                      AS path: 64515 I, validation-state: unverified
                    > to 192.168.20.2 via ae0.0
192.168.20.0/30    *[Direct/0] 16:03:14
                    > via ae0.0
                    [BGP/170] 01:46:44, localpref 100
                      AS path: 64515 I, validation-state: unverified
                    > to 192.168.20.2 via ae0.0
192.168.20.1/32    *[Local/0] 16:03:14
                      Local via ae0.0
192.168.20.4/30    *[BGP/170] 01:46:44, localpref 100
                      AS path: 64515 I, validation-state: unverified
                    > to 192.168.20.2 via ae0.0
192.168.101.0/24   *[Direct/0] 15:45:26
                    > via ge-0/0/2.0
192.168.101.254/32 *[Local/0] 15:45:41
                      Local via ge-0/0/2.0
192.168.201.0/24   *[BGP/170] 01:46:44, localpref 100
                      AS path: 64515 I, validation-state: unverified
                    > to 192.168.20.2 via ae0.0

m10i:

# run show route 

inet.0: 11 destinations, 13 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:29:39
                      Discard
192.168.20.0/30    *[Direct/0] 16:04:37
                    > via ae0.0
                    [BGP/170] 01:47:15, localpref 100
                      AS path: 64513 I, validation-state: unverified
                    > to 192.168.20.1 via ae0.0
192.168.20.2/32    *[Local/0] 16:04:40
                      Local via ae0.0
192.168.20.4/30    *[Direct/0] 02:00:49
                    > via ge-0/0/2.0
192.168.20.6/32    *[Local/0] 02:04:14
                      Local via ge-0/0/2.0
192.168.101.0/24   *[BGP/170] 01:47:15, localpref 100
                      AS path: 64513 I, validation-state: unverified
                    > to 192.168.20.1 via ae0.0
192.168.201.0/24   *[Direct/0] 01:56:02
                    > via ge-0/0/3.0
192.168.201.254/32 *[Local/0] 01:56:02
                      Local via ge-0/0/3.0
224.0.0.5/32       *[OSPF/10] 6d 01:59:52, metric 1
                      MultiRecv

sp1-route-table.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:04:31
                    > to 192.168.20.5 via ge-0/0/2.0
192.168.20.0/30    *[Direct/0] 01:04:31
                    > via ae0.0
192.168.20.2/32    *[Local/0] 01:04:31
                      Local via ae0.0
192.168.20.4/30    *[Direct/0] 01:04:31
                    > via ge-0/0/2.0
192.168.20.6/32    *[Local/0] 01:04:31
                      Local via ge-0/0/2.0
192.168.201.0/24   *[Direct/0] 01:04:31
                    > via ge-0/0/3.0
192.168.201.254/32 *[Local/0] 01:04:31
                      Local via ge-0/0/3.0

sw3:

# run show route 

inet.0: 6 destinations, 6 routes (6 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[OSPF/150] 01:30:11, metric 0, tag 0
                    > to 192.168.20.6 via ge-0/0/2.0
192.168.20.4/30    *[Direct/0] 02:00:05
                    > via ge-0/0/2.0
192.168.20.5/32    *[Local/0] 02:00:05
                      Local via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 01:39:42, metric 1
                      MultiRecv

Hello,

Thanks for providing the partial information.

The information provided is (a) incomplete and (b) misleading.

Regading (a) - You did not provide the config nor route table from the switch where 192.168.201.1 host is connected to.

Regarding (b) - You posted config from SW2 but route table from SW3.

Nevertheless I will try to make my best educated guess here:

1/ assuming SW2==SW3, Your 0/0 route on SW2/3 points back to M10i:

0.0.0.0/0          *[OSPF/150] 01:30:11, metric 0, tag 0
                    > to 192.168.20.6 via ge-0/0/2.0

2/ the packets FBFed by M10I _from_ ae0 _to_ SW2/3 should be returned back to M10i according to the above information

3/ to make FBF work correctly, please make sure SW2/3 can reach 192.168.201.1 _NOT_ via M10i.

HTH

Thx

Alex

sorry, you have right, I made mistake with name: sw2 == sw3, it's one device.

yes, I changed next-hop at m10i to sw2, after that I want filter traffic and return them to m10i router.

SW2# run traceroute 192.168.201.1    
traceroute to 192.168.201.1 (192.168.201.1), 30 hops max, 40 byte packets
 1  192.168.20.6 (192.168.20.6)  1.682 ms  1.604 ms  1.633 ms
 2  192.168.201.1 (192.168.201.1)  1.558 ms  1.650 ms  2.011 ms

SW2# run traceroute 192.168.101.1    
traceroute to 192.168.101.1 (192.168.101.1), 30 hops max, 40 byte packets
 1  192.168.20.6 (192.168.20.6)  1.622 ms  1.704 ms  1.616 ms
 2  192.168.20.1 (192.168.20.1)  2.560 ms  2.556 ms  2.881 ms
 3  192.168.101.1 (192.168.101.1)  1.841 ms  1.689 ms  1.614 ms

After that, I append ip address on SW2, because he connected to swith where connect PC2 too:

set interfaces ae0 unit 0 family inet address 192.168.201.253/24

And nothing change, after started traceroute from PC1 to PC2 not changed.

traceroute  192.168.201.1
traceroute to 192.168.201.1 (192.168.201.1), 30 hops max, 60 byte packets
 1  192.168.101.254 (192.168.101.254)  1.251 ms  1.352 ms  1.341 ms
 2  192.168.20.2 (192.168.20.2)  0.245 ms  0.248 ms  0.230 ms
 3  192.168.201.1 (192.168.201.1)  0.643 ms  0.638 ms  0.621 ms

I see the packets who never fall at tabe sp1-route-table if I use filters on bgp connection interface.

Hello there,

Thanks for adding extra information.

Your FBF problem has nothing to do with BGP.

Your FBF does not work because You have a 192.168.201/24 route in Your "sp1-route-table.inet.0" table and when a packet is put through this table, it finds a more specific route with interface ge-0/0/3.0 to exit from:

sp1-route-table.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:04:31
                    > to 192.168.20.5 via ge-0/0/2.0
192.168.20.0/30    *[Direct/0] 01:04:31
                    > via ae0.0
192.168.20.2/32    *[Local/0] 01:04:31
                      Local via ae0.0
192.168.20.4/30    *[Direct/0] 01:04:31
                    > via ge-0/0/2.0
192.168.20.6/32    *[Local/0] 01:04:31
                      Local via ge-0/0/2.0
192.168.201.0/24   *[Direct/0] 01:04:31
                    > via ge-0/0/3.0
192.168.201.254/32 *[Local/0] 01:04:31
                      Local via ge-0/0/3.0

Please add the following to Your M10i config:

set policy-options policy-statement only-ge002 term 1 from protocol direct
set policy-options policy-statement only-ge002 term 1 from route-filter 192.168.20.4/30 exact
set policy-options policy-statement only-ge002 term 1 then accept
set policy-options policy-statement only-ge002 term 2 then reject
set routing-options rib-groups fbf-group import-policy only-ge002

After that please re-test and report back.

HTH

Thx

Alex

thanks, you know, it's work fine.

after applied filters:

root@M10I# run show route                                                                    

inet.0: 11 destinations, 13 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 3d 23:17:08
                      Discard
10.100.0.0/16      *[Direct/0] 1w2d 23:47:19
                    > via fxp0.0
                    [BGP/170] 2d 23:05:05, localpref 100
                      AS path: 64513 I, validation-state: unverified
                    > to 192.168.20.1 via ge-0/0/0.0
10.100.0.10/32     *[Local/0] 1w2d 23:47:19
                      Local via fxp0.0
192.168.20.0/30    *[Direct/0] 2d 23:05:09
                    > via ge-0/0/0.0
                    [BGP/170] 2d 23:05:05, localpref 100
                      AS path: 64513 I, validation-state: unverified
                    > to 192.168.20.1 via ge-0/0/0.0
192.168.20.2/32    *[Local/0] 2d 23:05:13
                      Local via ge-0/0/0.0
192.168.20.4/30    *[Direct/0] 2d 18:51:23
                    > via ge-0/0/2.0
192.168.20.6/32    *[Local/0] 3d 23:51:43
                      Local via ge-0/0/2.0
192.168.101.0/24   *[BGP/170] 2d 23:05:05, localpref 100
                      AS path: 64513 I, validation-state: unverified
                    > to 192.168.20.1 via ge-0/0/0.0
192.168.201.0/24   *[Direct/0] 00:36:08
                    > via ge-0/0/3.0
192.168.201.254/32 *[Local/0] 3d 23:43:31
                      Local via ge-0/0/3.0
224.0.0.5/32       *[OSPF/10] 1w2d 23:47:21, metric 1
                      MultiRecv

sp1-route-table.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2d 18:51:23
                    > to 192.168.20.5 via ge-0/0/2.0
192.168.20.4/30    *[Direct/0] 2d 18:51:23
                    > via ge-0/0/2.0

And test:

# traceroute  192.168.201.1
traceroute to 192.168.201.1 (192.168.201.1), 30 hops max, 60 byte packets
 1  192.168.101.254 (192.168.101.254)  1.074 ms  1.117 ms  1.121 ms
 2  192.168.20.2 (192.168.20.2)  0.241 ms  0.247 ms  0.228 ms
 3  192.168.20.5 (192.168.20.5)  3.991 ms  4.104 ms  4.123 ms
 4  192.168.201.1 (192.168.201.1)  0.604 ms  0.608 ms  0.580 ms

I don't quite understand, do two routes will be enough?

Hello there,

---

@Melanxolik wrote:

thanks, you know, it's work fine.

 

 

 

---

Glad to help.

---

@Melanxolik wrote:

 

I don't quite understand, do two routes will be enough?

 

 

---

If You want the FBF-ed packet to always follow the 0/0 route, then You have to get rid of all more specific routes in the forwarding instance.

And 0/0 static next-hop has to resolve via an interface, so +1 interface route must be present as well.

If You want a FBF failover with 2 interfaces, then You have to import a second interface route.

If You want a FBF failover with 3 interfaces, then You have to import a third interface route.

And so on

HTH

Thx

Alex