hi. i posted this on juniper-nsp, but thought i'd try my luck here too.
hi. this should be dead simple, but it isn't and my google-fu is sucking.
all i want to do on my ex4500 is punt traffic to a next hop. simple policy-based routing in cisco-speak. apparently you need a routing-instance to do so. fine. we'll try it.
so here we go. i'm basically saying if the destination isn't other fleet machines in 10/8, or the source isn't any of my public ip, throw it at my proxy/nat box that lives at 10.1.0.51, which is learned via bgp (exabgp). for now, i'm testing this only on one machine - 10.1.12.2, as referenced in the firewall filter.
// config //
routing-instances {
nat-vrf {
instance-type forwarding;
routing-options {
static {
}
}
}
}
routing-options {
interface-routes {
rib-group inet fbf-group;
}
rib-groups {
fbf-group {
import-rib [ inet.0 nat-vrf.inet.0 ];
}
}
}
protocols {
bgp {
group NAT-VIP {
family inet {
unicast {
rib-group fbf-group;
}
}
}
interfaces {
vlan {
unit 112 {
family inet {
filter {
input FLEET-NAT;
}
}
firewall {
filter FLEET-NAT {
term pass-1 {
from {
source-address {
<snip>;
}
}
then accept;
}
term pass-2 {
from {
destination-address {
}
}
then accept;
}
term else-nat {
from {
source-address {
}
}
then {
log;
routing-instance nat-vrf;
}
}
}
}
}
// end //
the routing instance nat-vrf sees the route to
10.1.0.51:
# show route table nat-vrf 10.1.0.51
nat-vrf.inet.0: 61 destinations, 62 routes (61 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
AS path: I, validation-state: unverified
> to 10.1.5.11 via vlan.105
and we have a recursed route to the 10.1.5.11 next hop.
# show route table nat-vrf 10.1.5.11
nat-vrf.inet.0: 61 destinations, 62 routes (61 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
> via vlan.105
forwarding table looks ok, i think:
# show route forwarding-table table nat-vrf destination 10.1.0.51
Routing table: nat-vrf.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
10.1.5.11 ucst 1639 4 vlan.105
# show route forwarding-table table nat-vrf destination 10.1.5.11
Routing table: nat-vrf.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
i think the thing missing here is that nat-vrf doesn't have a mac address next-hop for
10.1.5.11/32, much like inet.0 does:
# show route forwarding-table destination 10.1.5.11
Routing table: default.inet
Internet:
Destination Type RtRef Next hop Type Index NhRef Netif
so, when tcpdumping on 10.1.5.11, i see no packets come in from a fleet machine as i'd expect.
the firewall log shows my curl attempts to google, so i know i'm making it into the else-nat term properly.
# show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
23:55:55 pfe A xe-0/0/12.0 TCP 10.1.12.2 74.125.228.230
23:55:54 pfe A xe-0/0/12.0 TCP 10.1.12.2 74.125.228.230
i'm a bit stumped from this point forward. i entirely admit that i don't necessarily understand some of the knobs to turn with this setup. i did at least try changing the routing-instance from "forwarding" to "virtual-router".
not quite sure how to get nat-vrf to actually do the f part. do i have to share arp across instances somehow as well?
appreciate any pointers!
ryan