Routing


Filter Based Forwarding problem

  • 1.  Filter Based Forwarding problem

    Posted 04-26-2011 03:12
    Hi,

    Trying to make a small lab environment regarding FBF, which I intend to use later on, I ended up with no end result. Here are my observations:

    ** Static routes (including the default route) are not visible in the associated routing tables (nrt.inet.0 and fbf.inet.0)
    ** The firewall filter is not working properly; even when I tried to ping with source-add 3.3.0.1, the counter (entering_fbf_filter) didn't change

    Configuration and some printouts are attached herewith.

    Thanks,
    Ash

    Attachment(s)

    txt
    FBF_Config.txt   5 KB 1 version


  • 2.  RE: Filter Based Forwarding problem

    Posted 04-26-2011 03:31

    Configuration and Printouts

     

    root@JUNOS> show configuration routing-instances fbf
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 1.1.0.1;
        }
    }

    root@JUNOS> show configuration routing-instances nrt
    instance-type vrf;
    interface em0.0;
    interface em1.0;
    interface lo0.0;
    route-distinguisher 65000:91;
    vrf-import nrt-import;
    vrf-export nrt-export;
    routing-options {
        interface-routes {
            rib-group inet mixed-rib;
        }
        static {
            route 0.0.0.0/0 next-hop 2.2.0.1;
            route 58.145.0.0/16 next-hop 1.1.0.1;
        }
    }
    forwarding-options {
        family inet {
            filter {
                input n2f-filter;
            }
        }
    }

    root@JUNOS> show configuration routing-options
    rib-groups {
        mixed-rib {
            import-rib [ nrt.inet.0 fbf.inet.0 ];
        }
    }
    forwarding-table {
        export pplb;
    }

    root@JUNOS> show configuration policy-options
    policy-statement nrt-export {
        from protocol [ static direct ];
        then {
            community add nrt;
            accept;
        }
    }
    policy-statement nrt-import {
        from {
            protocol bgp;
            community nrt;
        }
        then accept;
    }
    policy-statement pplb {
        then {
            load-balance per-packet;
        }
    }
    community nrt members target:65000:91;

    root@JUNOS> show configuration firewall
    filter n2f-filter {
        term A {
            from {
                source-address {
                    3.3.0.0/24;
                }
            }
            then {
                count entering_fbf_filter;
                routing-instance fbf;
            }
        }
        term B {
            then {
                count entering_nrt_filter;
                accept;
            }
        }
    }

    root@JUNOS>

    root@JUNOS> show route table nrt          /* No Default Route exists */

    nrt.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    1.1.0.1/32         *[Direct/0] 01:30:28
                        > via lo0.0
    2.2.0.0/24         *[Direct/0] 01:30:28
                        > via em1.0
    2.2.0.1/32         *[Local/0] 01:30:28
                          Local via em1.0
    3.3.0.0/24         *[Direct/0] 01:30:28
                        > via em0.0
    3.3.0.1/32         *[Local/0] 01:30:28
                          Local via em0.0

    root@JUNOS> show route table fbf       /* No Default Route exists */

    fbf.inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    1.1.0.1/32         *[Direct/0] 01:30:34
                        > via lo0.0
    2.2.0.0/24         *[Direct/0] 01:30:34
                        > via em1.0
    2.2.0.1/32         *[Local/0] 01:02:14
                          Local via em1.0
    3.3.0.0/24         *[Direct/0] 01:30:34
                        > via em0.0
    3.3.0.1/32         *[Local/0] 01:02:14
                          Local via em0.0

    root@JUNOS>

    root@JUNOS> show route forwarding-table family inet
    Routing table: fbf.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   389     1
    0.0.0.0/32         perm     0                    dscd   387     1
    1.1.0.1/32         user     0                    rtbl   401     4
    2.2.0.0/24         user     0                    rtbl   401     4
    2.2.0.1/32         user     0 2.2.0.1            locl   432     3
    3.3.0.0/24         user     0                    rtbl   401     4
    3.3.0.1/32         user     0 3.3.0.1            locl   428     3
    224.0.0.0/4        perm     0                    mdsc   388     1
    224.0.0.1/32       perm     0 224.0.0.1          mcst   384     1
    255.255.255.255/32 perm     0                    bcst   385     1

    Routing table: nrt.inet
    Internet:
    Destination        Type RtRef Next hop           Type Index NhRef Netif
    default            perm     0                    rjct   398     1
    0.0.0.0/32         perm     0                    dscd   396     1
    1.1.0.1/32         intf     0 1.1.0.1            locl   434     1
    2.2.0.0/24         intf     0                    rslv   433     1 em1.0
    2.2.0.0/32         dest     0 2.2.0.0            recv   431     1 em1.0
    2.2.0.1/32         intf     0 2.2.0.1            locl   432     3
    2.2.0.1/32         dest     0 2.2.0.1            locl   432     3
    2.2.0.255/32       dest     0 2.2.0.255          bcst   430     1 em1.0
    3.3.0.0/24         intf     0                    rslv   429     1 em0.0
    3.3.0.0/32         dest     0 3.3.0.0            recv   427     1 em0.0
    3.3.0.1/32         intf     0 3.3.0.1            locl   428     3
    3.3.0.1/32         dest     0 3.3.0.1            locl   428     3
    3.3.0.255/32       dest     0 3.3.0.255          bcst   426     1 em0.0
    224.0.0.0/4        perm     0                    mdsc   397     1
    224.0.0.1/32       perm     0 224.0.0.1          mcst   393     1
    255.255.255.255/32 perm     0                    bcst   394     1

     

    root@JUNOS> show firewall filter n2f-filter
    Filter: n2f-filter
    Counters:
    Name                                                Bytes              Packets
    entering_fbf_filter                                     0                    0
    entering_nrt_filter                                 20684                  176

    root@JUNOS> ping 1.1.0.1 routing-instance nrt source 3.3.0.1
    PING 1.1.0.1 (1.1.0.1): 56 data bytes
    64 bytes from 1.1.0.1: icmp_seq=0 ttl=64 time=6.994 ms
    64 bytes from 1.1.0.1: icmp_seq=1 ttl=64 time=0.333 ms
    ^C
    --- 1.1.0.1 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.333/3.663/6.994/3.330 ms

    root@JUNOS> show firewall filter n2f-filter
    Filter: n2f-filter
    Counters:
    Name                                                Bytes              Packets
    entering_fbf_filter                                     0                    0
    entering_nrt_filter                                 20684                  176

    root@JUNOS> ping 1.1.0.1 routing-instance nrt source 2.2.0.1
    PING 1.1.0.1 (1.1.0.1): 56 data bytes
    64 bytes from 1.1.0.1: icmp_seq=0 ttl=64 time=0.468 ms
    64 bytes from 1.1.0.1: icmp_seq=1 ttl=64 time=0.426 ms
    ^C
    --- 1.1.0.1 ping statistics ---
    2 packets transmitted, 2 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 0.426/0.447/0.468/0.021 ms

    root@JUNOS> show firewall filter n2f-filter
    Filter: n2f-filter
    Counters:
    Name                                                Bytes              Packets
    entering_fbf_filter                                     0                    0
    entering_nrt_filter                                 20684                  176

    root@JUNOS>



  • 3.  RE: Filter Based Forwarding problem

    Posted 04-26-2011 08:15

    I may be mistaken, but I believe your RIB group should also include the default inet.0 instance.



  • 4.  RE: Filter Based Forwarding problem

    Posted 04-26-2011 19:09

    Hi Robert,

     

    A number of VRFs are running within the M120 router and the objective is to leak routes from a specific VRF to a forwarding instance. In this case, leaking routes from nrt (which is a VRF instance) to fbf (which is a forwarding-type instance).

    So, I delimited the rib importing within nrt.inet.0 and fbf.inet.0.

    Thanks,

    Ash



  • 5.  RE: Filter Based Forwarding problem

    Posted 04-30-2011 13:22

     

    1. You should add the "resolve" statement for all your indirect static routes:

     

    2. "mixed-rib" should be applied to the global protocol bgp under proper address family...



  • 6.  RE: Filter Based Forwarding problem

    Posted 05-01-2011 10:07

    Hi Dumitru Papana,

     

    The default route is available now, but the forwarding option is still not choosing the right path (0.0.0.0/0 -> 10.6.1.2). It's choosing 5.5.0.2 instead.

    Looking forward to hearing from you.

     

    BR,

    asmash

     

     

    [edit]
    root@R1# show protocols bgp
    hold-time 30;
    advertise-inactive;
    family inet {
        unicast {
            rib-group sasn2remote;
        }
    }
    local-as 65000;
    group internal {
        type internal;
        local-address 10.0.0.1;
        export direct-static-bgp;
        peer-as 65000;
        neighbor 10.0.1.1;
    }

    [edit]
    root@R1# show routing-options
    static {
        route 10.0.1.1/32 next-hop 10.6.1.2;
    }
    rib-groups {
        sasn2remote {
            import-rib [ inet.0 r_sasn_e.inet.0 ];
        }
    }
    autonomous-system 65000;

    [edit]
    root@R1# show routing-instances r_sasn_e
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 6.6.1.2;
        }
    }

    [edit]
    root@R1# show routing-instances sasn_e
    instance-type vrf;
    interface em2.0;
    interface em3.0;
    interface em4.0;
    interface em5.0;
    interface em6.0;
    route-distinguisher 65000:91;
    vrf-import sasn_e-import;
    vrf-export sasn_e-export;
    vrf-table-label;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 5.5.0.2;
        }
    }
    forwarding-options {
        family inet {
            filter {
                input fbf-filter;
            }
        }
    }

    [edit]
    root@R1# show firewall filter fbf-filter
    term A {
        from {
            source-address {
                3.3.0.0/24;
            }
        }
        then {
            count FBF_Count;
            routing-instance r_sasn_e;
        }
    }
    term B {
        then {
            count Master_Count;
            accept;
        }
    }

    [edit]
    root@R1# run show interfaces terse | match em3.0
    em3.0                   up    up   inet     3.3.0.1/24     


    [edit]
    root@R1# run show route table r_sasn_e

    r_sasn_e.inet.0: 6 destinations, 6 routes (5 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[BGP/170] 00:04:09, localpref 100, from 10.0.1.1
                          AS path: I
                        > to 10.6.1.2 via em0.0
    6.6.1.0/24         *[BGP/170] 00:04:09, localpref 100, from 10.0.1.1
                          AS path: I
                        > to 10.6.1.2 via em0.0
    10.0.1.1/32        *[BGP/170] 00:04:09, localpref 100, from 10.0.1.1
                          AS path: I
                        > to 10.6.1.2 via em0.0
    10.6.1.0/24        *[BGP/170] 00:04:09, localpref 100, from 10.0.1.1
                          AS path: I
                        > to 10.6.1.2 via em0.0
    10.6.2.0/24        *[BGP/170] 00:04:09, localpref 100, from 10.0.1.1
                          AS path: I
                        > to 10.6.1.2 via em0.0

    [edit]
    root@R1# run show route table sasn_e     

    sasn_e.inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/5] 02:07:49
                        > to 5.5.0.2 via em5.0
    2.2.0.0/24         *[Direct/0] 02:07:49
                        > via em2.0
    2.2.0.1/32         *[Local/0] 02:07:49
                          Local via em2.0
    3.3.0.0/24         *[Direct/0] 02:07:49
                        > via em3.0
    3.3.0.1/32         *[Local/0] 02:07:49
                          Local via em3.0
    4.4.0.0/24         *[Direct/0] 02:07:49
                        > via em4.0
    4.4.0.1/32         *[Local/0] 02:07:49
                          Local via em4.0
    5.5.0.0/24         *[Direct/0] 02:07:49
                        > via em5.0
    5.5.0.1/32         *[Local/0] 02:07:49
                          Local via em5.0
    6.6.0.0/24         *[Direct/0] 02:07:49
                        > via em6.0
    6.6.0.1/32         *[Local/0] 02:07:49
                          Local via em6.0

    [edit]
    root@R1# ...routing-instance sasn_e interface em3.0                     
    traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets
     1  5.5.0.2 (5.5.0.2)  0.833 ms  1.778 ms  2.527 ms
     2  5.5.0.1 (5.5.0.1)  2.973 ms  3.890 ms  3.803 ms
     3  * *^C
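
The lookup that this post's fbf-filter and routing tables are meant to produce for a transit packet arriving in sasn_e, written as an added Python model; it is not part of the original post and is not Junos code. The function names and the sample packet addresses are constructed for illustration, and the Local /32 routes are left out of the tables.

```python
import ipaddress

# Active routes copied from the two `show route table` outputs in this post.
RIBS = {
    "sasn_e.inet.0": {
        "0.0.0.0/0": "5.5.0.2 via em5.0", "2.2.0.0/24": "direct em2.0",
        "3.3.0.0/24": "direct em3.0", "4.4.0.0/24": "direct em4.0",
        "5.5.0.0/24": "direct em5.0", "6.6.0.0/24": "direct em6.0",
    },
    "r_sasn_e.inet.0": {
        "0.0.0.0/0": "10.6.1.2 via em0.0", "6.6.1.0/24": "10.6.1.2 via em0.0",
        "10.0.1.1/32": "10.6.1.2 via em0.0", "10.6.1.0/24": "10.6.1.2 via em0.0",
        "10.6.2.0/24": "10.6.1.2 via em0.0",
    },
}

# fbf-filter from this post; terms are evaluated in order, first match wins.
FBF_FILTER = [
    {"term": "A", "source": ["3.3.0.0/24"], "count": "FBF_Count", "instance": "r_sasn_e"},
    {"term": "B", "source": [], "count": "Master_Count", "instance": None},  # accept
]


def longest_match(table, dst):
    """Longest-prefix match of dst in one routing table; None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [ipaddress.ip_network(p) for p in RIBS[table] if addr in ipaddress.ip_network(p)]
    if not hits:
        return None
    best = max(hits, key=lambda n: n.prefixlen)
    return str(best), RIBS[table][str(best)]


def forward(src, dst, counters, ingress_instance="sasn_e"):
    """Model one transit packet entering ingress_instance through fbf-filter."""
    addr = ipaddress.ip_address(src)
    for term in FBF_FILTER:
        if term["source"] and not any(addr in ipaddress.ip_network(p) for p in term["source"]):
            continue  # source-address condition not met, try the next term
        counters[term["count"]] = counters.get(term["count"], 0) + 1
        # `routing-instance X` moves the lookup to X.inet.0; `accept` stays put.
        table = (term["instance"] or ingress_instance) + ".inet.0"
        return term["term"], table, longest_match(table, dst)
    return None  # no term matched: a Junos filter ends with an implicit discard


if __name__ == "__main__":
    counters = {}
    # Constructed sample packets: (source, destination)
    for src, dst in [("3.3.0.10", "1.1.1.1"), ("2.2.0.10", "1.1.1.1"), ("3.3.0.10", "6.6.0.9")]:
        print(src, "->", dst, forward(src, dst, counters))
    print(counters)
```

The third sample packet shows a side effect visible in the tables above: once term A diverts a packet, 6.6.0.0/24 is no longer looked up as a direct route of sasn_e, because r_sasn_e.inet.0 as shown holds no such route and the packet follows that table's default.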



  • 7.  RE: Filter Based Forwarding problem

    Posted 05-01-2011 23:23

    Could you do the trace again and show the counters FBF_Count & Master_Count?

     



  • 8.  RE: Filter Based Forwarding problem

    Posted 05-02-2011 01:47

    Hi,

     

    Following is the output. Config file attached.

     

     

    [edit]
    root@R01# run show firewall filter fbf-filter   
    Filter: fbf-filter                                            
    Counters:
    Name                                                Bytes              Packets
    FBF_Count                                               0                    0
    Master_Count                                            0                    0

    [edit]
    root@R01# run traceroute 1.1.1.1 routing-instance sasn_e interface em3.0  
    traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 40 byte packets
     1  5.5.0.2 (5.5.0.2)  2.533 ms  2.861 ms  0.663 ms
     2  5.5.0.1 (5.5.0.1)  1.543 ms  3.089 ms  1.782 ms
    ^C
    [edit]
    root@R01#


    [edit]
    root@R01# run show firewall filter fbf-filter                           
    Filter: fbf-filter                                            
    Counters:
    Name                                                Bytes              Packets
    FBF_Count                                             824                   14
    Master_Count                                          336                    6

    [edit]
    root@R01#

    Attachment(s)

    txt
    Config_remote_bgp.txt   6 KB 1 version


  • 9.  RE: Filter Based Forwarding problem

    Posted 05-02-2011 02:09

    As I understand you need the following rib-group:

     

    rib-groups {
        sasn2remote {
            import-rib [ sasn_e.inet.0 r_sasn_e.inet.0 ];
        }
    }

     

    1. You'll have to apply this group to the "protocol direct" (you need direct routes anyway because otherwise the next-hop won't be accessible).

    2. The same rib-group should be applied not under "family inet" but "family inet-vpn".

    3. Your static route should have the resolve statement as this is an indirect one:

    r_sasn_e {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 6.6.1.2;
                    resolve;
                }
            }
        }
    }

    Could you show the full configuration and a sample topology (if you have any)?

     



  • 10.  RE: Filter Based Forwarding problem

    Posted 05-02-2011 06:32

    Yes, your understanding is similar to my expectation.

     

    Please find the topology and configuration attached.

     

    BR,

    asmash

    Attachment(s)

    txt
    Site1_R01.txt   9 KB 1 version


  • 11.  RE: Filter Based Forwarding problem

    Posted 05-04-2011 07:25

    Hello, I recently tested a case like yours in the lab and it seems that the only workable way is to create a routing-instance of type VRF and leak the needed routes with RTs. Then you can use the firewall-filter to map traffic to that specific VRF.

    It's simple and works.

    For your specific case it may look like this (I'll show only the portions that need to be changed):

    // This is the routing instance used for FBF

     

    r_sasn_e {
        instance-type vrf;
        route-distinguisher 65000:92;
        vrf-target target:65000:91;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop 6.6.1.2;
                    resolve;
                }
            }
        }
    }

    sasn_e {
        instance-type vrf;
        interface em2.0;
        interface em3.0;
        interface em4.0;
        interface em5.0;
        interface em6.0;
        route-distinguisher 65000:91;
        vrf-import sasn_e-import;
        vrf-export sasn_e-export;
        vrf-table-label;
        routing-options {
            interface-routes {
                rib-group inet sasn2remote;
            }
            static {
                route 0.0.0.0/0 next-hop 5.5.0.2;
            }
        }
        forwarding-options {
            family inet {
                filter {
                    input fbf-filter;
                }
            }
        }
    }

    routing-options {
        rib-groups {
            sasn2remote {
                import-rib [ inet.0 r_sasn_e.inet.0 ];
            }
        }
    }

     

     



  • 12.  RE: Filter Based Forwarding problem

    Posted 05-23-2011 09:18

    Thanks Dumitru.

     

    Just need to know whether it is necessary to define/refer rib-group even using vrf-target?

     

     

    BR,

    asmash

     

     



  • 13.  RE: Filter Based Forwarding problem
    Best Answer

    Posted 05-29-2011 00:02

    If you use rib-group "sasn2remote" applied under routing-instance "r_sasn_e" (interface-routes stanza), then your interfaces that are associated with sasn_e will also be shared with r_sasn_e, i.e. in the routing table they'll be shown as direct in both VRFs.

    You may alternatively use only the RTs and they'll look originated from BGP...

    My last example was a little misleading, here's the right config for your case:

     

    r_sasn_e {
        instance-type vrf;
        route-distinguisher 65000:92;
        vrf-target target:65000:91;
        routing-options {
            rib-groups {
                sasn2remote {
                    import-rib [ sasn_e.inet.0 r_sasn_e.inet.0 ];
                }
            }
            interface-routes {
                rib-group inet sasn2remote;
            }
            static {
                route 0.0.0.0/0 {
                    next-hop 6.6.1.2;
                    resolve;
                }
            }
        }
    }

    sasn_e {
        instance-type vrf;
        interface em2.0;
        interface em3.0;
        interface em4.0;
        interface em5.0;
        interface em6.0;
        route-distinguisher 65000:91;
        vrf-import sasn_e-import;
        vrf-export sasn_e-export;
        vrf-table-label;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 5.5.0.2;
            }
        }
        forwarding-options {
            family inet {
                filter {
                    input fbf-filter;
                }
            }
        }
    }



  • 14.  RE: Filter Based Forwarding problem

    Posted 08-06-2011 08:27

    Hi Papana,

     

    It's been tested with M series router and works fine!

     

    One shortfall is, indirect static route didn't send traffic end-end though it is visible in routing table.

     

    Anyway, is it possible to establish a BGP communication between the two VRFs (I mean the FBF based VRF and the main VRF)?

     

     

    Thanks,

    asmash