SRX

Hi,all,

Do the SRX3600 support the FBF in Virtual-Router?

the example,You can see the topology which I uploaded.In topology,there are 2 interfaces:ge-0/0/0 & ge-0/0/2,the ge-0/0/2 include sub-interface(ge-0/0/2.1,ge-0/0/2.2,ge-0/0/2.3),and the 2 interfaces in the virtual-router.and ge-0/0/0 will input the firewall filter which using to FBF.

thank you.

Hi

FBF shold work with vrouters if configured correctly.You can direct traffic to different routing

instance with filter, using "then routing-instance" knob.

In you case, it is not clear for me, what 2 interfaces are in virtual router, and what about

other interfaces? Are they in default instance?

hi,pk,

thank you for your response.ge-0/0/0 ,ge-0/0/2.1,ge-0/0/2.2,ge-0/0/2.3 in instance named VR(type is  Virtual-Router) ,and then,I created two new instance named VPN & VAS(the type is forwarding),in VPN instance & VAS instance,I config some static route,however,I can see any static route in their route table(VPN.inet.0 & VAS.inet.0).At last,I remove the instance VR,the static configed in VPN instance & VAS instance ware display.You can check my log,thank you very much.

Attachment(s)

FBF-R2.txt   135 KB 1 version

FBF-R2-2.txt   30 KB 1 version

I see that you've been copying interface routes to your VPN and TO_VAS tables with a command

set routing-options interface-routes rib-group inet PBR

and the rib group was defined as

import-rib [ inet.0 VPN.inet.0 TO_VAS.inet.0 ]

what was it doing - was copying interface routes from inet.0 to VPN.inet.0 and TO_VAS.inet.0.

Because your actual interfaces were in "VR" instance (VR.inet.0 table), these interface routes were not copied to your other two instances. I think import-rib should have looked something like

import-rib [ VR.inet.0 VPN.inet.0 TO_VAS.inet.0 ]

However this should be tested before putting in production.

hi,pk,

thank you for your response.because ge-0/0/0 and ge-0/0/2 must be in VR(virtual-router) in my topology,however,in Virtual-router VR,I want to do the FBF.which method can solve this problem?thank you.

From what I've seen in your session log, you were doing everything correctly except import-rib statement which, as far as I understand this, should have looked like  [ VR.inet.0 VPN.inet.0 TO_VAS.inet.0 ].

Try this correction and if it does not work then please post your full config and show route output here...

hi,pk,

Thank you for your response.Following your tips,it seem to be not work.And the file is all my config,thank you.

Attachment(s)

FBF-LOG-2011-6-8.txt   8 KB 1 version

Try the following

delete routing-options interface-routes rib-group inet PBR

set routing-instances VR routing-options interface-routes rib-group inet PBR

(just needed to apply rib-group to VR routing instance). Please tell me if it works.

hi,pk,

thank you for your response,the command which you tell me is work.thank you.

Attachment(s)

FBF-2.txt   25 KB 1 version