SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Filter-Based-Forwarding issues - SRX

    Posted 04-19-2014 20:48

    Hello,


    I've been playing with this for a few hours now, and not having any success on 210s. I've done this before with similar configurations, however nothing I do seems to reroute traffic as required.


    Basic requirements: Route any/all traffic inbound on reth0.110 out reth0.150 to next-hop of 10.50.0.254


    Configuration:

    root@SRX210A# show interfaces reth0.110
    vlan-id 110;
    family inet {
        filter {
            input FBF-1;
        }
        address 10.10.0.1/24;
    }
    
    {primary:node0}[edit]
    root@SRX210A# show interfaces reth0.150
    vlan-id 150;
    family inet {
        filter {
            input PCAP;
            output PCAP;
        }
        address 10.50.0.1/24;
    }
    
    {primary:node0}[edit]
    root@SRX210A# show firewall filter FBF-1
    term 1 {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            routing-instance FBF;
        }
    }
    
    {primary:node0}[edit]
    root@SRX210A# show routing-options
    interface-routes {
        rib-group inet IMPORT_PHY;
    }
    static {
        route 0.0.0.0/0 next-hop 10.0.0.1;
    }
    rib-groups {
        IMPORT_PHY {
            import-rib [ inet.0 FBF.inet.0 ];
        }
    }
    router-id 10.1.1.1;
    autonomous-system 65536;
    
    {primary:node0}[edit]
    root@SRX210A# show routing-instances
    FBF {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.50.0.254;
            }
        }
    }
    


    Traffic still gets routed out inet.0's default via reth0.100:

    Session ID: 2092, Policy name: PERMIT_ALL/4, State: Active, Timeout: 18, Valid
      In: 10.10.0.100/55670 --> 10.0.0.1/22;tcp, If: reth0.110, Pkts: 2, Bytes: 120
      Out: 10.0.0.1/22 --> 10.10.0.100/55670;tcp, If: reth0.100, Pkts: 0, Bytes: 0
    

    Any help would be greatly appreciated!



  • 2.  RE: Filter-Based-Forwarding issues - SRX

    Posted 04-19-2014 21:35

    The traffic will be sent out the interface which connects to this next-hop:

    route 0.0.0.0/0 next-hop 10.50.0.254

    There are no interfaces in the routing instance. The next-hops are resolved by importing the routes from inet.0.



  • 3.  RE: Filter-Based-Forwarding issues - SRX

    Posted 04-19-2014 22:30

    Config looks correct to me. Could you please check if the routes are properly exported between the instances:


    > show route


    and see if FBF contains the other interface routes from inet.0


    Regards

    Sarab



  • 4.  RE: Filter-Based-Forwarding issues - SRX
    Best Answer

    Posted 04-20-2014 00:49

    From the snippet provided, traffic flows from 10.10.0.100/55670 to 10.0.0.1/22;tcp

    To me it appears that you have a direct route for the 10.0.0.0 subnet imported into the FBF.inet.0 table.

    Hence reth0.150 is not used; rather, reth0.100 is used, based on maximum prefix match.


    Regards,

    Raveen



  • 5.  RE: Filter-Based-Forwarding issues - SRX

    Posted 04-20-2014 11:07

    Raveen,


    Your assumption was correct. Hitting something other than a directly connected network triggers the FBF, thank you.


    Any suggestion on how to avoid this? Would instance-import with a policy-statement of 'from interface x,y,z' be the best bet?
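Raveen's diagnosis, worked through in Python as an added example (not from the thread or from Junos itself): FBF.inet.0 is modelled as the instance's own static default plus whichever inet.0 interface routes the rib-group imports, and a longest-prefix lookup shows why 10.0.0.1 leaves via reth0.100, why importing only the reth0.150 route sends it via reth0.150, and why importing no interface routes leaves the default's next-hop unresolvable (the point made in reply 2). The 10.0.0.0/24 route on reth0.100 is an assumption; the other two interface routes come from the posted config.

```python
import ipaddress

# Routes are (prefix, protocol, next_hop, interface). Static routes carry a
# next-hop and no interface; direct (interface) routes carry an interface.
# inet.0 interface routes as rib-group IMPORT_PHY would copy them into
# FBF.inet.0. reth0.110 and reth0.150 are from the posted config; the
# 10.0.0.0/24 route on reth0.100 is an assumption matching the diagnosis.
INET0_DIRECT = [
    ("10.0.0.0/24", "direct", None, "reth0.100"),   # assumed
    ("10.10.0.0/24", "direct", None, "reth0.110"),
    ("10.50.0.0/24", "direct", None, "reth0.150"),
]
FBF_STATIC = [("0.0.0.0/0", "static", "10.50.0.254", None)]


def lookup(table, dst):
    """Longest-prefix match: the most specific entry covering dst, or None."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in ipaddress.ip_network(r[0])]
    return max(matches, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)


def egress_interface(table, dst, _depth=0):
    """Interface a forwarding lookup for dst lands on, or None if unresolvable.

    A static route's next-hop is looked up in the same table, which is why
    the direct route for the next-hop's subnet has to be imported as well.
    """
    route = lookup(table, dst)
    if route is None or _depth > 4:          # no route, or recursion guard hit
        return None
    _prefix, proto, next_hop, ifl = route
    if proto == "direct":
        return ifl
    return egress_interface(table, next_hop, _depth + 1)


def build_fbf_table(keep_ifls):
    """FBF.inet.0 = its static default + interface routes imported for keep_ifls."""
    imported = [r for r in INET0_DIRECT if r[3] in keep_ifls]
    return FBF_STATIC + imported


if __name__ == "__main__":
    everything = build_fbf_table({"reth0.100", "reth0.110", "reth0.150"})
    only_150 = build_fbf_table({"reth0.150"})
    nothing = build_fbf_table(set())
    print(egress_interface(everything, "10.0.0.1"))  # reth0.100: /24 beats /0
    print(egress_interface(everything, "8.8.8.8"))   # reth0.150: default wins
    print(egress_interface(only_150, "10.0.0.1"))    # reth0.150: no /24 to match
    print(egress_interface(nothing, "8.8.8.8"))      # None: next-hop unresolvable
```

In Junos the keep_ifls filter corresponds to an import-policy on the rib-group that accepts only the wanted interface routes, while still importing the one that resolves the instance's next-hop; the instance-import approach asked about in reply 5 is the alternative.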