SRX Services Gateway
BB
Contributor
Posts: 28
Registered: ‎12-14-2007
Accepted Solution

SRX PBR or FBF

Hi,

I'm just learning SRX and having trouble with filter-based forwarding. I found a dozen articles here, but cannot solve my problem.

I'm testing an SRX-100 (I'd like to replace an SSG-5). I have two untrust interfaces (one of them fixed, one of them PPPoE - but in my test environment I use one fixed IP and a DHCP client). So the main config is the following:

fe-0/0/0.0 192.168.11.1/24 - trust

fe-0/0/1.0 dhcp client - untrust

fe-0/0/2.0 89.133.214.27/28 - untrust gateway: 89.133.214.30

 

I'd like to route http/https traffic to fe-0/0/2.0 if

Please help! I also attach the full config.

 

My routing config:

routing-options {
    interface-routes {
        rib-group inet default;
    }
    static {
        rib-group default;
        route 0.0.0.0/0 {
            next-hop 192.168.7.1;    # I filled this in, but this address is provided by DHCP; I can't use it as next-hop
            metric 5;
        }
    }
    rib-groups {
        default {
            import-rib [ inet.0 upc.inet.0 ];
        }
    }
}

firewall {
    family inet {
        filter iroda-input {
            term web-traffic {
                from {
                    source-address {
                        192.168.11.0/24;
                    }
                    destination-port [ http https ];
                }
                then {
                    routing-instance upc;
                }
            }
            term default {
                then accept;
            }
        }
    }
}
routing-instances {
    upc {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 89.133.214.30;
            }
        }
    }
}

 

BB
Contributor
Posts: 28
Registered: ‎12-14-2007

Re: SRX PBR or FBF

Please help me!

Trusted Expert
SSHSSH
Posts: 601
Registered: ‎11-21-2009

Re: SRX PBR or FBF

 

You should apply the filter to the interface (in your case the trust interface):

set interfaces fe-0/0/0 unit 0 family inet filter input (your filter name)
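The gap this reply points out (a firewall filter that is defined but never bound to an interface, so it is silently not evaluated) can be caught with a config check. The following is an added example, not part of the original posts: a Python sketch that parses a curly-brace Junos config and lists filters with no `input`/`output` binding under `interfaces`. The function names and the sample config are constructed for illustration, modelled on the thread's `iroda-input` filter; it assumes one statement per line and does not handle `input-list`/`output-list`.

```python
def leaves(config):
    """Yield (path, statement) for every leaf of a curly-brace Junos config."""
    stack = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        elif line.endswith(";"):
            yield tuple(stack), line[:-1].strip()

def unapplied_filters(config):
    """Return names of firewall filters that no interface references."""
    defined, applied = set(), set()
    for path, stmt in leaves(config):
        if path[:1] == ("firewall",):
            defined.update(p.split()[1] for p in path if p.startswith("filter "))
        elif path[:1] == ("interfaces",) and "filter" in path:
            direction, _, name = stmt.partition(" ")
            if direction in ("input", "output"):
                applied.add(name)
    return sorted(defined - applied)

# Constructed sample; %s marks where the interface filter binding goes.
SAMPLE = """
firewall {
    family inet {
        filter iroda-input {
            term web-traffic {
                then {
                    routing-instance upc;
                }
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                %s
            }
        }
    }
}
"""
BEFORE = SAMPLE % ""                                # filter defined, never applied
AFTER = SAMPLE % "filter {\n input iroda-input;\n}"  # filter bound on the trust interface
```

Running `unapplied_filters` over the output of `show configuration` flags any filter that exists only on paper, which matters equally for forwarding filters like this one and for filters meant to block traffic.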

 

BB
Contributor
Posts: 28
Registered: ‎12-14-2007

Re: SRX PBR or FBF

Thank you SSHSSH!

I forgot it.

Now it works.

My next problem is that if I cut the route (unplug the cable) defined by the FBF, the packets will be dropped. How can I provide fault tolerance?

 

 

Trusted Contributor
michael.saw
Posts: 1,048
Registered: ‎09-26-2011

Re: SRX PBR or FBF

I found this link:
http://kb.juniper.net/InfoCenter/index?page=content&id=KB15694

Which topic link does SRX FBF belong to?

Thanks in advance!
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.