SRX

Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Source based routing with Filter based Forwarding

    Posted 06-14-2011 11:26

    Hi folks,

    I want to configure SBR. I read the KB and found that I can do it with Filter Based Forwarding.

    I want to do a simple SBR.

    The routes will be:

    192.168.1.1/32 interface pp0.0
    192.168.1.2/32 interface pp0.0
    192.168.1.0/24 interface pp0.1

    It was so simple with SSG. Can you give me a sample config for this?



  • 2.  RE: Source based routing with Filter based Forwarding
    Best Answer

    Posted 06-14-2011 12:54

    Hi

    I'll give you an idea of how it is usually configured. I assume that you have
    static addressing so you use static routes to forward traffic.

    1) Add a static route to the first ISP (corresponding to interface pp0.0):
    set routing-options static route 0/0 next-hop <ISP1-ip>

    2) Create a routing-instance of type forwarding; we will use it to direct traffic
    to the alternate path.

    set routing-instances fbf instance-type forwarding

    3) Create a static route in that instance

    set routing-instances fbf routing-options static route 0.0.0.0/0 next-hop <ISP2-ip>

    4) For this route to be resolved correctly, you need to copy the interface routes
    from the main table (inet.0) to table fbf.inet.0. This is done by 2 commands:

    set routing-options interface-routes rib-group inet fbf-group
    set routing-options rib-groups fbf-group import-rib [ inet.0 fbf.inet.0]

    5) Use a firewall filter on the incoming (internal) interface to direct particular
    traffic to the second ISP (= to instance fbf). The interface config example is

        fe-0/0/0 {
            unit 0 {
                family inet {
                    filter {
                        input filt-in-fbf;
                    }
                    address 192.168.0.1/24;
                }
            }
        }

    And the firewall filter example is (write terms that reflect your needs):

    firewall {
        family inet {
            filter filt-in-fbf {
                term 10 {
                    from {
                        source-address {
                            192.168.0.0/24;
                        }
                        destination-address {
                            1.1.1.1/32;
                        }
                    }
                    then {
                        routing-instance fbf;
                    }
                }
                term 20 {
                    then {
                        accept;
                    }
                }
            }
        }
    }

    I'm not completely sure that this standard solution will work for you because of pppoe interfaces.

    If it does not, then another way to do the same would be:

    1) Create a routing-instance of type virtual-router, and put interface pp0.1 in it;

    create routes you need in both instances.

    2) In the firewall filter (similar to above) use "then next-table" to forward traffic to different VR.



  • 3.  RE: Source based routing with Filter based Forwarding

    Posted 06-14-2011 14:29

    Hi pk - This will work even with the pp0 interface without any issues.

    In the static route, the next hop can be pp0.0 or pp0.1 in case the IP is dynamically assigned. A dynamic default route will be inserted in the route table based on the default route assigned by the ISP.

    Regards,



  • 4.  RE: Source based routing with Filter based Forwarding

    Posted 06-15-2011 02:07

    I get this error now. If I bind the filter to the vlan interface, I cannot reach the SRX and my internet connection goes down.

    root@FW# show interfaces fe-0/0/3
    unit 0 {
        family inet {
            filter {
                input filter-fbf;
            }
        }
        family ethernet-switching {
            vlan {
                members vlan-trust;
            }
        }
    }

    [edit]
    root@FW# commit check
    [edit interfaces fe-0/0/3 unit 0]
      'family'
        When ethernet-switching family is configured on an interface, no other family type can be configured on the same interface.
    error: configuration check-out failed

    root@FW# show firewall family inet filter filter-fbf
    term 10 {
        from {
            source-address {
                192.194.196.200/32;
                192.194.196.201/32;
            }
        }
        then {
            routing-instance fbf;
        }
    }

    set routing-options static route 0.0.0.0/0 next-hop pp0.0

    set routing-instances fbf instance-type forwarding

    set routing-instances fbf routing-options static route 0.0.0.0/0 next-hop pp0.1

    set routing-options interface-routes rib-group inet fbf-group
    set routing-options rib-groups fbf-group import-rib [ inet.0 fbf.inet.0]



  • 5.  RE: Source based routing with Filter based Forwarding

    Posted 06-15-2011 02:11

    Hi

    1) In your case you should apply filter to interface vlan.N, where N is vlan
    id you are using, not to fe- interface;

    2) Firewall filters drop all traffic by default, so add term 20 then accept,
    as in my example above.
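    Why the filter in post 4 cut off every host other than the two /32s: the added Python model below (not Junos code and not from any poster in this thread) walks a packet through the filter terms in order, applies the first matching term, and falls through to the implicit discard that Junos places after the last term. The term/table representation and the destination address are constructed assumptions; the source prefixes are the ones quoted above.

```python
from ipaddress import ip_address, ip_network

# Constructed model of a Junos firewall filter: terms are evaluated in order,
# the first matching term decides, and a packet that matches no term hits the
# implicit discard at the end. Added illustration, not Junos itself.

def make_term(name, source=(), destination=(), action="accept", instance=None):
    return {
        "name": name,
        "source": [ip_network(p) for p in source],
        "destination": [ip_network(p) for p in destination],
        "action": action,       # "accept", "discard" or "routing-instance"
        "instance": instance,   # routing-instance name for the FBF action
    }

def term_matches(term, src, dst):
    s, d = ip_address(src), ip_address(dst)
    # An empty match list means "any", as in Junos; a non-empty list must contain the address.
    if term["source"] and not any(s in n for n in term["source"]):
        return False
    if term["destination"] and not any(d in n for n in term["destination"]):
        return False
    return True

def evaluate(filter_terms, src, dst):
    """Return (action, routing table used) for one packet."""
    for term in filter_terms:
        if term_matches(term, src, dst):
            if term["action"] == "routing-instance":
                return ("accept", f"{term['instance']}.inet.0")
            return (term["action"], "inet.0" if term["action"] == "accept" else None)
    return ("discard", None)  # implicit discard at the end of every Junos filter

# The filter from post 4 (term 10 only) beside the fixed one with "term 20 then accept".
TERM_10 = make_term("10", source=["192.194.196.200/32", "192.194.196.201/32"],
                    action="routing-instance", instance="fbf")
TERM_20 = make_term("20", action="accept")
BROKEN_FILTER = [TERM_10]
FIXED_FILTER = [TERM_10, TERM_20]

if __name__ == "__main__":
    # 203.0.113.10 is a constructed (TEST-NET-3) destination.
    for name, flt in (("broken", BROKEN_FILTER), ("fixed", FIXED_FILTER)):
        for src in ("192.194.196.200", "192.194.196.10"):
            print(name, src, "->", evaluate(flt, src, "203.0.113.10"))
```

    With only term 10, every internal host outside the two /32s (including the one managing the SRX) is silently discarded; term 20 restores the default path through inet.0 while the listed sources still go to fbf.inet.0.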



  • 6.  RE: Source based routing with Filter based Forwarding

    Posted 06-15-2011 02:20

    I forgot to add term 20.

    It works now.

    Thanks