Junos OS

  • 1.  QFX5100 Route-Map

    Posted 05-19-2020 07:36

    Hello all,

    I am trying to configure a route-map in order to influence some traffic and I can't seem to find a good config example on how to do it. I have two QFX5100 switches in a virtual chassis that act as my core. The stack connects to a VPLS cloud, two edge routers/firewalls and a management switch that further connects to a management firewall. I would like to force some of the traffic that comes from the VPLS towards the mgmt. firewall when the destination is a specific IP. I have iBGP running between the core and edge devices, and the default is received from the edge units. Can I create a route-map using a filter and next-hop IP as I would in Cisco IOS and apply it on the VPLS interface? Would it make more sense to enable iBGP towards the mgmt. firewall and influence the routing utilizing BGP metrics instead?

    Thanks in advance,

    -AT



  • 2.  RE: QFX5100 Route-Map

     
    Posted 05-19-2020 09:09

     

    Hi AdrianT04,

    Howdy. If I am understanding correctly and getting the whole picture right, both options should work. For the BGP option you will need configuration on both ends and then a routing policy to modify the attributes, as you mentioned. Regarding the route-map feature, which is the IOS policy-based routing solution, in Junos there is an equivalent feature called filter-based forwarding. Please check the following link: https://forums.juniper.net/t5/IOS-to-Junos-I2J-Tips/Policy-Based-Routing-Filter-Based-Forwarding/td-p/129851

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 3.  RE: QFX5100 Route-Map

    Posted 05-19-2020 14:39

    Hi Lil Dexx,

     

    Thank you for the helpful link! Can the filter-based forwarding be enabled without the use of routing-instances (VRFs)?

     

    -AT



  • 4.  RE: QFX5100 Route-Map

     
    Posted 05-19-2020 15:32

    AdrianT04,

    Well, I don't think so, my friend. I have never seen an FBF without a routing instance. If we think about it, the reason why we create the RI is that we need a routing table to do the route lookup; without this, everything would be managed in the main instance (business as usual). The filter is there to classify packets based on header information, such as IP source address, IP destination address, IP protocol field, and source and destination TCP/UDP port numbers. If a packet matches the conditions of the filter, then traditional destination-based forwarding occurs using the routing table that is specified in the accept action of the filter definition language.

    Note: the instance type you need is forwarding, not vrf.

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 5.  RE: QFX5100 Route-Map

    Posted 05-20-2020 07:55

    Lil Dexx,

     

    That makes a lot more sense now, since I've been confusing the Junos FBF with IOS VRFs when they're actually PBRs. I am now trying to decide if the FBF implementation will be more efficient than BGP metrics. I would like to share the high-level diagram of my core to paint a better picture of what I am trying to accomplish. I am building a community-based WISP in Cleveland, OH, and the diagram illustrates our core and two active buildings. The Powercode cloud in the diagram represents our CRM, and I have all the integration done through my mgmt. firewall (not shown in the diagram) instead of the edge routers. I basically want to forward the traffic from the CPEs (10.x.x.x) towards the mgmt. firewall and not the edge routers if the traffic is destined for 149.28.x.x.

     

    VPLS Interface -

    ae0 {
        description "40G LACP to Everstream VPLS";
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family inet {
                address 172.20.101.1/30;
                address 172.20.102.1/30;
                address 172.20.103.1/30;
                address 172.20.105.1/30;
                address 172.20.106.1/30;
                address 172.20.107.1/30;
            }
        }
    }


    At the moment I have a static default pointing to Edge-01, but I will be enabling iBGP soon between the core and both edges. Once I have iBGP running with separately weighted defaults coming from Edge-01 (primary) and Edge-02 (secondary), how will the FBF impact the routing, since "FBF-Default" will have a next-hop set for one of the edge routers?

     

    -AT



  • 6.  RE: QFX5100 Route-Map

    Posted 05-20-2020 07:56

    Diagram attached



  • 7.  RE: QFX5100 Route-Map

     
    Posted 05-20-2020 12:22

    Hi AdrianT04,

    Greetings. In my humble opinion, what you are trying to do is very granular and overpowered for BGP attributes. Based on what you just explained, you need some specific subnets' CPEs (10.x.x.x) to be forwarded to a specific next-hop (firewall) if the traffic is going to a specific destination, 149.28.x.x.

    I would definitely do FBF. You don't need to worry about the default routing instance route lookup even after enabling iBGP with the edge routers. Why, you might say? Well, the firewall filter you are going to configure is way ahead in the processing pipeline: the firewall filter will be applied to the incoming interface(s) itself, and once the traffic hits the matching criteria you specify on the filter, it will send that traffic to the routing instance you specify for further processing. The rest of the traffic that does not match the firewall filter will be processed in the default routing instance 🙂

    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

    Regards,

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB



  • 8.  RE: QFX5100 Route-Map

    Posted 05-21-2020 11:10

    Hi Lil Dexx,

     

    Do you mind going over my FBF config and providing some input on whether it will work together with my actual QFX config? I attached the fbf-config I would like to add and segments of my running config.

     

    Thanks,

    -AT



  • 9.  RE: QFX5100 Route-Map

    Posted 05-21-2020 11:16

    set routing-instances Powercode-RM instance-type forwarding
    set routing-instances Powercode-RM routing-options static route 149.28.116.2/32 next-hop 10.10.100.254

    set firewall filter PBR term Powercode from source-address 10.0.0.0/8
    set firewall filter PBR term Powercode from destination-address 149.28.116.2/32
    set firewall filter PBR term Powercode then routing-instance Powercode-RM
    set firewall filter PBR term Accept-All then accept

    set routing-options interface-routes rib-group inet FBF-Powercode
    set routing-options rib-groups FBF-Powercode import-rib inet.0
    set routing-options rib-groups FBF-Powercode import-rib Powercode-RM.inet.0

    set interfaces ae0 unit 0 family inet filter input PBR

    *********************************************************************************************

    }
    ge-0/0/47 {
        unit 0 {
            description "Management Link to EMP-CLE.MGMT.EX3300";
            family inet {
                address 10.10.100.55/24;
            }
        }
    }
    ae0 {
        description "40G LACP to Everstream VPLS";
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family inet {
                address 172.20.101.1/30;
                address 172.20.102.1/30;
                address 172.20.103.1/30;
                address 172.20.105.1/30;
                address 172.20.106.1/30;
                address 172.20.107.1/30;
            }
        }
    }
    ae1 {
        description "20G LACP to EMP-CLE.EDGE-FW01.CCR1072";
        aggregated-ether-options {
            lacp {
                active;
            }
        }
        unit 0 {
            family inet {
                address 10.0.99.42/30;
            }
        }
    }
    routing-options {
        nonstop-routing;
        static {
            route 0.0.0.0/0 {
                next-hop 10.0.99.41;
                preference 225;
            }
            route 192.168.99.0/24 next-hop 10.10.100.254;
            route 192.168.104.0/24 next-hop 10.10.100.254;
            route 192.168.105.0/24 next-hop 10.10.100.254;
        }
        autonomous-system 25814;
    }
    protocols {
        bgp {
            group eBGP-Everstream {
                type external;
                export BGP-Everstream-Announce;
                peer-as 19009;
                local-as 25814;
                neighbor 64.85.x.x;
            }
            group iBGP-Edge-01-CCR1072 {
                type internal;
                export ibgp-edge01-ccr1072-announce;
                peer-as 25814;
                local-as 25814;
                neighbor 64.85.x.x;
            }
            group iBGP-Edge-02-CCR1072 {
                type internal;
                export ibgp-edge02-ccr1072-announce;
                peer-as 25814;
                local-as 25814;
                neighbor 64.85.x.x;
            }
            group eBGP-JJC-CCR1036 {
                type external;
                export ebgp-tower-vpls-announce;
                peer-as 65101;
                local-as 25814;
                neighbor 172.20.101.2;
            }
            group eBGP-Clarke-Tower-CCR1036 {
                type external;
                export ebgp-tower-vpls-announce;
                peer-as 65102;
                local-as 25814;
                neighbor 172.20.102.2;
            }
            group eBGP-Metro-CCR1036 {
                type external;
                export ebgp-tower-vpls-announce;
                peer-as 65103;
                local-as 25814;
                neighbor 172.20.103.2;

    firewall {
        family inet {
            filter RA-FILTER {
                term SSH {
                    from {
                        source-address {
                            69.54.49.182/32;
                            69.54.49.178/32;
                            192.168.99.0/24;
                            10.10.100.0/24;
                            172.20.0.0/16;
                            192.168.105.0/24;
                        }
                        protocol tcp;
                        destination-port ssh;
                    }
                    then accept;
                }
                term SSH-Block {
                    from {
                        protocol tcp;
                        destination-port ssh;
                    }
                    then {
                        discard;
                    }
                }
                term DEFAULT-Allow {
                    then accept;
                }
            }

    atetu@emp-cle.core-01.qfx5100> show route table inet.0

    inet.0: 33 destinations, 34 routes (32 active, 0 holddown, 1 hidden)
    + = Active Route, - = Last Active, * = Both

    0.0.0.0/0          *[Static/225] 11w1d 01:35:22
                        > to 10.0.99.41 via ae1.0
    10.0.99.40/30      *[Direct/0] 11w1d 01:35:22
                        > via ae1.0
    10.0.99.42/32      *[Local/0] 11w2d 00:11:46
                          Local via ae1.0
    10.0.99.46/32      *[Local/0] 11w2d 00:11:26
                          Reject
    10.10.100.0/24     *[Direct/0] 6w0d 12:32:59
                        > via ge-0/0/47.0
    10.10.100.55/32    *[Local/0] 11w1d 01:45:59
                          Local via ge-0/0/47.0
    10.50.104.0/24     *[BGP/170] 01:53:38, localpref 100
                          AS path: 65103 65104 I, validation-state: unverified
                        > to 172.20.103.2 via ae0.0
    10.50.106.0/24     *[Static/5] 1w1d 01:12:21
                        > to 172.20.106.2 via ae0.0
    10.60.104.0/24     *[BGP/170] 01:53:38, localpref 100
                          AS path: 65103 65104 I, validation-state: unverified
                        > to 172.20.103.2 via ae0.0
    10.103.0.0/22      *[BGP/170] 2w1d 08:28:56, localpref 100
                          AS path: 65103 I, validation-state: unverified



  • 10.  RE: QFX5100 Route-Map
    Best Answer

     
    Posted 05-21-2020 22:32

    Hi AdrianT04,

     

    I was looking at your configuration and it was looking a little odd, so I went back to my first post and realized that the first link I shared with the FBF configuration was from 2012, when the ELS software was not even around. In other words, please disregard the example I previously shared and use the following instead: https://kb.juniper.net/InfoCenter/index?page=content&id=KB34774&actp=METADATA

     

    If you want to know about the route-leaking limitations of the conventional methods and some other possible workarounds, check this (highly recommended):

    https://forums.juniper.net/t5/Routing/Filter-Based-Forwarding-in-QFX/td-p/327797

     


    If this solves your problem, please mark this post as "Accepted Solution" so we can help others too \:)/

     

    Regards,

     

    Lil Dexx
    JNCIE-ENT#863, 3X JNCIP-[SP-ENT-DC], 4X JNCIA [cloud-DevOps-Junos-Design], Champions Ingenius, SSYB
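    A complete FBF configuration for the setup discussed in this thread, in hierarchical Junos form. This is an added example for readers of the thread; it is not the configuration from KB34774 and not the original poster's fbf-config. It reuses the names from post 9 (routing instance Powercode-RM, filter PBR, rib-group FBF-Powercode), the CRM host 149.28.116.2 and the management firewall 10.10.100.254, which the route table above shows as directly connected through ge-0/0/47. The counter name Powercode-FBF is made up for this example. The term matches on destination as well as source: a forwarding instance that only holds the /32 static and the leaked direct routes cannot route anything else, so steering all 10/8 sources into it would black-hole CPE traffic to every other destination.

```junos
/* Added example: steer CPE -> CRM traffic to the mgmt firewall with FBF (QFX5100 core) */
routing-instances {
    Powercode-RM {
        instance-type forwarding;
        routing-options {
            static {
                /* the only destination this instance needs to know */
                route 149.28.116.2/32 next-hop 10.10.100.254;
            }
        }
    }
}
routing-options {
    /* leak direct/local routes (incl. 10.10.100.0/24 on ge-0/0/47) into
       Powercode-RM.inet.0 so the static next-hop 10.10.100.254 resolves */
    interface-routes {
        rib-group {
            inet FBF-Powercode;
        }
    }
    rib-groups {
        FBF-Powercode {
            import-rib [ inet.0 Powercode-RM.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter PBR {
            term Powercode {
                from {
                    source-address {
                        10.0.0.0/8;
                    }
                    destination-address {
                        149.28.116.2/32;
                    }
                }
                then {
                    count Powercode-FBF;             /* made-up counter name */
                    routing-instance Powercode-RM;
                }
            }
            /* everything else, including the eBGP sessions from the tower routers
               on 172.20.x.2, is looked up in inet.0 as before */
            term Accept-All {
                then accept;
            }
        }
    }
}
interfaces {
    ae0 {
        unit 0 {
            family inet {
                filter {
                    input PBR;
                }
            }
        }
    }
}
```

    Because the rib-group is attached only to interface-routes, nothing learned by BGP ever enters Powercode-RM.inet.0; the iBGP defaults from Edge-01 and Edge-02 live in inet.0 and only affect the traffic that falls through to term Accept-All, which answers the question in post 5. A second "default" forwarding instance is not needed for that fall-through. Since the filter sits on the interface that carries the eBGP sessions to the towers, apply it with commit confirmed, then check that show route table Powercode-RM.inet.0 lists the 149.28.116.2/32 static plus the leaked direct routes, and that the Powercode-FBF counter in show firewall filter PBR increments while a CPE talks to the CRM.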




  • 11.  RE: QFX5100 Route-Map

    Posted 05-22-2020 10:28

    LilDexx,

     

    Thanks for all your help on this! It's much appreciated.

     

    -AT