Junos OS

Hello,

currently we do redirect traffic coming from interface xe-0/0/1 to ae1, on which an traffic analyzer sits.

The analyzer forwards any traffic transparently to ae2, which then forwards any packets to the downstream via default route.

Problem is now, that in traceroute the routing-instance on ae2 is visible with its ip-address (10.10.10.1).

We dont want this hop to be visible, how to achieve this?

I tried to inject a static route to downstream(10.10.10.9) into routing-instance "TO-ANALYZER" with the "next-interface ae0" attribute, but the route is not visible in the table (not getting active), I think because the address is not reachable directly on interface ae1, which belongs to this routing-instance..

I think bridge-protocol is also not right, because it would not force the traffic through the external device(analyzer).

Current config(which is working, but shows additional hop in trace):

show int xe-0/0/1
xe-0/0/1 {
    unit 0 {
        family inet {
            filter {
                input redirect;
            }
        }                               
    }                                   
}
show int ae0
ae1 {
    description TO-DOWNSTREAM;
    unit 0 {
        family inet {
            address 10.10.10.8/31;
        }
    }
}

show int ae1
ae1 {
    description TO-ANALYZER;
    unit 0 {
        family inet {
            address 10.10.10.0/31;
        }
    }
}

show int ae2
ae2 {
    description FROM-ANALYZER;
    unit 0 {
        family inet {
            address 10.10.10.1/31;
        }
    }
} 


show firewall filter redirect
term redirect {
    then {
        routing-instance TO-ANALYZER;
    }
}

show routing-instances
FROM-ANALYZER {
    instance-type virtual-router;
    interface ae2.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.10.10.9;
        }
    }
}
TO-ANALYZER {
    instance-type virtual-router;
    interface ae1.0;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.10.10.1;
        }
    }
}

Thanks alot for your help beforehand!

kind regards

B. Light

Hello,

I guess You actually have MX204, not 205 

And most straightforward way to achieve what You want is to make exception for ICMP Echo (for Windows tracert) and UDP port range 33434 to 33534 (for Linux/UNIX traceroute) in Your "redirect" filter so they are not getting redirected.

Of course, this would work only for clueless users; and clued up ones could change the default UDP port when using Linux/UNIX traceroute, or use TCP traceroute with random port - but then perhaps You can just except low TTL traffic : assuming Your users are known number of hops (1-2 hops) away, You could add this exception:

set firewall family inet filter redirect term except-trace from ttl [ 1 2 ]
set firewall family inet filter redirect term except-trace then accept

Don't forget to put this exception ABOVE Your "then routing-instance" FW filter term!

Anything else would require more complex changes, or redesigning Your analyzer topology.

HTH

Thx

Alex 

thanks, thats a clever idea!

downside is, that the analyzer wouldn't see those packets anymore - is there no other solution?

Hello,

---

@brighty wrote:

 

downside is, that the analyzer wouldn't see those packets anymore 

 

---

Counter question is why do You want to analyze packets which would expire anyway on Your MX204?

---

@brighty wrote:

is there no other solution?

 

---

Plenty. Assuming You actually have analyzer (completely unintrusive/passive) and not a packet filtering/blocking device: 

1/ if Your ask is to "mask" the replies from  10.10.10.8 as * (asterisks) and not actually omit the traceroute line where replies from 10.10.10.9 are going to be, You can block the ICMP TTL exceeded from 10.10.10.9 inbound to MX204 

2/ Buy fiber optic taps and re-plug Your analyzer as tee (between MX204 and upstream router), not hairpin

3/ Use port mirror to copy packets to anaylzer. 

HTH

Thx

Alex