Routing

ACX2100 Policy Based Routing Problem

04-15-2015 09:55 AM

Hi all,

 

I hope someone can help me with this issue, as I've been looking at it for the best part of two days and cannot work it out.

 

I'm trying to implement Policy Based Routing across our network for one of our customers. The majority of our network is HP, and I have the policy based routing working on them correctly, but we're about to add a Juniper hop in the middle and I really need to work out this PBR stuff before it goes live.

 

What I'm trying to achieve on the ACX2100 is that all traffic coming in on interface ge-1/1/0 with a source address of 172.16.131.0/24, 172.16.161.0/24 or 10.1.1.18/32 is forwarded out interface ge-1/1/2 to the next-hop of 172.16.255.74. (Default traffic flows in the opposite direction.)

 

Please see the network diagram below. Default Routes are represented by green arrows, and what I'm trying to achieve with Policy Based Routing is represented by the blue arrow.

 

[Image: network.JPG, the network diagram referred to above]

 

 

I'm using an ACX 2100. I've set up the Firewall Filter and the Routing-Instance, and applied the filter to an interface:

 

firewall {
   filter ssdc-chard {
        term forward-traffic {
            from {
                source-address {
                    172.16.131.0/24;
                    172.16.161.0/24;
                    10.1.1.18/32;
                }
            }
            then {
                count ssdc_count;
                log;
                routing-instance ssdc-routing-table;
            }
        }
        term allow_all {
            then accept;
        }
    }
}

 

routing-instances {
    ssdc-routing-table {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.16.255.174;
            }
        }
    }
}

 

interfaces {
    ge-1/1/0 {
        description "Uplink - Cardiff Exchange Floor 1 HP";
        flexible-vlan-tagging;
        encapsulation flexible-ethernet-services;
        unit 103 {
            description "OSPF Link";
            vlan-id 103;
            family inet {
                filter {
                    input ssdc-chard;
                }
                address 172.16.255.162/30;
            }
        }
    }

    ge-1/1/2 {
        description "Uplink - Yeovil";
        vlan-tagging;
        unit 104 {
            description "OSPF Link";
            vlan-id 104;
            family inet {
                filter {
                    input remote-ssh;
                }
                address 172.16.255.173/30;
            }
        }
    }
}

 

When I commit I get the error:

 

commit
[edit interfaces ge-1/1/0 unit 103 family inet]
  'filter'
    Referenced filter 'ssdc-chard' can not be used as default/physical interface specific with routing-instance action on ingress
error: configuration check-out failed

 

Can anyone shed some light onto this problem I'm having?

 

Many Thanks

Cameron


Re: ACX2100 Policy Based Routing Problem

04-15-2015 12:01 PM

Hi,

 

I had this problem once on an SRX device; the fix at that moment was to change the flexible-vlan-tagging on the interface to vlan-tagging. (It was some time ago.)

 

You can try if that resolves your problem.

 

ge-1/1/0 {
        description "Uplink - Cardiff Exchange Floor 1 HP";
        vlan-tagging;

Marc




Re: ACX2100 Policy Based Routing Problem

04-16-2015 02:30 AM

Thanks for the tip, I'll give that a try once I get back to the office.

I used the flexible-vlan-tagging as I was also using a bridge-domain to span customers' VLANs across the interfaces. Hopefully it will still work with the change.

Re: ACX2100 Policy Based Routing Problem

04-17-2015 03:39 AM

Hi cameroncoles,

 

Family inet is missing from the filter configuration, which might be the reason for the commit error.

One more thing: have you configured a rib-group to exchange interface-routes between vrf ssdc-routing-table and inet.0 to provide reachability through the vrf?

I'm not able to see the rib-group configuration in the configuration you have provided.

 

 

Regards,
Nupur Kanoi
Juniper Ambassador
JNCIE-ENT#520, JNCIP-SP, JNCDS-DC

Re: ACX2100 Policy Based Routing Problem

06-09-2015 10:20 AM

Thanks for the advice both, but I've tried completely removing all vlan configuration from my router and I still get the same error, so I don't believe it's that.

 

I've changed the firewall filter to have inet configuration:

 

show firewall
family inet {
    filter ssdc-chard {
        term forward-traffic {
            from {
                source-address {
                    172.16.131.0/24;
                    172.16.161.0/24;
                    10.1.1.18/32;
                }
            }
            then {
                count ssdc_count;
                log;
                routing-instance ssdc;
            }
        }
        term allow_all {
            then accept;
        }
    }
}

 

Also, I've included my full routing-options setup, see below:

 

show routing-options
interface-routes {
    rib-group inet ssdc;
}
static {
    route 0.0.0.0/0 {
        next-hop 172.16.255.161;
        preference 200;
    }
}
rib-groups {
    ssdc {
        import-rib [ inet.0 ssdc.inet.0 ];
    }
}

Still the same issue :(

 

 

 

Thanks

Cameron


Re: ACX2100 Policy Based Routing Problem

06-10-2015 03:50 AM

I've just found this on the Juniper website

 

http://www.juniper.net/techpubs/en_US/junos13.2/topics/concept/filter-based-forwarding-acx-series.ht...

 

Which says...

 

You cannot attach a filter that is either default or physical interface-specific. 

So, it looks like it just isn't possible to do what I'm trying (filter-based forwarding) on an ACX device.

 

Although I'm still a bit confused about what this actually means. Does it just mean on a physical port, or does it mean an interface with a default route attached?

 

--

 

Either way, it looks like it's not going to work. Does anyone know of any alternative to filter-based forwarding that I could use to force traffic out a different interface?

 

Thanks

Cameron

 

 


Re: ACX2100 Policy Based Routing Problem

01-03-2016 10:41 PM

Hi cameroncoles,

 

You can try using input-list instead of input under filter.
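
The suggestion in the last reply, applied to the configuration posted earlier in the thread (an added example, not posted by any participant; the thread does not confirm that it passes the commit check on the ACX2100). The filter and instance names are the ones from the later post, the static next-hop is the one from the first post, and the rib-group configuration is unchanged and omitted.

```junos
/* Added example: "input" replaced by "input-list" on ge-1/1/0 unit 103 */
firewall {
    family inet {
        filter ssdc-chard {
            term forward-traffic {
                from {
                    source-address {
                        172.16.131.0/24;
                        172.16.161.0/24;
                        10.1.1.18/32;
                    }
                }
                then {
                    count ssdc_count;
                    log;
                    routing-instance ssdc;
                }
            }
            term allow_all {
                then accept;
            }
        }
    }
}
routing-instances {
    ssdc {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.16.255.174;
            }
        }
    }
}
interfaces {
    ge-1/1/0 {
        flexible-vlan-tagging;
        unit 103 {
            vlan-id 103;
            family inet {
                filter {
                    /* changed from: input ssdc-chard; */
                    input-list ssdc-chard;
                }
                address 172.16.255.162/30;
            }
        }
    }
}
```

After a successful commit, the `ssdc_count` counter and the entries written by the `log` action show whether the three source prefixes are actually matching the `forward-traffic` term.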