Routing

Filter Based Forwarding not working on QFX 5120 after Junos upgrade

05-05-2020 05:48 PM

Hi,

Recently I've got two QFX5120-32C with Junos 19.1R1.6 Flex preinstalled. I have two ISP uplinks, both with static default routes configured, and I've configured filter-based forwarding in order to send traffic based on source IP to a specific ISP.

 

Unfortunately, I ran into some problems configuring virtual-chassis, so I've upgraded to 19.4R1.10. After the upgrade virtual-chassis works fine, but filter-based forwarding isn't working at all.

Could anyone help me with this please?

In my case, traffic from 188.72.200.0/24 should be forwarded to ISP1 via the main inet.0 table, and traffic from 89.19.36.32/27 should be forwarded to ISP2 via a dedicated routing-instance.

Configuration for interfaces:

interfaces {
    # interface connected to ISP2
    xe-1/0/32 {
        flexible-vlan-tagging;
        unit 241 {
            vlan-id 241;
            family inet {
                address 89.19.36.65/31;
            }
        }
        unit 243 {
            vlan-id 243;
            family inet {
                address 89.19.36.67/31;
            }
        }
    }
    # l3-interface for internal network
    irb {
        unit 3057 {
            family inet {
                filter {
                    input CLASSIFY-UPLINK;
                }
                address 188.72.200.1/24;
                address 89.19.36.33/27;  # traffic from this subnet should be forwarded to ISP2
            }
        }
    }
}

Policy to leak direct routes to ISP2 from inet.0 to routing-instances

policy-options {
    policy-statement FBF-RETN-UPLINK-export {
        term leak-routes-to-gw {
            from {
                instance master;
                route-filter 89.19.36.64/31 exact;
                route-filter 89.19.36.66/31 exact;
            }
            then accept;
        }
        term default {
            then reject;
        }
    }
}

 

Routing-instances for ISP2:

routing-instances {
    RETN-UPLINK {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop [ 89.19.36.64 89.19.36.66 ];
                    bfd-liveness-detection {
                        minimum-interval 1000;
                        multiplier 3;
                    }
                }
            }
            instance-import FBF-RETN-UPLINK-export;
        }
    }
}

 

Filter-based forwarding:

policy-options {
    prefix-list RETN-PREFIX-LIST {
        89.19.36.32/27;
    }
}

firewall {
    family inet {
        filter CLASSIFY-UPLINK {
            term forward-to-retn {
                from {
                    source-prefix-list {
                        RETN-PREFIX-LIST;
                    }
                }
                then {
                    routing-instance RETN-UPLINK;
                }
            }
            term default {
                then accept;
            }
        }
    }
}

Re: Filter Based Forwarding not working on QFX 5120 after Junos upgrade

05-05-2020 05:55 PM

Routing table looks fine:

> show route

inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:30:09
                    >  to 78.140.169.58 via et-0/0/31.0      << ISP1
                       to 78.140.169.60 via et-1/0/31.0      << ISP1
78.140.169.58/31   *[Direct/0] 00:30:09
                    >  via et-0/0/31.0
78.140.169.59/32   *[Local/0] 00:30:09
                       Local via et-0/0/31.0
78.140.169.60/31   *[Direct/0] 00:30:09
                    >  via et-1/0/31.0
78.140.169.61/32   *[Local/0] 00:30:09
                       Local via et-1/0/31.0
89.19.36.32/27     *[Direct/0] 00:34:24
                    >  via irb.3057
89.19.36.33/32     *[Local/0] 00:34:24
                       Local via irb.3057
89.19.36.64/31     *[Direct/0] 00:29:17
                    >  via xe-1/0/32.241
89.19.36.65/32     *[Local/0] 00:29:17
                       Local via xe-1/0/32.241
89.19.36.66/31     *[Direct/0] 00:29:17
                    >  via xe-1/0/32.243
89.19.36.67/32     *[Local/0] 00:29:17
                       Local via xe-1/0/32.243
188.72.200.0/24    *[Direct/0] 00:34:24
                    >  via irb.3057
188.72.200.1/32    *[Local/0] 00:34:24
                       Local via irb.3057

RETN-UPLINK.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:27:58
                    >  to 89.19.36.64 via xe-1/0/32.241     << ISP2 
                       to 89.19.36.66 via xe-1/0/32.243     << ISP2 
89.19.36.64/31     *[Direct/0] 00:28:04
                    >  via xe-1/0/32.241
89.19.36.66/31     *[Direct/0] 00:28:04
                    >  via xe-1/0/32.243

 

However, traffic from 89.19.36.32/27 does not reach anywhere.

If I mirror the xe-1/0/32 interface and dump egress traffic from it, I cannot see any packets from 89.19.36.32/27.


Re: Filter Based Forwarding not working on QFX 5120 after Junos upgrade

‎05-07-2020 02:04 PM

This configuration looks fine to me. Traffic from the source should be put into your routing-instance RETN-UPLINK and then do a route lookup; the direct route is available. Normally we use rib-group to leak routes; however, instance-import should be the same. You can try rib-group to leak direct routes from global to your instance.

Can you add a counter in your FBF input filter? Let's confirm whether we have received the traffic from irb. Please also write a filter on the uplink in the output direction and see if anything is going out.

Another thing: try changing your routing-instance type to forwarding. I believe this is what we used in our examples.

Mengzhe Hu
JNCIE x 3 (SP DC ENT)
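
The lookup described in the reply above (classify by source, then route in the chosen table), modelled as an added example that is not part of the thread or Juniper code. The tables and filter are transcribed from the posts; the function names and the destination 8.8.8.8 used in testing are constructed.

```python
import ipaddress as ip

# Constructed model of the posted routing tables: (prefix, kind, next hops or interface).
TABLES = {
    "inet.0": [
        ("0.0.0.0/0", "static", ["78.140.169.58", "78.140.169.60"]),
        ("78.140.169.58/31", "direct", "et-0/0/31.0"),
        ("78.140.169.60/31", "direct", "et-1/0/31.0"),
        ("89.19.36.32/27", "direct", "irb.3057"),
        ("89.19.36.64/31", "direct", "xe-1/0/32.241"),
        ("89.19.36.66/31", "direct", "xe-1/0/32.243"),
        ("188.72.200.0/24", "direct", "irb.3057"),
    ],
    "RETN-UPLINK.inet.0": [
        ("0.0.0.0/0", "static", ["89.19.36.64", "89.19.36.66"]),
        ("89.19.36.64/31", "direct", "xe-1/0/32.241"),
        ("89.19.36.66/31", "direct", "xe-1/0/32.243"),
    ],
}
# CLASSIFY-UPLINK: first matching source prefix wins; the default term stays in inet.0.
FILTER = [("89.19.36.32/27", "RETN-UPLINK.inet.0")]

def classify(src):
    for prefix, table in FILTER:
        if ip.ip_address(src) in ip.ip_network(prefix):
            return table
    return "inet.0"

def lookup(table, dst, direct_only=False):
    """Longest-prefix match in one table; returns the route tuple or None."""
    hits = [r for r in TABLES[table]
            if ip.ip_address(dst) in ip.ip_network(r[0])
            and (r[1] == "direct" or not direct_only)]
    return max(hits, key=lambda r: ip.ip_network(r[0]).prefixlen, default=None)

def egress(src, dst):
    """Return (table, [candidate egress interfaces]) for a packet entering irb.3057."""
    table = classify(src)
    route = lookup(table, dst)
    if route is None:
        return table, []
    if route[1] == "direct":
        return table, [route[2]]
    # A static next hop resolves only if a direct route in the SAME table covers it,
    # which is why the uplink /31s are leaked into the instance.
    hops = [lookup(table, nh, direct_only=True) for nh in route[2]]
    return table, [h[2] for h in hops if h]  # ECMP candidates; a device picks one per flow
```

An empty interface list from `egress()` means the model itself has no usable path; a non-empty list combined with zero egress counters on the device points away from the configuration.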

Re: Filter Based Forwarding not working on QFX 5120 after Junos upgrade

05-07-2020 05:05 PM

As far as I understood, instance type forwarding is not supported on ELS switches:

# set routing-instances RETN-UPLINK instance-type ?
Possible completions:
  evpn-vpws            EVPN VPWS routing instance
  mpls-internet-multicast  Internet Multicast over MPLS routing instance
  virtual-router       Virtual routing instance
  vrf                  Virtual routing forwarding instance

 

I've added counters:

filter CLASSIFY-UPLINK {
    term forward-to-retn {
        from {
            source-prefix-list {
                RETN-PREFIX-LIST;
            }
        }
        then {
            count forward-to-retn;
            routing-instance RETN-UPLINK;
        }
    }
    term default {
        then accept;
    }
}
filter CATCH-FORWARDED {
    term forwarded-from-irb {
        from {
            source-prefix-list {
                RETN-PREFIX-LIST;
            }
        }
        then {
            count forwarded-from-irb;
            accept;
        }
    }
    term default {
        then accept;
    }
}
xe-1/0/32 {
    description UPLINK-RETN;
    flexible-vlan-tagging;
    unit 241 {
        vlan-id 241;
        family inet {
            filter {
                output CATCH-FORWARDED;
            }
            address 89.19.36.65/31;
        }
    }
    unit 243 {
        vlan-id 243;
        family inet {
            filter {
                output CATCH-FORWARDED;
            }
            address 89.19.36.67/31;
        }
    }
}

 

Traffic is received from irb, but nothing is going out: 

Filter: CLASSIFY-UPLINK
Counters:
Name                                                Bytes              Packets
forward-to-retn                                    208242                 2537

Filter: CATCH-FORWARDED
Counters:
Name                                                Bytes              Packets
forwarded-from-irb                                      0                    0    
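
The counter comparison from this post, automated over two snapshots, as an added example that is not part of the thread. The second snapshot carries the values posted above; the earlier snapshot and the function names are constructed.

```python
import re

# Earlier snapshot (constructed values), in the layout of the counter output posted above.
BEFORE = """Filter: CLASSIFY-UPLINK
Counters:
Name                                                Bytes              Packets
forward-to-retn                                    120130                 1460

Filter: CATCH-FORWARDED
Counters:
Name                                                Bytes              Packets
forwarded-from-irb                                      0                    0
"""
# Later snapshot: the byte and packet values from the post.
AFTER = BEFORE.replace("120130", "208242").replace("1460", "2537")

def parse_counters(text):
    """Map (filter, counter) -> packet count from the filter counter output."""
    counters, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Filter:\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        # Counter rows are: name, bytes, packets. Header rows have no digits.
        m = re.match(r"(\S+)\s+(\d+)\s+(\d+)\s*$", line)
        if m and current:
            counters[(current, m.group(1))] = int(m.group(3))
    return counters

def fbf_verdict(before, after, ingress, egress):
    """Compare packet deltas at the FBF ingress term and the uplink egress term."""
    b, a = parse_counters(before), parse_counters(after)
    d_in = a[ingress] - b.get(ingress, 0)
    d_out = a[egress] - b.get(egress, 0)
    if d_in == 0:
        return "no-match"    # nothing hit the FBF term: check prefix list and filter binding
    if d_out == 0:
        return "blackholed"  # classified on ingress but never counted leaving the uplink
    return "forwarding"
```

Working from deltas rather than absolute values keeps counts accumulated before the change under test from skewing the verdict.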

Re: Filter Based Forwarding not working on QFX 5120 after Junos upgrade

05-07-2020 05:45 PM

I've tried configuring with rib-group:

 

routing-options {
    static {
        route 0.0.0.0/0 next-hop [ 78.140.169.58 78.140.169.60 ];
    }
    interface-routes {
        rib-group inet FBF-rib;
    }
    rib-groups {
        FBF-rib {
            import-rib [ inet.0 RETN-UPLINK.inet.0 ];
        }
    }
}

routing-instances {
    RETN-UPLINK {
        routing-options {
            static {
                route 0.0.0.0/0 {
                    next-hop [ 89.19.36.64 89.19.36.66 ];
                    bfd-liveness-detection {
                        minimum-interval 1000;
                        multiplier 3;
                    }
                }
            }
        }
        instance-type virtual-router;
    }
}

 

Same result, routes exist:

 

> show route table RETN-UPLINK.inet.0

RETN-UPLINK.inet.0: 13 destinations, 13 routes (13 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:09:10
                    >  to 89.19.36.64 via xe-1/0/32.241
                       to 89.19.36.66 via xe-1/0/32.243
78.140.169.58/31   *[Direct/0] 00:11:08
                    >  via et-0/0/31.0
78.140.169.59/32   *[Local/0] 00:11:08
                       Local via et-0/0/31.0
78.140.169.60/31   *[Direct/0] 00:11:08
                    >  via et-1/0/31.0
78.140.169.61/32   *[Local/0] 00:11:08
                       Local via et-1/0/31.0
89.19.36.32/27     *[Direct/0] 00:11:08
                    >  via irb.3057
89.19.36.33/32     *[Local/0] 00:11:08
                       Local via irb.3057
89.19.36.64/31     *[Direct/0] 00:09:16
                    >  via xe-1/0/32.241
89.19.36.65/32     *[Local/0] 00:09:16
                       Local via xe-1/0/32.241
89.19.36.66/31     *[Direct/0] 00:09:16
                    >  via xe-1/0/32.243
89.19.36.67/32     *[Local/0] 00:09:16
                       Local via xe-1/0/32.243
188.72.200.0/24    *[Direct/0] 00:11:08
                    >  via irb.3057
188.72.200.1/32    *[Local/0] 00:11:08
                       Local via irb.3057

 

But traffic isn't going anywhere.


Re: Filter Based Forwarding not working on QFX 5120 after Junos upgrade

‎05-25-2020 03:17 AM

Upgrading to 19.4R2 seems to resolve this issue.


Re: Filter Based Forwarding not working on QFX 5120 after Junos upgrade

‎06-10-2020 03:58 PM

Hi Sumkin,

It is probably a bug then. If you see the problem on the latest 19.1RX or any other latest release on 19.X or 20.X, you should report it.

Regards,

Benjamin