Multiple Upstream and 2 private peering FBF not working properly

‎03-28-2018 07:40 PM

Hi Juniper Experts,

I have a single MX 104 router with 3 uplinks & 2 private peerings (like Google, Amazon, Facebook). I have a BGP customer with some /24 prefixes advertised and routed via ISP 1. I want specific customer IPs to go out via a specific ISP, and my customers using Facebook, Google and AWS services to be routed via private peering.

We tried FBF using a routing instance; the specified IP traffic was routed via a single ISP, even the private peering traffic. If this is an option that I can apply, please assist me with a config example to cater to the requirement above.

 

Thanks,

Muthu


Re: Multiple Upstream and 2 private peering FBF not working properly

‎03-29-2018 03:13 AM

Yes, FBF can do this for you; this is a configuration example.

 

https://www.juniper.net/documentation/en_US/junos/topics/example/firewall-filter-option-filter-based...

 

What was the configuration you had tried?

 

Typically I see missing routing-options when this does not work, either the rib group of interface routes.

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Multiple Upstream and 2 private peering FBF not working properly

‎03-29-2018 11:39 PM

Output for your reference.

 

root@Core # show firewall

filter v286-download {
    term 1 {
        from {
            destination-address {
                192.168.100.72/29;
            }
        }
        then {
            policer policer-10mb;
            accept;
        }
    }
    term 20 {
        from {
            destination-address {
                0.0.0.0/0;
            }
        }
        then {
            policer policer-10mb;
            accept;
        }
    }
}
filter v286-upload {
    term 1 {
        from {
            source-address {
                192.168.100.72/29;
            }
        }
        then {
            policer policer-10mb;
            routing-instance isp-1;
        }
    }
    term 20 {
        from {
            source-address {
                0.0.0.0/0;
            }
        }
        then {
            policer policer-10mb;
            accept;
        }
    }
}

root@Wireline-CBE# show routing-options
graceful-restart {
    restart-duration 120;
}
interface-routes {
    rib-group inet IMPORT-PHY;
}

root@Core# show routing-instances
Peering-1 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.16.16.1;
        }
    }
}
Peering-2 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.50.50.1;
        }
    }
}
isp-1 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.0.0.1;
        }
    }
}
isp-2 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.10.10.1;
        }
    }
}
isp-3 {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 10.20.20.1;
        }
    }
}

 

When we applied firewall policy inbound, outbound and peering were routed via only one ISP, even peering traffic also.

 

 


Re: Multiple Upstream and 2 private peering FBF not working properly

‎03-30-2018 11:16 AM

Hi ,

You can also configure BGP export policy to control the route advertisement.

 

Configuring Routing Policies to Control BGP Route Advertisements

 

//Regards

AD


Re: Multiple Upstream and 2 private peering FBF not working properly

‎04-02-2018 02:51 AM

This is not correct for FBF; you are creating a policer here to limit bandwidth, not sending a matching filter to a forwarding routing instance.  And for the policer you also seem to be trying to police both upload and download in the same filter.  This is not possible because filters are applied to either the input or the output of an interface, so you would need to create two policers and apply them to the appropriate section of all the desired interfaces.

For FBF your filter will use the action of then routing-instance, not policer.

And this filter will need to be applied to the ingress interface input queue where that source address traffic first enters the SRX facing your customer.  Not the ISP interface.  It detects the ingress of the traffic and uses the forwarding instance table to send it out the desired interface.

 

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Multiple Upstream and 2 private peering FBF not working properly

‎04-03-2018 11:16 AM

Hi Steve,

 

I have three different uplink providers connected with BGP, and two private peerings that also have BGP. This whole setup has been configured with failover. All my LAN prefixes are advertised to all the uplink providers. Now if a particular routing object (IP address) is routed through a specific private peering (Google, Amazon and Facebook), then both the ingress and egress traffic of that particular IP address should go through that specific private peering; at the same time all normal traffic should go through an uplink provider.

The same setup will have to work on the secondary link in case the primary uplink goes down.

Can you help with a model configuration for the above-mentioned scenario?

 

 


Re: Multiple Upstream and 2 private peering FBF not working properly

‎04-12-2018 03:41 PM

I am not following what traffic engineering you are trying to achieve.

 

BGP will work fine without modification if all you need to do is route based on the destination prefix.  Your multiple upstreams will create a blended table and spread the load.  You are advertising all the customers to all the peers so the return traffic likewise will be spread.

 

For the private connections typically setting up the desired prefixes with GCP or AWS will also work with standard BGP setups.

 

Likewise failovers will all be fine because as peers are lost due to problems or down links the route tables will automatically adjust.

 

FBF is used when you want to override the normal BGP destination routing with forced routing based on the source address or specific ports of the traffic.

 

Do you have non-standard needs to route based on source address or service port?

If not, then using normal BGP for this is the way to go.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: Multiple Upstream and 2 private peering FBF not working properly

‎04-16-2018 01:15 AM

Hi 

Need suggestion for below policy

 

 

set firewall family inet filter v30-download term 2 from destination-address 202.129.197.0/29
set firewall family inet filter v30-download term 2 then policer policer-10mb
set firewall family inet filter v30-download term 2 then accept
set firewall family inet filter v30-download term 20 from destination-address 0.0.0.0/0
set firewall family inet filter v30-download term 20 then policer policer-10mb
set firewall family inet filter v30-download term 20 then accept
set firewall family inet filter v30-upload term 2 from source-address 202.129.197.0/29
set firewall family inet filter v30-upload term 2 then policer policer-10mb
set firewall family inet filter v30-upload term 2 then routing-instance isp-2
set firewall family inet filter v30-upload term 20 from source-address 0.0.0.0/0
set firewall family inet filter v30-upload term 20 then policer policer-10mb
set firewall family inet filter v30-upload term 20 then accept
set firewall family inet filter v30-upload term 0 from destination-prefix-list GOOGLE     (Google Peering)
set firewall family inet filter v30-upload term 0 then routing-instance google
set firewall family inet filter v30-upload term 1 from destination-prefix-list Mumbai-EX  (Mumbai Internet Exchange)
set firewall family inet filter v30-upload term 1 then routing-instance Mumbai-EX

 

I applied this policy, and all the traffic goes via a single ISP (even Google and Mumbai Internet Exchange). We need all Google prefixes to go via only the Google peering routing instance, Mumbai Internet Exchange prefix traffic to go via the Mumbai-EX routing instance, and other normal traffic to go via the mentioned ISP; in case any private peering goes down, traffic should automatically be routed via the primary ISP.

How do we apply a policy so that upload and download go via the mentioned routing instance, which may be Google or Mumbai-EX? Please suggest on this.

 

Thanks,

Marimuthu.N 


Re: Multiple Upstream and 2 private peering FBF not working properly

‎04-16-2018 03:16 AM

The filter does not make sense to me.  I suspect your peerings are not getting the routes you expect.  There is no need to do FBF for destination routes as this is the normal BGP behavior with no need for special configuration:

 

set firewall family inet filter v30-upload term 0 from destination-prefix-list GOOGLE     (Google Peering)
set firewall family inet filter v30-upload term 0 then routing-instance google
set firewall family inet filter v30-upload term 1 from destination-prefix-list Mumbai-EX  (Mumbai Internet Exchange)
set firewall family inet filter v30-upload term 1 then routing-instance Mumbai-EX

 

What are the receive and advertise routes on these peers?

Are the prefixes on these lists correctly in your table?

Is your peer advertising the expected local prefixes?

 

show route advertising-protocol bgp 1.1.1.1 < google and mumbai peer address

show route receive-protocol bgp 1.1.1.1

 

It seems like you have a basic bgp peer problem here and not anything requiring FBF processing.

 

Also bear in mind that on the first match the packet will no longer be processed by the filter for terminating actions like sending to a forwarding instance.  So the following terms are then never hit.  You need to order the terms most specific to least to ensure the packets are processed in your desired order.

 

 

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home
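
The first-match behaviour described in the reply above, worked through on the v30-upload filter as an added example (not part of the thread and not Juniper code). It assumes the terms sit in the configuration in the order the posted set lines list them (2, 20, 0, 1), and the prefixes standing in for the GOOGLE and Mumbai-EX prefix lists are constructed, since the thread does not show them.

```python
import ipaddress

# Constructed stand-ins for the prefix lists, which the thread does not show.
PREFIX_LISTS = {
    "GOOGLE": ["198.51.100.0/24"],
    "Mumbai-EX": ["203.0.113.0/24"],
}

# Assumption: terms are in the order of the posted "set" lines (2, 20, 0, 1).
# Junos evaluates terms in configuration order; the term name is only a label.
POSTED = [
    ("2",  {"src": ["202.129.197.0/29"]},      "routing-instance isp-2"),
    ("20", {"src": ["0.0.0.0/0"]},             "accept"),
    ("0",  {"dst": PREFIX_LISTS["GOOGLE"]},    "routing-instance google"),
    ("1",  {"dst": PREFIX_LISTS["Mumbai-EX"]}, "routing-instance Mumbai-EX"),
]

def _in(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)

def evaluate(terms, src, dst):
    """Return (term name, action) of the first term that matches the packet."""
    for name, match, action in terms:
        if "src" in match and not _in(src, match["src"]):
            continue
        if "dst" in match and not _in(dst, match["dst"]):
            continue
        return name, action  # terminating action: later terms are not consulted
    return None, "discard"   # implicit default at the end of a Junos filter

def reorder(terms, first):
    """Move the named terms to the top, keeping the rest in their old order."""
    head = [t for n in first for t in terms if t[0] == n]
    tail = [t for t in terms if t[0] not in first]
    return head + tail

# Most specific (destination prefix lists) first, catch-all last.
FIXED = reorder(POSTED, ["0", "1"])

if __name__ == "__main__":
    flows = [("202.129.197.2", "198.51.100.10"),  # customer /29 -> GOOGLE stand-in
             ("192.0.2.50", "203.0.113.7"),       # other source -> Mumbai-EX stand-in
             ("202.129.197.2", "192.0.2.200")]    # customer /29 -> anything else
    for src, dst in flows:
        print(src, "->", dst, evaluate(POSTED, src, dst), evaluate(FIXED, src, dst))
```

In the posted order, terms 0 and 1 are never reached because term 2 or term 20 matches every packet first.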

Re: Multiple Upstream and 2 private peering FBF not working properly

‎04-16-2018 03:49 AM

I shared the log for your reference.


Re: Multiple Upstream and 2 private peering FBF not working properly

‎04-17-2018 02:48 AM

So this looks like your Mumbai prefix list.  I assume some of the prefixes you receive here are on your filter list for Google, correct?

And you don't want to use this peer for those prefixes unless the Google peer is down, correct?

If so, for your BGP import policy to Mumbai add a term at the top of the policy that, when the prefix list for Google is matched, sets the local preference to 80 for those routes.  They will be accepted but only used when the Google peer is down.

 

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home