Hello,
@MFB wrote:
Hi, is it possible to send a specific application port to a LSP/MPLS service?
Yes, it is possible in JUNOS. What is your HW/product model and JUNOS version?
@MFB wrote:
So is it possible to match destination port 443 incoming on R1 and send that down a LSP/MPLS service, use TE to steer SSL traffic over the 600Mbps Fibre line back to R3, then return source 443 back the same TE route to R1, for all other ports/traffic it can just use the current shortest path down/up the 300Mbps link.
The "canonic" and most compatible way is to use JUNOS Filter Based Forwarding feature with dedicated VRF routing instance and RSVP-TE LSP.
The high-level algorithm is as follows:
1/ create a dedicated RSVP LSP that goes the way You want from R1 to R3
2/ create a MPLS VRF on R1 and R3, let's call it VRF443 for example. Do NOT put any interfaces into it.
3/ on R1, map this VRF443 to dedicated RSVP-TE LSP You created in step 1 and map all other traffic to other RSVP-TE LSPs https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/install-nexthop-edit-policy-options.html
4/ on R1, create a FW filter which matches on Your access interfaces, say, ge-0/0/0.0 and ge-0/0/2.0; and TCP/dst.port 443 like below
set firewall family inet filter FBF443 term t1 from destination-port 443
set firewall family inet filter FBF443 term t1 from protocol tcp
set firewall family inet filter FBF443 term t1 from interface ge-0/0/0.0
set firewall family inet filter FBF443 term t1 from interface ge-0/0/2.0
set firewall family inet filter FBF443 term t1 then routing-instance VRF443
set firewall family inet filter FBF443 term t1 then accept
set firewall family inet filter FBF443 term else then accept
5/ assign this filter to the R1 forwarding-table
set forwarding-options family inet filter input FBF443
6/ on R1, leak the return routes from inet.0 to VRF443, advertise these return routes via MP-BGP to R3
7/ repeat steps 1-3 for R3
8/ on R3, create a static 0/0 route inside VRF443 pointing to inet.0:
set routing-instances VRF443 routing-options static route 0/0 next-table inet.0
9/ on R3, advertise this 0/0 route via MP-BGP from R3 to R1
10/ on R3, create a FW filter that matches on TCP/src.port 443 and access interfaces, similar to step 4, and assign it to forwarding table
11/ You should be good to go - in case of any issues ask Your Juniper Account team for help from Juniper Professional Services!
One more thing - do not waste Your time with another flavor of JUNOS FBF where "then next-ip" filter action is used, it does not work with "next-ip" IP that is NOT directly connected. People usually get excited when they discover this option, thinking it saves them time and effort, but it is not the case.
Finally, if You are really brave and Your HW supports it, You can explore colored Segment Routing Traffic Engineering (colored SRTE) instead of RSVP-TE - it will save You a few lines of code and will make future FBF efforts more scalable 😀
HTH
Thx
Alex
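
Steps 1-3 on R1, which the reply above describes only in words, sketched as set commands. This is an added example, not part of Alex's post: the LSP, path, policy and community names, the addresses (documentation range), the AS number and the route target are all placeholders, and RSVP/MPLS are assumed to be enabled on the core interfaces already.

```junos
# Step 1: two RSVP-TE LSPs from R1 to R3 (192.0.2.3 = placeholder R3 loopback).
# R1-R3-443 is pinned to the 600Mbps path through a placeholder hop 192.0.2.2;
# R1-R3-DEFAULT is left to follow the normal shortest path.
set protocols mpls path VIA-600M 192.0.2.2 strict
set protocols mpls label-switched-path R1-R3-443 to 192.0.2.3
set protocols mpls label-switched-path R1-R3-443 primary VIA-600M
set protocols mpls label-switched-path R1-R3-DEFAULT to 192.0.2.3

# Step 2: the VRF used only as a lookup table for port-443 traffic.
# No interfaces are placed in it (placeholder RD and route target).
set routing-instances VRF443 instance-type vrf
set routing-instances VRF443 route-distinguisher 65000:443
set routing-instances VRF443 vrf-target target:65000:443

# Step 3: pick the LSP per route when it is installed in the forwarding table.
# Routes carrying the VRF443 route target resolve over R1-R3-443,
# everything else over R1-R3-DEFAULT.
set policy-options community RT-VRF443 members target:65000:443
set policy-options policy-statement LSP-MAP term vrf443 from community RT-VRF443
set policy-options policy-statement LSP-MAP term vrf443 then install-nexthop lsp R1-R3-443
set policy-options policy-statement LSP-MAP term vrf443 then accept
set policy-options policy-statement LSP-MAP term other then install-nexthop lsp R1-R3-DEFAULT
set policy-options policy-statement LSP-MAP term other then accept
set routing-options forwarding-table export LSP-MAP
```

Without the second term, routes outside VRF443 can still resolve over either LSP to R3, so port-443 and non-443 traffic would not be cleanly separated.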