SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Policy based routing and source routing on srx210

    Posted 08-21-2009 03:43

    Hi,

     

    I have just configured PBR on an SRX210 using a firewall filter.

    The goal was to redirect FTP traffic to isp1 and other traffic to isp2.

     

    Now what I want to achieve is resiliency: when isp1 is down, FTP traffic will still transit using isp2, and the same for the other traffic when isp2 is down.

     

    Other question: how do I implement source-based routing?

     

    Many thanks 



  • 2.  RE: Policy based routing and source routing on srx210

    Posted 08-21-2009 06:34

    All that you need is a way to make the routes to isp1 inactive when it is not ready to handle traffic. The same for isp2.

     

    The PBR won't send any traffic through inactive routes.

     

    There are some references on how to achieve this with event-scripts & RPM (track-ip behavior).

     

    Xavi



  • 3.  RE: Policy based routing and source routing on srx210

    Posted 08-21-2009 06:41

    OK

    I will look at that as I am not very "fluent" in Junos, or maybe you have a set of commands to do that....:)

    Any suggestion for source-based routing? I see that I can enable source routing on the routing instance, then what must I do?

     

    many thanks



  • 4.  RE: Policy based routing and source routing on srx210

    Posted 08-21-2009 07:19
    Take a look at the thread at http://forums.juniper.net/jnet/board/message?board.id=JUNOS&message.id=222&query.id=532507#M222

    I'll try to find an example for you. Do you have any email account where I could send some attachments?


  • 5.  RE: Policy based routing and source routing on srx210

    Posted 08-21-2009 08:07

    Thank you for the link, which I will check right now.

    I think my email is visible in my profile but here it is:

     

    farid.bouzemarene

     

    _at_

     

    magirus.com

     

    many thanks



  • 6.  RE: Policy based routing and source routing on srx210

    Posted 08-24-2009 03:28

    Hi all, I'm also struggling a bit with the SRX gateways. Is there any documentation or examples for a PBR setup?

    I'm trying to create a filter with destination port 80 to go to a different next hop, but there is no next-hop option in the filter actions.

    How would I do that?



  • 7.  RE: Policy based routing and source routing on srx210

    Posted 08-24-2009 03:49

    Hi,

     

    You have to create a forwarding-type routing instance (where you will add a static route for 0.0.0.0/0 and the next-hop for your router), and the filter action has to be routing-instance, where you will specify the name of the routing instance that you created earlier.

     

    Let me know if it helps ....



  • 8.  RE: Policy based routing and source routing on srx210

    Posted 08-24-2009 04:02

    Ah OK, that's perfect, so for my setup I'll have three routing instances.
     
    Local LAN

    Main Mpls Router

    Backup ADSL Link

     

    But then which is the best way to fail over between the routing instances, BFD or periodic events?

    Because I want to push all web traffic over the ADSL and the rest via the main link with QoS, and then fail over vice versa between both.

    But I see I get route loop errors when I try to route between the instances, so what instance-type did you use?

    Message Edited by Exyza_1 on 08-24-2009 04:47 AM


  • 9.  RE: Policy based routing and source routing on srx210

    Posted 08-24-2009 07:08
    forwarding instance


  • 10.  RE: Policy based routing and source routing on srx210

    Posted 12-10-2009 02:45


  • 11.  RE: Policy based routing and source routing on srx210
    Best Answer

    Posted 12-12-2009 13:12

    Another example:

     

     

    # Two routing instances that give filtered packets a new default
    # route. The forwarding instances rewrite the routing information
    # for the current, filtered packet.
    
    [edit]
    lab@srx# show routing-instances
    pbr_ge-7 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.10.7.1;
            }
        }
    }
    pbr_pp0 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    qualified-next-hop pp0.0;
                }
            }
        }
    }
    
    
    
    
    [edit]
    lab@srx# show routing-options
    # All "normal" interface routes are imported via the RIB group from
    # route table inet.0 into the routing instances pbr_ge-7 and pbr_pp0.
    
    interface-routes {
        rib-group inet rg-pbr;
    }
    
    # Different metrics for fallback and testing purposes.
    # All of these interfaces are "external" in this lab.
    
    static {
        route 0.0.0.0/0 {
            qualified-next-hop 10.10.6.1 {
                metric 2;
                interface fe-0/0/6.0;
            }
            qualified-next-hop 10.10.7.1 {
                metric 3;
                interface fe-0/0/7.0;
            }
            qualified-next-hop pp0.0 {
                metric 4;
            }
        }
        route 192.168.200.0/24 {
            next-hop st0.0;
            qualified-next-hop st0.1 {
                metric 2;
            }
        }
    }
    # import statement for the "forwarding instances" (why is this import
    # not export?)
    rib-groups {
        rg-pbr {
            import-rib [ inet.0 pbr_ge-7.inet.0 pbr_pp0.inet.0 ];
        }
    }
    
    # The interface in the trust security zone. A filter for incoming
    # packets is applied here.
    
    [edit]
    lab@srx# show interfaces ge-0/0/0
    unit 0 {
        family inet {
            filter {
                input trust-untrust;
            }
            address 192.168.100.1/24;
        }
    }
    # A filter that matches packets from the trusted network with HTTP as
    # the destination port. These packets are forwarded to routing instance
    # pbr_pp0, which rewrites the default route so that they leave via the
    # DSL interface. All other packets pass the filter without a change
    # in routing.
    
    [edit firewall family inet]
    lab@srx# show
    filter trust-untrust {
        term from-trust {
            from {
                source-address {
                    192.168.100.0/24;
                }
                destination-port 80;
            }
            then {
                routing-instance pbr_pp0;
            }
        }
        term allow-any {
            then accept;
        }
    }
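
Added example (not part of the original posts): a variant of the pbr_pp0 and pbr_ge-7 forwarding instances from post 11 that addresses the resiliency question from post 1 by giving each instance a second, higher-metric default next hop. The metric values and the choice of fallback next hop are assumptions; the addresses and interface names are those of the lab configuration above.

```junos
routing-instances {
    pbr_pp0 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    # Preferred exit for traffic the filter steers here (HTTP).
                    qualified-next-hop pp0.0 {
                        metric 1;
                    }
                    # Assumed fallback, used only while pp0.0 is unusable.
                    # 10.10.7.1 resolves through the interface routes that
                    # rib-group rg-pbr imports into pbr_pp0.inet.0.
                    qualified-next-hop 10.10.7.1 {
                        metric 5;
                        interface fe-0/0/7.0;
                    }
                }
            }
        }
    }
    pbr_ge-7 {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 {
                    # Preferred exit for traffic steered into this instance.
                    qualified-next-hop 10.10.7.1 {
                        metric 1;
                        interface fe-0/0/7.0;
                    }
                    # Assumed fallback over the DSL link.
                    qualified-next-hop pp0.0 {
                        metric 5;
                    }
                }
            }
        }
    }
}
```

A static next hop is only withdrawn when its interface goes down or the next hop no longer resolves, so an upstream failure with the link still up needs a reachability probe such as the RPM approach mentioned in post 2.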