Hi, Mark I have a such configure, it works as I wise, just a month ago! Here is my config: routing-options { interface-routes { rib-group inet CT; } static { route 0.0.0.0/0 next-hop 58.215.51.1; } rib-groups { CNC { import-rib [ inet.0 cnc.inet.0 ]; import-policy test; } CT { import-rib [ inet.0 cnc.inet.0 ]; import-policy test; } } } policy-options { policy-statement test { term 1 { from { route-filter 192.168.2.0/24 orlonger; route-filter 192.168.3.0/24 orlonger; } then accept; } term default { then reject; } } }
Best Regards, Jack Xu Senior Engineer Tel:(86)-13524613903 QQ:838178533 -----邮件原件----- 发件人: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] 代表 Mark Tees 发送时间: 2014年11月16日 6:45 收件人: Chris Woodfield 抄送: juniper-nsp@puck.nether.net 主题: Re: [j-nsp] Filtering rib-group imported direct routes? Hi Chris, In my lab environment (GNS3+Olives) I can apply an import-policy to the rib-group that appears to achieve the effect you are after. I vaguely remember trying this on an SRX a few years ago and it not working though. root> show configuration policy-options policy-statement rib_filter { term 1 { from { protocol direct; route-filter 10.1.2.0/30 exact; } then accept; } term else { then reject; } } root> show configuration routing-options interface-routes { rib-group inet TEST; } rib-groups { TEST { import-rib [ inet.0 test.inet.0 ]; import-policy rib_filter; } } root> show configuration routing-instances test { instance-type forwarding; routing-options { static { route 0.0.0.0/0 next-hop 10.1.2.2; } } } root> show route inet.0: 5 destinations, 5 routes (5 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.1.1.0/30 *[Direct/0] 00:34:34 > via em0.0 10.1.1.1/32 *[Local/0] 00:34:34 Local via em0.0 10.1.2.0/30 *[Direct/0] 00:34:34 > via em1.0 10.1.2.1/32 *[Local/0] 00:34:34 Local via em1.0 10.10.10.1/32 *[Direct/0] 00:34:34 > via lo0.0 test.inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 0.0.0.0/0 *[Static/5] 00:04:23 > to 10.1.2.2 via em1.0 10.1.2.0/30 *[Direct/0] 00:04:23 > via em1.0 Hope that works for you. Mark On Sun, Nov 16, 2014 at 6:27 AM, Chris Woodfield <rek...@semihuman.com> wrote: > Hi, > > I’m currently managing a setup where we’re at our edge, we're punting packets > to a routing-instance based on firewall matches in order to separate traffic > between outside client traffic (which needs to be routed through the LB on > return) and other internet-facing outbound. We have rib-groups configured for > our routing-instances to import the direct and local routes, like the below > (simplified) config example: > > routing-options { > interface-routes { > rib-group { > inet fbf-groups; > } > } > ... > rib-groups { > fbf-groups { > import-rib [ inet.0 lb1.inet.0 ] > } > } > } > ... > firewall { > family inet { > filter BOUNCE_TO_LB > from { > protocol tcp; > source-port [ 80 443 ]; > } > then { > routing-instance lb1; > } > } > } > } > ... > routing-instances { > lb1 { > instance-type forwarding; > routing-options { > static { > route 0.0.0.0/0 next-hop 1.2.3.4; > } > } > } > } > > The "lb1" routing-instance is simply a default route to the LB's gateway IP > which is a directly connected interface to the router. > > (This design is documented here: > https://www.juniper.net/documentation/en_US/junos12.3/topics/example/l > ogical-systems-filter-based-forwarding.html) > > The problem I'm having is that because this setup imports all direct and > local routes into the routing instance, packets that are punted to the > routing instance that are destined for other directly connected hosts bypass > the default route and get forwarded directly to the end host. For example, if > I have a host hanging off of interface xe-2/0/0 with address 2.2.3.4/24, and > I look in the routing-instance's table, I see: > > edge-rtr> show route table lb1.inet.0 > > lb.inet.0: XXX destinations, XXX routes (XXX active, 0 holddown, X > hidden) > + = Active Route, - = Last Active, * = Both > > 0.0.0.0/0 *[Static/5] 37w1d 15:53:29 > > to 1.2.3.4 via xe-1/0/0 > 2.2.3.4/24 *[Direct/0] 11w3d 10:42:47 > > via xe-2/0/0.0 > 2.2.3.1/32 *[Local/0] 11w3d 10:42:47 > Local via xe-2/0/0.0 > > So a packet with dest IP 2.2.3.4 goes directly to the host instead of going > to the LB, which means it has the real host IP and not the VIP's IP as its > source, which means no worky worky. > > So the question I have is this - is there a way to filter the direct and > local routes that are imported into a routing instance? In this case, I'd > only want the direct route for the subnet containing 1.2.3.4, and no other > direct routes. > > Alternatively, would it be possible to *not* import any direct routes into > the routing-instance (i.e. deleting the rib-groups syntax altogether) and > instead add the direct and/or local route manually to the routing instance, > so I can ensure that only the direct routes I need to resolve the next hop > make it into the routing instance? > > TIA, > > -Chris > > > > > > _______________________________________________ > juniper-nsp mailing list juniper-nsp@puck.nether.net > https://puck.nether.net/mailman/listinfo/juniper-nsp -- Regards, Mark L. Tees _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp _______________________________________________ juniper-nsp mailing list juniper-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/juniper-nsp