Re: [j-nsp] different default for different vlans
Hi,

A simple example for FBF would look like this:

    l...@cs-m10i> show configuration groups tdb-fbf logical-routers manhattan routing-instances
    manhattan-alternate {
        instance-type forwarding;
    }

    l...@cs-m10i> show configuration groups tdb-fbf logical-routers manhattan routing-options
    interface-routes {
        rib-group inet if-route;
        family inet {
            import local-comm;
        }
    }
    rib-groups {
        if-route {
            import-rib [ inet.0 manhattan-alternate.inet.0 ];
        }
    }

And then a filter that puts the traffic into the correct routing instance:

    l...@cs-m10i> show configuration groups tdb-fbf firewall
    filter manhattan-fbf {
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
            }
            then {
                logical-router manhattan routing-instance manhattan-alternate;
            }
        }
        term 2 {
            then accept;
        }
    }

You can configure a different 0/0 static route inside the routing-instance ...

Cheers,
Truman

On 24/03/2009, at 5:06 AM, Nilesh Khambal wrote:

> Hi,
>
> Sorry, but I am not familiar with EX CLI. I presumed it would be the same as any
> other M/T/MX CLI. Please feel free to check with JTAC on this.
>
> However, I still think you can achieve what you want using policy based routing.
> An ingress filter (Layer3) on your LAN interface will forward all the traffic from
> the local VLAN to a routing-instance (or LR or VR) which hosts the interface to
> your proxy server. This routing-instance will also have the other Layer3
> interfaces on this EX (protocol direct) via route redistribution using rib-groups.
> This way, if the traffic is for one of the locally attached subnets, it will be
> routed locally using the redistributed direct routes; else it will be routed out
> using the default route via the proxy.
>
> Thanks,
> Nilesh.
>
> Cord MacLeod wrote:
>> I wish it were. This is all traffic except for local traffic. Any explanation
>> for why the ex4200 doesn't have the except keyword?
>>
>> On Mar 20, 2009, at 6:55 PM, Nilesh Khambal wrote:
>>> Are you using the proxy just for http and https? If so, then can you be
>>> specific in the filters with protocol and ports. You can add a default accept
>>> at the end of the filter to accept all other traffic that does not match http
>>> or https. Traffic accepted by the default accept will get routed using the
>>> inet.0 routing table. This way you don't have to use except in filter terms.
>>>
>>> Thanks,
>>> Nilesh
>>>
>>> Cord MacLeod wrote:
>>>> That would be great, and I thought of it just after I sent the email.
>>>> There's one big thing I'm missing though... except.
>>>>
>>>> From an m7:
>>>>     Possible completions:
>>>>       [Enter]    Execute this command
>>>>       except     Match address not in this prefix
>>>>
>>>> From an ex4200:
>>>>       [Enter]    Execute this command
>>>>
>>>> In other words, all of my traffic would hit this proxy and it would break
>>>> routing between the vlans if I use policy based routing and can't use except.
>>>>
>>>> On Mar 20, 2009, at 6:37 PM, Nilesh Khambal wrote:
>>>>> Can you try policy based routing using an input firewall filter on the EX?
>>>>> This way you can redirect the traffic to another forwarding-instance where
>>>>> your proxy resides. You will also have to take care of reverse routing from
>>>>> the proxy forwarding instance back to inet.0 on the EX so that return
>>>>> traffic can go back to the client VLANs.
>>>>>
>>>>> Thanks,
>>>>> Nilesh.
>>>>>
>>>>> Cord MacLeod wrote:
>>>>>> I feel silly for asking this, but apparently my brain isn't working today.
>>>>>>
>>>>>> I've got some machines in a public vlan, 100, and some RFC 1918 machines on
>>>>>> another vlan, 120. I redistribute 0.0.0.0 in ospf through my network down
>>>>>> to these EX4200's that the machines are hanging off of. Is there a way for
>>>>>> my RFC 1918 machines to default to a different next hop (proxy machine)
>>>>>> when not attempting to route between vlans so they can hit outside? The
>>>>>> way we do it now is changing the default gateway on the machines. I'd like
>>>>>> to perform this automatically on the ex4200s if possible.
>>>>>>
>>>>>> Any ideas?

_______________________________________________
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
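As an added illustration (not configuration posted by anyone in this thread), the FBF pattern from Truman's example combined with the rib-group leak Nilesh describes, written for the EX4200 scenario Cord asked about: local prefixes are accepted by an earlier term, so the missing "except" keyword is never needed, and the leaked direct routes mean anything that does land in the forwarding instance still reaches the attached subnets directly. Assumed and made up: VLAN 100 is 192.0.2.0/24, VLAN 120 is 10.120.0.0/24 with its RVI vlan.120 already addressed, the proxy is 10.130.0.2 on a separate VLAN 130 whose RVI carries no filter, and the instance and filter names are placeholders.

```junos
routing-instances {
    via-proxy {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.130.0.2;
            }
        }
    }
}
routing-options {
    interface-routes {
        /* copy every directly connected route into via-proxy.inet.0 as well */
        rib-group inet leak-direct;
    }
    rib-groups {
        leak-direct {
            import-rib [ inet.0 via-proxy.inet.0 ];
        }
    }
}
firewall {
    family inet {
        filter vlan120-fbf {
            /* traffic for the other local VLAN is accepted here and routed in inet.0 */
            term local-vlans {
                from {
                    destination-address {
                        192.0.2.0/24;
                    }
                }
                then accept;
            }
            /* everything else is looked up in via-proxy.inet.0 and follows its 0/0 */
            term everything-else {
                then routing-instance via-proxy;
            }
        }
    }
}
interfaces {
    vlan {
        unit 120 {
            family inet {
                filter {
                    input vlan120-fbf;
                }
            }
        }
    }
}
```

If the proxy sits on VLAN 120 itself, add a term before everything-else that accepts traffic sourced from the proxy's own address; otherwise the proxy's internet-bound packets are redirected straight back to it. Confirm the leak worked with "show route table via-proxy.inet.0", which should list the direct routes next to the static default.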
Re: [j-nsp] different default for different vlans
Can you try policy based routing using an input firewall filter on the EX? This way you can redirect the traffic to another forwarding-instance where your proxy resides. You will also have to take care of reverse routing from the proxy forwarding instance back to inet.0 on the EX so that return traffic can go back to the client VLANs.

Thanks,
Nilesh.

Cord MacLeod wrote:
> I feel silly for asking this, but apparently my brain isn't working today.
>
> I've got some machines in a public vlan, 100, and some RFC 1918 machines on
> another vlan, 120. I redistribute 0.0.0.0 in ospf through my network down to
> these EX4200's that the machines are hanging off of. Is there a way for my
> RFC 1918 machines to default to a different next hop (proxy machine) when not
> attempting to route between vlans so they can hit outside? The way we do it now
> is changing the default gateway on the machines. I'd like to perform this
> automatically on the ex4200s if possible.
>
> Any ideas?
Re: [j-nsp] different default for different vlans
Are you using the proxy just for http and https? If so, then can you be specific in the filters with protocol and ports. You can add a default accept at the end of the filter to accept all other traffic that does not match http or https. Traffic accepted by the default accept will get routed using the inet.0 routing table. This way you don't have to use except in filter terms.

Thanks,
Nilesh

Cord MacLeod wrote:
> That would be great, and I thought of it just after I sent the email. There's
> one big thing I'm missing though... except.
>
> From an m7:
>     Possible completions:
>       [Enter]    Execute this command
>       except     Match address not in this prefix
>
> From an ex4200:
>       [Enter]    Execute this command
>
> In other words, all of my traffic would hit this proxy and it would break
> routing between the vlans if I use policy based routing and can't use except.
>
> On Mar 20, 2009, at 6:37 PM, Nilesh Khambal wrote:
>> Can you try policy based routing using an input firewall filter on the EX?
>> This way you can redirect the traffic to another forwarding-instance where
>> your proxy resides. You will also have to take care of reverse routing from
>> the proxy forwarding instance back to inet.0 on the EX so that return traffic
>> can go back to the client VLANs.
>>
>> Thanks,
>> Nilesh.
>>
>> Cord MacLeod wrote:
>>> I feel silly for asking this, but apparently my brain isn't working today.
>>>
>>> I've got some machines in a public vlan, 100, and some RFC 1918 machines on
>>> another vlan, 120. I redistribute 0.0.0.0 in ospf through my network down to
>>> these EX4200's that the machines are hanging off of. Is there a way for my
>>> RFC 1918 machines to default to a different next hop (proxy machine) when
>>> not attempting to route between vlans so they can hit outside? The way we do
>>> it now is changing the default gateway on the machines. I'd like to perform
>>> this automatically on the ex4200s if possible.
>>>
>>> Any ideas?
Re: [j-nsp] different default for different vlans
Or this can be a good opportunity for the EX or proxy to send an icmp redirect (sometimes they are useful) back to the hosts in order to find the correct gateway for a given destination. My suggestion is having the proxy be the gateway and providing the proxy with a next hop of the EX for inter-vlan traffic. If your proxy is a *nix variant you can check if redirects are enabled with:

    sysctl -a | grep -i redirect

I think most are by default.

> I wish it were. This is all traffic except for local traffic. Any explanation
> for why the ex4200 doesn't have the except keyword?
>
> On Mar 20, 2009, at 6:55 PM, Nilesh Khambal wrote:
>> Are you using the proxy just for http and https? If so, then can you be
>> specific in the filters with protocol and ports. You can add a default accept
>> at the end of the filter to accept all other traffic that does not match http
>> or https. Traffic accepted by the default accept will get routed using the
>> inet.0 routing table.
>>
>> This way you don't have to use except in filter terms.
>>
>> Thanks,
>> Nilesh
>>
>> Cord MacLeod wrote:
>>> That would be great, and I thought of it just after I sent the email.
>>> There's one big thing I'm missing though... except.
>>>
>>> From an m7:
>>>     Possible completions:
>>>       [Enter]    Execute this command
>>>       except     Match address not in this prefix
>>>
>>> From an ex4200:
>>>       [Enter]    Execute this command
>>>
>>> In other words, all of my traffic would hit this proxy and it would break
>>> routing between the vlans if I use policy based routing and can't use except.
>>>
>>> On Mar 20, 2009, at 6:37 PM, Nilesh Khambal wrote:
>>>> Can you try policy based routing using an input firewall filter on the EX?
>>>> This way you can redirect the traffic to another forwarding-instance where
>>>> your proxy resides. You will also have to take care of reverse routing from
>>>> the proxy forwarding instance back to inet.0 on the EX so that return
>>>> traffic can go back to the client VLANs.
>>>>
>>>> Thanks,
>>>> Nilesh.
>>>>
>>>> Cord MacLeod wrote:
>>>>> I feel silly for asking this, but apparently my brain isn't working today.
>>>>>
>>>>> I've got some machines in a public vlan, 100, and some RFC 1918 machines
>>>>> on another vlan, 120. I redistribute 0.0.0.0 in ospf through my network
>>>>> down to these EX4200's that the machines are hanging off of. Is there a
>>>>> way for my RFC 1918 machines to default to a different next hop (proxy
>>>>> machine) when not attempting to route between vlans so they can hit
>>>>> outside? The way we do it now is changing the default gateway on the
>>>>> machines. I'd like to perform this automatically on the ex4200s if
>>>>> possible.
>>>>>
>>>>> Any ideas?

-- 
Sergio Danelli