Topic: tech juniper jir prev next
tech juniper jir > 05: Filter-Based Forwarding (FBF)
In traditional routing, the router looks only at the destination address to determine the route. FBF looks at other characteristics.
To enable FBF, a match filter is created and applied to the interface on
which traffic is received. This filter matches traffic with a routing
instance. The routing instance contains unique routing tables to route traffic
to its destination along an associated path. Finally, a RIB group shares
interface routes between instances so that directly connected next hops can be
resolved.
Example match filter;
firewall {
family inet {
filter filter-name {
term term-name {
from {
match-conditions
}
then {
routing-instance instance-name
}
}
}
}
}
match-conditions would be, for example, the source IP address.
The filter must be applied as an input filter on the ingress interface. Note
that the default action on a firewall filter is discard. Therefore, all
traffic should be accounted for in the defined filter.
The then clause directs traffic to another routing instance. Two
possibilities are shown for the 0.0.0.0/0 route. A static route to another
IP address, and a lookup in another routing table;
routing-instances {
instance-name {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop ip-address;
route 0.0.0.0/0 next-table inet.0;
}
}
}
}
A RIB group is created to resolve directly connected next hops;
routing-options {
interface-routes {
rib-group inet group-name;
}
rib-groups {
group-name {
import-rib [ inet.0 instance-name.inet.0 ];
}
}
}
A complete example follows. A router has two local networks and two ISP connections. Connections from each local network should be directed to a different ISP connection.
firewall {
family inet {
filter isp-match-filter {
term match-subnet-a {
from {
source-address {
172.25.0.0/24;
}
}
then {
routing-instance isp-a;
}
}
term match-subnet-b {
from {
source-address {
172.25.1.0/24;
}
}
then {
routing-instance isp-b;
}
}
term else-accept {
then {
accept;
}
}
}
}
}
interfaces {
ge-0/0/1 {
unit 0 {
family inet {
filter {
input isp-match-filter;
}
address 172.25.0.1/24;
address 172.25.1.1/24;
}
}
}
}
routing-instances {
isp-a {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 172.20.0.2;
}
}
}
isp-b {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 next-hop 172.20.1.2;
}
}
}
}
routing-options {
interface-routes {
rib-group inet isp-redistribute;
}
rib-groups {
isp-redistribute {
import-rib [ inet.0 isp-a.inet.0 isp-b.inet.0 ];
}
}
}
show route table isp-a.inet.0
traceroute -s 172.25.1.1 ...
Without the else-accept term, the above example would not forward traffic
from outside of the two defined local networks to either ISP. This is because
the firewall filter discards any traffic that has not matched. Traffic
matching the else-accept term will be forwarded using the master routing
instance.
Using the instance-import option instead of rib-groups. This example
imports the master routing table into the isp-a table; i.e. it imports routes
from the master inet.0 table into isp-a.inet.0.
policy-options {
policy-statement isp-a-import {
from instance master;
then accept;
}
}
routing-instances {
isp-a {
routing-options {
instance-import isp-a-import;
}
}
}