FBF or filter-based forwarding is a confusing concept at first, especially if you are new to concept of rib-groups. Lets see a very simple example

Reference – http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223 and Junos SRX




METHOD 1 – Via static default route in Instance

Make sure Traffic from takes path to isp-a and takes path to isp-b when they are trying to access

First let us verify if SRX has the route to and see it preference , looking at the output, srx is preferring isp-a


Let us verify from end-nodes by doing a trace route


okay, we have a problem here

-> we can only choose one path in srx , either isp-a or isp-b, sure you can do load balancing but that will not fetch what we want

-> we need to instruct SRX to send traffic from to isp-b and to ispa , again this is a challenge as srx is only preferring isp-a as of now

Let us construct two routing-instance for this requirement, one for forwarding traffic to isp-a and one for forwarding traffic to isp-b and then apply a firewall filter to diver the traffic



Apply it to the incoming interface from LAN


once we are done with this, we now have to make sure routing-instances are forwarding to correct-next hop, static routing makes it lot easier here.


Remember we have till now have only done the forward-path, we have to make sure the return traffic when hits the  routing-instance ispa it should be properly forwarded as well.

To make it clear, when you issue a show route , do you see routes populated in ispa and ispb instance ?


Here comes rib-groups


Do not forget the policy for intra-zone traffic on SRX


Final Verification


Rakesh M