SRX FILTERBASED FORWARDING – USING STATIC DEFAULT ROUTE and RIB-Groups
Sep 12
Hi,
FBF, or filter-based forwarding, is a confusing concept at first, especially if you are new to the concept of rib-groups. Let's see a very simple example.
Reference – http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223 and Junos SRX
Topology
Requirement
METHOD 1 – Via static default route in Instance
Make sure traffic from 172.25.1.0 takes the path to isp-a and traffic from 172.25.0.0 takes the path to isp-b when they are trying to access 7.7.7.7/32.
First let us verify that the SRX has a route to 7.7.7.7 and check its preference. Looking at the output, the SRX is preferring isp-a.
Let us verify from the end nodes by doing a traceroute.
Okay, we have a problem here:
-> We can only choose one path on the SRX, either isp-a or isp-b. Sure, you can do load balancing, but that will not give us what we want.
-> We need to instruct the SRX to send traffic from 172.25.0.0 to isp-b and traffic from 172.25.1.0 to isp-a. Again this is a challenge, as the SRX is only preferring isp-a as of now.
Let us construct two routing-instances for this requirement, one for forwarding traffic to isp-a and one for forwarding traffic to isp-b, and then apply a firewall filter to divert the traffic.
Apply it to the incoming interface from LAN
Once we are done with this, we now have to make sure the routing-instances are forwarding to the correct next hop; static routing makes it a lot easier here.
Remember, so far we have only done the forward path. We also have to make sure that return traffic, when it hits the routing-instance ispa, is properly forwarded as well.
To make it clear: when you issue a show route, do you see routes populated in the ispa and ispb instances? They are empty, because a forwarding instance has no interface routes of its own.
Here come rib-groups.
Do not forget the policy for intra-zone traffic on SRX
Final Verification
Regards
Rakesh M