JunOS SRX Source Routing, PBR, FBF - NETSEC



Cybersecurity Memo

Sunday, February 12, 2012

JunOS SRX Source Routing, PBR, FBF

Enabling Source Routing

Starting in Junos OS Release 8.2 for IPv6 and Junos OS Release 8.5 for IPv4, source routing is disabled by default on J Series Services Routers, M Series Multiservice Edge Routers, MX Series Ethernet Services Routers, T Series Core Routers, and EX Series switches. To enable source routing, include the source-routing statement:

source-routing {(ip | ipv6);}

On Netscreen:

set source-routing enable
set route source interface ethernet0/3 gateway x.x.x.x (public IP) preference 20


PBR is called filter-based forwarding (FBF) in Junos

Note: When searching the Technical Documentation for Policy Based Routing (PBR) configuration, search for: filter-based forwarding


Configuring Filter-Based Forwarding

You can configure filters to classify packets based on source address and specify the forwarding path the packets take within the router by configuring a filter on the ingress interface. For example, you can use this filter for applications to differentiate traffic from two clients that have a common access layer (for example, a Layer 2 switch) but are connected to different Internet service providers (ISPs). When the filter is applied, the router can differentiate the two traffic streams and direct each to the appropriate network. Depending on the media type the client is using, the filter can use the source IP address to forward the traffic to the corresponding network through a tunnel. You can also configure filters to classify packets based on IP protocol type or IP precedence bits.

Note: Source-class usage filter matching and unicast reverse-path forwarding checks are not supported on an interface configured with filter-based forwarding (FBF).

You can also forward packets based on output filters by configuring a filter on the egress interfaces. In the case of port mirroring, it is useful for port-mirrored packets to be distributed to multiple monitoring PICs and collection PICs based on patterns in packet headers. FBF on the port-mirroring egress interface must be configured.

Packets forwarded to the output filter have been through at least one route lookup when an FBF filter is configured on the egress interface. After the packet is classified at the egress interface by the FBF filter, it is redirected to another routing table for further route lookup.

Filter-based forwarding is supported for IPv4 and IPv6.

To direct traffic meeting defined match conditions to a specific routing instance, include the routing-instance filter action:

routing-instance routing-instance;

For IPv4 traffic, include the action at the [edit firewall family inet filter filter-name term term-name then] hierarchy level. For IPv6 traffic, include the action at the [edit firewall family inet6 filter filter-name term term-name then] hierarchy level. For MPLS traffic, configure the filter terms at the [edit firewall family mpls filter filter-name term term-name then] hierarchy level.

The routing-instance filter action accepts the traffic meeting the match conditions and directs it to the routing instance named in routing-instance. For information about forwarding instances and routing instances, see the Junos OS Routing Protocols Configuration Guide.

Note: In Junos OS Release 9.0 and later, you can no longer specify a routing-instance name of default or include special characters within the name of a routing instance.

To complete the configuration, you must also create a routing table group that adds interface routes to the following routing instances:
  • Routing instance named in the action
  • Default routing table inet.0

You create a routing table group to resolve the routes installed in the routing instance to directly connected next hops on that interface. For more information on routing table groups and interface routes, see the Junos OS Routing Protocols Configuration Guide.

Examples: Configuring Filter-Based Forwarding

Configure a filter to direct traffic to ISP1 or ISP2 based on source address matching:
[edit firewall]
family inet {
    filter classify-customers {
        term isp1-customers {
            from {
                source-address;
                source-address;
            }
            then {
                routing-instance isp1-route-table;
            }
        }
        term isp2-customers {
            from {
                source-address;
                source-address;
            }
            then {
                routing-instance isp2-route-table;
            }
        }
        term default {
            then {
                accept;
            }
        }
    }
}
Configure a filter-based forwarding (FBF) filter for family inet6:
[edit]
firewall {
    family inet6 {
        filter ftf_fbf {
            term 0 {
                from {
                    source-address {
                        ::;
                    }
                }
                then {
                    count ce1;
                    log;
                    routing-instance ce1;
                }
            }
            term 1 {
                from {
                    source-address {
                        ::;
                    }
                }
                then {
                    count ce2;
                    log;
                    routing-instance ce2;
                }
            }
            term default {
                then {
                    count default;
                    accept;
                }
            }
        }
    }
}
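The filter above only classifies traffic; the forwarding instances it names, the rib-group that copies interface routes into them, and the interface the filter is applied to are the rest of the job. The following is an added example (not from the original post or Juniper's documentation) that completes the inet classify-customers filter: the instance names come from the page, while the interface name, the customer subnet and the two ISP next-hops are constructed placeholders from the RFC 5737 documentation ranges.

```junos
routing-options {
    interface-routes {
        /* leak directly connected routes into every table in fbf-group */
        rib-group inet fbf-group;
    }
    rib-groups {
        fbf-group {
            /* inet.0 must stay first; the FBF instances receive copies */
            import-rib [ inet.0 isp1-route-table.inet.0 isp2-route-table.inet.0 ];
        }
    }
}
routing-instances {
    isp1-route-table {
        /* forwarding instances hold a route table only, no interfaces */
        instance-type forwarding;
        routing-options {
            static {
                /* constructed ISP1 gateway (documentation address) */
                route 0.0.0.0/0 next-hop 192.0.2.1;
            }
        }
    }
    isp2-route-table {
        instance-type forwarding;
        routing-options {
            static {
                /* constructed ISP2 gateway (documentation address) */
                route 0.0.0.0/0 next-hop 198.51.100.1;
            }
        }
    }
}
interfaces {
    /* assumed customer-facing ingress interface */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    /* the classify-customers filter from the example above */
                    input classify-customers;
                }
                address 10.0.0.1/24;
            }
        }
    }
}
```

Without the interface-routes rib-group the default routes in isp1-route-table and isp2-route-table cannot resolve their next-hops, so matched traffic is dropped rather than forwarded; and because uRPF is not supported on an FBF interface, source-address spoofing on that interface has to be controlled by the filter's own source-address terms.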
