11.2.3.7. Filter-based forwarding (FBF) setting

Operation Confirmed Version:
 vSRX Version 15.1X49-D105.1

vSRX supports filter-based forwarding (FBF). In normal routing, a packet is forwarded by looking up the routing table (inet.0), which holds the destination networks and their next hops. FBF lets you create an additional routing table, seeded from the normal one, and forward packets that match a firewall filter according to that table instead of inet.0. This is useful when only traffic from a specific host or network is to be forwarded according to a different routing table.

Setting for forwarding to a next-hop IP address specified with the FBF function

Configure forwarding to a specified next-hop IP address by matching on a specific source IP address and having the matching packets looked up in a copied routing table.

Presumed case for sample setting

  • Allow only the virtual server (192.168.2.12) to communicate with the destination network 192.168.111.0/24

  • Configure the route in a separate routing instance using the FBF function, with vSRX-01 as the next hop

Note

Assume that routing has already been configured correctly on the vSRXs shown other than vSRX-02, and on the virtual servers. The security zone and policy settings that vSRX-02 needs in order to pass transit traffic are not shown here.

Setting flow in a presumed case

1. Create routing instance FBF_TABLE for FBF.
2. Add a static route for 192.168.111.0/24 with vSRX-01 as the next hop to instance FBF_TABLE.
3. Create RIB_GROUP so that the interface routes are also installed in routing table FBF_TABLE.inet.0, which FBF_TABLE uses.
4. Configure a firewall filter so that packets whose source IP is the virtual server (192.168.2.12) are looked up in FBF_TABLE.

Commands to enter on the CLI

[vSRX-02]
user01@vSRX-02# set routing-instances FBF_TABLE instance-type forwarding
user01@vSRX-02# set routing-instances FBF_TABLE routing-options static route 192.168.111.0/24 next-hop 192.168.1.101
user01@vSRX-02# set routing-options interface-routes rib-group inet RIB_GROUP
user01@vSRX-02# set routing-options rib-groups RIB_GROUP import-rib inet.0
user01@vSRX-02# set routing-options rib-groups RIB_GROUP import-rib FBF_TABLE.inet.0
user01@vSRX-02# set firewall filter FBF_RULE term 1 from source-address 192.168.2.12/32
user01@vSRX-02# set firewall filter FBF_RULE term 1 then routing-instance FBF_TABLE
user01@vSRX-02# set firewall filter FBF_RULE term 2 then accept
user01@vSRX-02# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.102/24
user01@vSRX-02# set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.102/24
user01@vSRX-02# set interfaces ge-0/0/2 unit 0 family inet filter input FBF_RULE

The configuration after these settings have been applied is as follows.

interfaces {
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 192.168.1.102/24;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                filter {
                    input FBF_RULE;
                }
                address 192.168.2.102/24;
            }
        }
    }
}
routing-options {
    interface-routes {
        rib-group inet RIB_GROUP;
    }
    rib-groups {
        RIB_GROUP {
            import-rib [ inet.0 FBF_TABLE.inet.0 ];
        }
    }
}
firewall {
    filter FBF_RULE {
        term 1 {
            from {
                source-address {
                    192.168.2.12/32;
                }
            }
            then {
                routing-instance FBF_TABLE;
            }
        }
        term 2 {
            then accept;
        }
    }
}
routing-instances {
    FBF_TABLE {
        instance-type forwarding;
        routing-options {
            static {
                route 192.168.111.0/24 next-hop 192.168.1.101;
            }
        }
    }
}
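The following Python model is an added illustration and is not part of the original page or of Junos itself. It reproduces the forwarding decision that the configuration above produces on vSRX-02: the filter is evaluated term by term with first match winning and an implicit discard at the end, the selected term decides which routing table is consulted, and a longest-prefix match in that table yields the next hop. Addresses, table names and filter terms are taken from the example; the second test host 192.168.2.14 is the one used in the operation check. The model deliberately ignores security zones, policies and reverse-path checks, and it matches on source address only, so it is a simplification rather than a faithful Junos implementation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed model of the forwarding decision on vSRX-02 (not Junos code).
# Addresses, table names and filter terms come from the configuration above;
# the host 192.168.2.14 is the second test host from the operation check.


@dataclass
class Route:
    prefix: str
    next_hop: str      # next-hop IP, or "direct:<ifl>" for an interface route
    protocol: str      # Direct / Static, as shown by "show route"

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)


@dataclass
class Term:
    name: str
    source_prefix: Optional[str]   # None means no "from" clause: matches everything
    action: str                    # "accept", "discard" or "routing-instance:<name>"


def build_tables() -> Dict[str, List[Route]]:
    """inet.0 and FBF_TABLE.inet.0 as built by the configuration above.

    RIB_GROUP imports the interface routes into both tables; the static
    route to 192.168.111.0/24 exists only in FBF_TABLE.inet.0.
    """
    interface_routes = [
        Route("192.168.1.0/24", "direct:ge-0/0/1.0", "Direct"),
        Route("192.168.2.0/24", "direct:ge-0/0/2.0", "Direct"),
    ]
    tables = {
        "inet.0": list(interface_routes),
        "FBF_TABLE.inet.0": list(interface_routes),
    }
    tables["FBF_TABLE.inet.0"].append(
        Route("192.168.111.0/24", "192.168.1.101", "Static"))
    return tables


# Firewall filter FBF_RULE as configured: term 1 redirects the virtual
# server to FBF_TABLE, term 2 accepts everything else.
FBF_RULE = [
    Term("1", "192.168.2.12/32", "routing-instance:FBF_TABLE"),
    Term("2", None, "accept"),
]

# The same filter with term 2 left out, to show the implicit discard.
FBF_RULE_WITHOUT_TERM2 = FBF_RULE[:1]


def apply_filter(terms: List[Term], src: str) -> str:
    """First matching term wins; a Junos filter ends with an implicit discard."""
    src_ip = ipaddress.ip_address(src)
    for t in terms:
        if t.source_prefix is None or src_ip in ipaddress.ip_network(t.source_prefix):
            return t.action
    return "discard"


def lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match in one routing table; None if there is no route."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for r in rib:
        if dst_ip in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best


def forward(tables: Dict[str, List[Route]], terms: List[Term],
            src: str, dst: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Return (result, table used, next hop) for a packet arriving on ge-0/0/2.

    result is "forward", "net-unreachable" (no route in the selected table,
    the ICMP error seen in the operation check) or "discard" (dropped by filter).
    """
    action = apply_filter(terms, src)
    if action == "discard":
        return ("discard", None, None)
    table = "inet.0"
    if action.startswith("routing-instance:"):
        table = action.split(":", 1)[1] + ".inet.0"
    route = lookup(tables[table], dst)
    if route is None:
        return ("net-unreachable", table, None)
    return ("forward", table, route.next_hop)


if __name__ == "__main__":
    tables = build_tables()
    for src in ("192.168.2.12", "192.168.2.14"):
        print(src, "-> 192.168.111.104:", forward(tables, FBF_RULE, src, "192.168.111.104"))
    # Without term 2, even traffic to a directly connected network is dropped.
    print("no term 2:", forward(tables, FBF_RULE_WITHOUT_TERM2, "192.168.2.14", "192.168.1.101"))
```

Two points the model makes visible: term 2 is not optional, because a filter that only contains term 1 discards every other packet arriving on ge-0/0/2, including traffic to directly connected networks; and the restriction to 192.168.2.12 is enforced only by the absence of a 192.168.111.0/24 route in inet.0, so adding such a route to inet.0 later lets every host on ge-0/0/2 reach that network.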

Operation check result

If the settings are correct, two routing tables (inet.0 and FBF_TABLE.inet.0) are present, and the static route to 192.168.111.0/24 appears in FBF_TABLE.inet.0. Traffic from the virtual server (192.168.2.12) is looked up in FBF_TABLE.inet.0 because of the firewall filter, and communication with the destination virtual server (192.168.111.104) succeeds. Note that the filter only selects which table is used: term 2 is needed because a Junos filter ends with an implicit discard, and without it all other traffic arriving on ge-0/0/2 would be dropped. Other hosts are kept away from 192.168.111.0/24 only because inet.0 has no route to it; if such a route is later added to inet.0, they will be able to reach that network as well.

  • On vSRX-02, the static route to 192.168.111.0/24 is present only in FBF_TABLE.inet.0, not in inet.0.

user01@vSRX-02> show route | no-more

inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 (output omitted)

192.168.1.0/24     *[Direct/0] 00:56:48
                    > via ge-0/0/1.0
192.168.1.102/32   *[Local/0] 00:56:48
                      Local via ge-0/0/1.0
192.168.2.0/24     *[Direct/0] 00:56:48
                    > via ge-0/0/2.0
192.168.2.102/32   *[Local/0] 00:56:48
                      Local via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 1w3d 05:16:24, metric 1
                      MultiRecv

FBF_TABLE.inet.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

 (output omitted)

192.168.1.0/24     *[Direct/0] 00:35:30
                    > via ge-0/0/1.0
192.168.1.102/32   *[Local/0] 00:35:30
                      Local via ge-0/0/1.0
192.168.2.0/24     *[Direct/0] 00:35:30
                    > via ge-0/0/2.0
192.168.2.102/32   *[Local/0] 00:35:30
                      Local via ge-0/0/2.0
192.168.111.0/24   *[Static/5] 00:35:29
                    > to 192.168.1.101 via ge-0/0/1.0

Ping from the virtual server (192.168.2.12) to the virtual server (192.168.111.104) succeeds, confirming that forwarding follows the route information in FBF_TABLE.inet.0. The traceroute output also shows the expected path: vSRX-02 (192.168.2.102) first, then vSRX-01 (192.168.1.101), then the destination.

  • Log on the virtual server (192.168.2.12)

[user01@cents02 ~]$ ping 192.168.111.104 -c 5
PING 192.168.111.104 (192.168.111.104) 56(84) bytes of data.
64 bytes from 192.168.111.104: icmp_seq=1 ttl=62 time=6.29 ms
64 bytes from 192.168.111.104: icmp_seq=2 ttl=62 time=1.43 ms
64 bytes from 192.168.111.104: icmp_seq=3 ttl=62 time=1.57 ms
64 bytes from 192.168.111.104: icmp_seq=4 ttl=62 time=1.42 ms
64 bytes from 192.168.111.104: icmp_seq=5 ttl=62 time=1.47 ms

--- 192.168.111.104 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.420/2.437/6.294/1.929 ms
[user01@cents02 ~]$
[user01@cents02 ~]$ traceroute 192.168.111.104
traceroute to 192.168.111.104 (192.168.111.104), 30 hops max, 60 byte packets
 1  gateway (192.168.2.102)  7.730 ms  7.712 ms  7.706 ms
 2  192.168.1.101 (192.168.1.101)  17.209 ms  17.194 ms  17.201 ms
 3  192.168.111.104 (192.168.111.104)  23.284 ms  24.985 ms  25.121 ms
[user01@cents02 ~]$

Ping from the virtual server (192.168.2.14) to the virtual server (192.168.111.104) was also tested. This traffic is looked up in inet.0, which has no route to the destination network 192.168.111.0/24, so vSRX-02 returns ICMP Destination Net Unreachable and communication fails. The traceroute output likewise stops at the first hop, vSRX-02, which reports the network as unreachable (!N).

  • Log on the virtual server (192.168.2.14)

[user01@cents04 ~]$ ping 192.168.111.104 -c 5
PING 192.168.111.104 (192.168.111.104) 56(84) bytes of data.
From 192.168.2.102 icmp_seq=1 Destination Net Unreachable
From 192.168.2.102 icmp_seq=2 Destination Net Unreachable
From 192.168.2.102 icmp_seq=3 Destination Net Unreachable
From 192.168.2.102 icmp_seq=4 Destination Net Unreachable
From 192.168.2.102 icmp_seq=5 Destination Net Unreachable

--- 192.168.111.104 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4001ms

[user01@cents04 ~]$
[user01@cents04 ~]$ traceroute 192.168.111.104
traceroute to 192.168.111.104 (192.168.111.104), 30 hops max, 60 byte packets
 1  gateway (192.168.2.102)  7.296 ms !N  7.261 ms !N  7.245 ms !N