Hi,

FBF, or filter-based forwarding, is a confusing concept at first, especially if you are new to the concept of rib-groups. Let's see a very simple example.

Reference – http://kb.juniper.net/InfoCenter/index?page=content&id=KB17223 and Junos SRX

Topology

[Image: Topology]

Requirement

METHOD 1 – Via static default route in Instance

Make sure traffic from 172.25.1.0 takes the path to isp-a and traffic from 172.25.0.0 takes the path to isp-b when they are trying to access 7.7.7.7/32.

First, let us verify that the SRX has a route to 7.7.7.7 and see its preference. Looking at the output, the SRX is preferring isp-a.

[Image: 1_verify_bgp_routing]

Let us verify from the end nodes by doing a traceroute.

[Image: 2_verify_end_nodes]

Okay, we have a problem here:

-> We can only choose one path on the SRX, either isp-a or isp-b. Sure, you can do load balancing, but that will not get us what we want.

-> We need to instruct the SRX to send traffic from 172.25.0.0 to isp-b and traffic from 172.25.1.0 to isp-a. Again, this is a challenge, as the SRX is only preferring isp-a as of now.

Let us construct two routing instances for this requirement, one for forwarding traffic to isp-a and one for forwarding traffic to isp-b, and then apply a firewall filter to divert the traffic.

[Image: 3_routing_instances]

[Image: 4_firewall_filter]

Apply it to the incoming interface from the LAN.

[Image: 4.5_ffinterface]

Once we are done with this, we have to make sure the routing instances are forwarding to the correct next hop; static routing makes it a lot easier here.

[Image: 5_static_routing]

Remember, so far we have only done the forward path. We have to make sure that when the return traffic hits the routing-instance ispa, it is properly forwarded as well.

To make it clear: when you issue a show route, do you see routes populated in the ispa and ispb instances?

[Image: 6_table_verification]

Here come rib-groups

[Image: 7_Rib_groups_verification]

Do not forget the policy for intra-zone traffic on SRX

[Image: 8_sec_policies]
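The steps above as one Junos configuration sketch. This is an added example, not the configuration from the original screenshots. The instance names ispa and ispb and the LAN source networks come from the post; the /24 prefix lengths, the filter name FBF, the rib-group name FBF-RIB, the interface ge-0/0/1 and both next-hop addresses are assumptions to be replaced with your own values.

```junos
# Added example. Names and addresses marked (assumed) are placeholders.

# 1. One forwarding instance per ISP, each with its own static default route.
#    Next hops are (assumed) documentation addresses.
set routing-instances ispa instance-type forwarding
set routing-instances ispa routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set routing-instances ispb instance-type forwarding
set routing-instances ispb routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# 2. Firewall filter that selects the instance by source network.
#    The /24 masks are (assumed); the post gives only the network addresses.
set firewall family inet filter FBF term to-ispa from source-address 172.25.1.0/24
set firewall family inet filter FBF term to-ispa then routing-instance ispa
set firewall family inet filter FBF term to-ispb from source-address 172.25.0.0/24
set firewall family inet filter FBF term to-ispb then routing-instance ispb
# A filter ends with an implicit discard, so without this last term any LAN
# traffic that matches neither source network is silently dropped.
set firewall family inet filter FBF term default then accept

# 3. Apply the filter inbound on the LAN-facing interface (assumed name).
set interfaces ge-0/0/1 unit 0 family inet filter input FBF

# 4. rib-group: copy interface (direct/local) routes from inet.0 into both
#    instance tables, so the static next hops above can resolve there.
#    inet.0 is listed first because it is the primary table for these routes.
set routing-options rib-groups FBF-RIB import-rib [ inet.0 ispa.inet.0 ispb.inet.0 ]
set routing-options interface-routes rib-group inet FBF-RIB
```

After commit, `show route table ispa.inet.0` and `show route table ispb.inet.0` should each list the copied direct routes and the static default; an empty instance table means the rib-group is not applied.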

Final Verification

Regards

Rakesh M
