Add FBF example

2023-09-21 03:19:19 +03:00
parent fcd42048f0
commit fe0a55f97f
1 changed files with 126 additions and 0 deletions
@@ -574,6 +574,132 @@ interfaces {

 ```

+### EX4600, QFX
+
+Fundamental difference between EX4500, EX4550 and EX4600, QFX is that EX4500, EX4550 have "instance-type forwarding" and EX4600, QFX don't have it. So you need to use "instance-type virtual-router" instead.
+
+Here is examples for EX4600, QFX, where we redirect traffic from users to nat, and have local bypass.
+
+
+One of them verified and i tested it works:
+
+```
+routing-instances {
+    route-tonat {
+        instance-type virtual-router;
+        routing-options {
+            static {
+                route 0.0.0.0/0 next-hop 10.0.250.2;
+            }
+        }
+        interface irb.161;
+    }
+}
+interfaces {
+    irb {
+        unit 161 {
+            description VRF-TO-NAT;
+            family inet {
+                address 10.0.250.1/24;
+            }
+        }
+    }
+}
+firewall {
+    family inet {
+        filter mainvlan-in {
+            term bypass {
+                from {
+                    destination-address {
+                        10.0.0.0/8;
+                        192.168.0.0/16;
+                        172.16.0.0/12;
+                    }
+                }
+                then accept;
+            }
+            term tonat {
+                from {
+                    source-address {
+                        172.16.0.0/12;
+                    }
+                }
+                then {
+                    routing-instance route-tonat;
+                }
+            }
+            term default {
+                then accept;
+            }
+        }
+    }
+}
+```
+Note: interface irb.161 can be used only one-way, to send traffic to NAT, but not to receive it back. Receive back will be handled automatically, as NAT will decode back to fake ips and fake ips routes are present in default routing instance, so nothing special need to be done.
+Also after that you need to assign filter to interface where traffic from users is coming.
+
+
+Second one is not verified, i adapted it from from article, but it should work and looks more elegant (doesnt need to lose interface for VRF)
+
+```
+FBF-test {
+    instance-type virtual-router;
+    routing-options {
+        static {
+            route 0.0.0.0/0 next-hop 12.12.12.2;
+        }
+        instance-import FBF-export;
+    }
+}
+policy-statement FBF-export {
+    term 1 {
+        from {
+            instance master;
+            route-filter 12.12.12.0/30 exact;
+        }
+        then accept;
+    }
+    term 2 {
+        then reject;
+    }
+}
+firewall {
+    family inet {
+        filter FBF-test {
+            term 1 {
+                from {
+                    destination-address {
+                        10.0.0.0/8;
+                        192.168.0.0/16;
+                        172.16.0.0/12;
+                    }
+                }
+                then accept;
+            }
+            term tonat {
+                from {
+                    source-address {
+                        172.16.0.0/12;
+                    }
+                }
+                then {
+                    count FBF-count;
+                    routing-instance FBF-test;
+                }
+            }
+            term 2 {
+                then accept;
+            }
+        }
+    }
+}
+```
+
+
+Articles:
+
+- https://supportportal.juniper.net/s/article/EX-QFX-Performing-filter-based-forwarding-in-ELS-devices?language=en_US
+
 ## Diagnostics

 ### SFP signal monitoring