Mailing List Archive

Firewall filter help.
Hello all,

I am new to this list and also to Juniper. I have just installed a
customer that uses about 70M worth of B/W. Since I am running a multi-homed
BGP environment and I only have B/W to support 70M worth of traffic on one
of my providers, I need to hard-code this new customer to that provider.
Not knowing what the best way to do this is, I decided to implement a
firewall filter (not sure what other options I have?). I already had a
firewall set up for another customer (filter AAA below) which seemed to work
just fine, so I figured that I could do the same thing, but every time I
apply the filter to my customer's interface all of their traffic goes to
zero. I've checked all of my resources for help but to no avail. I am
running a Juniper M10 with ver 5.6r1.3. Filter AAA seems to work fine; filter
CCC (what I am trying to implement) does not work. This may be simple to
you guys but I am stumped. I know I must be doing something wrong but I
cannot figure it out. Please help. Thanks in advance.

Juno# show firewall
family inet {
    filter AAA {
        term main {
            from {
                source-prefix-list {
                    AAA;
                }
            }
            then routing-instance BBB;
        }
        term Default {
            then accept;
        }
    }
    filter CCC {
        term main {
            from {
                source-address {
                    1.1.1.1/32;
                }
            }
            then routing-instance DDD;
        }
        term Default {
            then accept;
        }
    }
}


Juno# show routing-instances
DDD {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 3.3.3.3;
        }
    }
}
BBB {
    instance-type forwarding;
    routing-options {
        static {
            route 0.0.0.0/0 next-hop 2.2.2.2;
        }
    }
}

Thanks,

-Mike
msumrall@ic2net.net
Firewall filter help. [ In reply to ]
Add a count statement in the 'then' part of the filters to see if it is
catching the source address 1.1.1.1/32.

You can use show firewall filter DDD

Add a counter to the default accept term also and you will see what
action is being caught.

If it is being sent to the routing-instance DDD then you need to check
that you can reach the next-hop.

try:

ping 3.3.3.3 source 1.1.1.1 routing-instance DDD

Gary

On Nov 21, 2003, at 1:12 PM, Mike Sumrall wrote:

> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> http://puck.nether.net/mailman/listinfo/juniper-nsp
>
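Gary's suggestion written out as a configuration, as an added example that is not from the original thread or from either poster: filter CCC with a counter in every term, so that show firewall filter CCC shows which term the customer's packets are hitting, followed by the forwarding instance from Mike's post. The counter names ccc-main and ccc-default and the rib-group name fbf-rg are assumptions; the addresses are the ones from the post. The final routing-options stanza is a general Junos filter-based-forwarding requirement rather than something diagnosed in the thread: a forwarding instance whose table holds only a static default has no interface route through which next-hop 3.3.3.3 can resolve, so interface routes are normally shared into it with a rib-group.

```junos
/* Added example (not from the thread): filter CCC with counters in every term,
   so "show firewall filter CCC" shows which term the customer's packets hit.
   Counter names ccc-main / ccc-default are assumed; addresses are from Mike's post. */
firewall {
    family inet {
        filter CCC {
            term main {
                from {
                    source-address {
                        1.1.1.1/32;
                    }
                }
                then {
                    count ccc-main;
                    routing-instance DDD;
                }
            }
            term Default {
                then {
                    count ccc-default;
                    accept;
                }
            }
        }
    }
}

/* Forwarding instance exactly as in the post. */
routing-instances {
    DDD {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 3.3.3.3;
            }
        }
    }
}

/* General Junos filter-based-forwarding requirement, not diagnosed in the thread:
   DDD.inet.0 holds only the static default above, so next-hop 3.3.3.3 has no
   interface route to resolve against unless interface routes from inet.0 are
   shared into it. The rib-group name fbf-rg is assumed. */
routing-options {
    interface-routes {
        rib-group inet fbf-rg;
    }
    rib-groups {
        fbf-rg {
            import-rib [ inet.0 DDD.inet.0 ];
        }
    }
}
```

With this in place, show firewall filter CCC lists both counters: if ccc-main increments while the customer's traffic still disappears, the filter is matching and the problem is in the instance, not the filter; if only ccc-default increments, the match condition never sees the customer's source address. The next check, as Gary says, is ping 3.3.3.3 source 1.1.1.1 routing-instance DDD, and show route table DDD.inet.0 shows whether the 0.0.0.0/0 static route is active or hidden because its next-hop cannot be resolved. clear firewall filter CCC resets the counters between tests.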