One stumbling block I had transitioning from IOS to JunOS was the way Juniper does policy based routing, or PBR. Juniper refers to this as “Filter Based Forwarding”, and it’s a bit more involved to set up than a basic PBR on IOS.
I’ve come across plenty of documentation referencing /how/ to get this working, but I have yet to see a clear explanation of the rib-group import, even from JTAC. I’ve never seen much more than “you need to do this for FBF to work”.
Maybe I’ve just missed it, maybe I’m ignorant, but a coworker and I finally realized /why/ you need to do this for FBF to function properly.
First, let’s start with a very basic FBF setup. I’ll use a recent example where I’ve had to forward all web traffic to a web filter appliance. Only the relevant config is included.
routing-options {
    interface-routes {
        rib-group inet webfilter;
    }
    rib-groups {
        webfilter {
            import-rib [ inet.0 webfilter.inet.0 ];
        }
    }
}
routing-instances {
    webfilter {
        instance-type forwarding;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 192.168.1.10;
            }
        }
    }
}
firewall {
    family inet {
        filter webfilter {
            /* web traffic is handed to the forwarding instance */
            term 1 {
                from {
                    destination-port [ http https ];
                }
                then {
                    routing-instance webfilter;
                }
            }
            /* everything else is routed normally via inet.0 */
            term 2 {
                then {
                    accept;
                }
            }
        }
    }
}
interfaces {
    fe-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input webfilter;
                }
                address 192.168.1.1/24;
            }
        }
    }
}
So, let’s see what we’ve done here…
- We’ve created a routing instance “webfilter” of type forwarding with a route for 0/0 pointing to our webfilter.
- We’ve written a firewall filter to match http and https traffic and put the traffic into our “webfilter” forwarding instance.
- We’ve attached that filter to an interface so any web traffic passing that interface gets re-routed to our web filter.
So far pretty basic, but we’ve also created a “rib-group” and imported some stuff into it. This is the part I’ve never found a clear explanation on. But here’s what we’ve done and why:
- The routing instance we’re using for our FBF setup is type “forwarding”. This means its sole purpose is to forward traffic where we tell it to. It does not, and cannot, have any interfaces assigned to it. If there are no interfaces in the routing instance, there are no directly attached networks, and so there’s no path to any next-hop we might define in the routing instance. This is why we need to create the rib-group and the imports.
- First we create the new rib-group and set it to import the default inet.0 routing table as well as the webfilter.inet.0 routing table from our forwarding instance. (My understanding is that this happens automatically without rib-groups defined, but as soon as you define a rib group to import interface-routes to, you also have to tell the rib-group to import inet.0 and the parent routing-instance’s inet.0 instance as well.)
rib-groups {
    webfilter {
        import-rib [ inet.0 webfilter.inet.0 ];
    }
}
- Once the rib-group exists, we pump interface routes into it so it knows how to get to the next-hop we define for forwarding.
routing-options {
    interface-routes {
        rib-group inet webfilter;
    }
}
And THAT is the key – the forwarding instance has no interfaces, and therefore also lacks any local or directly connected networks. The rib-group is configured to import the interface-routes so the forwarding instance knows how to send traffic to the next-hop we define.
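To make that resolution step concrete, here is a small added Python model (not from the post, and not how Junos is implemented internally) of a RIB with longest-prefix match and next-hop resolution. The prefixes and next-hop mirror the config above; the rib-group is simplified to “copy the interface routes into every table listed in import-rib”, and the destination 203.0.113.5 is a constructed sample.

```python
import ipaddress

# Constructed to mirror the post: fe-0/0/0 unit 0 has 192.168.1.1/24,
# and rib-group "webfilter" imports [ inet.0 webfilter.inet.0 ].
INTERFACE_ROUTES = ["192.168.1.0/24"]
RIB_GROUP_WEBFILTER = ["inet.0", "webfilter.inet.0"]

def fresh_ribs():
    """inet.0 always receives its interface routes; the forwarding instance
    starts with nothing but its static default (it owns no interfaces)."""
    return {"inet.0": {p: "direct" for p in INTERFACE_ROUTES},
            "webfilter.inet.0": {"0.0.0.0/0": "192.168.1.10"}}

def longest_match(rib, dst):
    """Return (network, next_hop) of the most specific prefix covering dst."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in rib.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def resolve_next_hop(rib, dst):
    """A next-hop is usable only if the *same* RIB holds a direct route
    covering it; otherwise the route is unusable (returns None)."""
    hit = longest_match(rib, dst)
    if hit is None:
        return None
    _, nh = hit
    if nh == "direct":
        return "direct"
    conn = longest_match(rib, nh)
    return nh if conn and conn[1] == "direct" else None

def install_interface_routes(ribs, rib_group):
    """Model interface-routes { rib-group inet <name>; }: every RIB named in
    the group's import-rib receives a copy of each interface route."""
    for name in rib_group:
        for prefix in INTERFACE_ROUTES:
            ribs[name].setdefault(prefix, "direct")
    return ribs

def fbf_lookup(with_rib_group, dst="203.0.113.5"):
    """Route a web flow inside webfilter.inet.0 with or without the rib-group."""
    ribs = fresh_ribs()
    if with_rib_group:
        install_interface_routes(ribs, RIB_GROUP_WEBFILTER)
    return resolve_next_hop(ribs["webfilter.inet.0"], dst)
```

Without the rib-group the default route exists but its next-hop 192.168.1.10 cannot be resolved inside webfilter.inet.0, so the lookup fails; with it, the imported 192.168.1.0/24 direct route makes the next-hop reachable.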
As always, comments, corrections, etc. are always appreciated!
~pf
What a fantastic post. Really insightful and useful. I find the ‘why’ extremely valuable for learning. Thanks!
Thanks for article, one piece at a time PBR or FBF is coming together for me.
I’m still having trouble committing the above config… (Have you seen the below error before?)
—
commit
[edit interfaces ge-1/0/0 unit 101 family inet]
‘filter’
Referenced filter ‘ssdc-chard’ can not be used as default/physical interface specific with routing-instance action on ingress
error: configuration check-out failed
—
Hi
Great post.
I’d like to understand where to declare the following lines:
”
routing-options {
    interface-routes {
        rib-group inet webfilter;
    }
}
”
Do you confirm these lines go under the global config or a specific routing instance (inet.0 or webfilter, for example)?
Thanks
You rock! Still useful info after all these years.
This right here got me out of jail. Still useful after all these years…