I am trying to wrap my head around the limitations regarding filter-based forwarding for egress packets, on the output of a layer3 interface, on the MX platform.

Early on in Junos, with filter-based forwarding (or "policy-based routing" in the Cisco context) you could only do filter-based forwarding on ingress into the router. Now, apparently, you can do filter-based forwarding on the output interface:

http://www.juniper.net/techpubs/en_US/junos10.2/information-products/topic-collections/config-guide-network-interfaces/topic-25474.html

Aside from some limitations with source-class usage filter matching and uRPF checks, I am wondering if there are any gotchas here.

Let's say I have an application where I have a security box for scrubbing packets hanging off of an MX. I want to redirect some traffic matching a particular filter term along a single egress path out of the router to go out instead via a different interface to hit my security box. However, packets along this single egress path might have multiple points of entry coming into the router. It would be difficult to scale putting an input filter on all of those different ingress interfaces. It would be really handy and simple to just apply an output filter on the single output interface to redirect my traffic.

But are there crazy things that happen under the covers that could cause problems? Is the output filter really just an input filter applied to all other interfaces? What if my ingress packets that follow this path come into the router in different shapes and sizes, i.e. straight IP, or with an MPLS header, or maybe even a GRE tunnel terminated on the router? Would the output filter still work as I expect?

The documentation regarding filter-based forwarding on the output interface suggests that this can be applied to port-mirrored traffic, but would this also work for my security-box redirection application?

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
_______________________________________________
juniper-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
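For reference, the conventional ingress form of the redirection described in the post, as an added configuration example that is not part of the original message and not from Juniper's documentation: a firewall filter whose matching term hands the packet to a forwarding-type routing instance whose only route points at the scrubbing box. The interface names, prefixes and next-hop address (ge-0/0/0, 203.0.113.0/24, 192.0.2.2, 198.51.100.1/30) are placeholders, and the filter is applied as an input filter, which is the form Junos has long supported; whether the same `routing-instance` action is honoured when the filter is applied as `output` on the egress interface is exactly the open question above and is not asserted here.

```junos
firewall {
    family inet {
        filter SCRUB-REDIRECT {
            /* Traffic for the protected prefix is steered to the scrubber */
            term to-scrubber {
                from {
                    destination-address {
                        203.0.113.0/24;    /* placeholder prefix */
                    }
                }
                then {
                    count scrub-redirect;
                    routing-instance SCRUB-VR;
                }
            }
            /* Everything else follows the normal inet.0 lookup */
            term default {
                then accept;
            }
        }
    }
}
routing-instances {
    SCRUB-VR {
        instance-type forwarding;
        routing-options {
            static {
                /* Default route to the security box (placeholder address) */
                route 0.0.0.0/0 next-hop 192.0.2.2;
            }
        }
    }
}
routing-options {
    /* Leak directly connected routes into the FBF instance so the
       next hop 192.0.2.2 is resolvable inside SCRUB-VR.inet.0 */
    interface-routes {
        rib-group inet SCRUB-RIBG;
    }
    rib-groups {
        SCRUB-RIBG {
            import-rib [ inet.0 SCRUB-VR.inet.0 ];
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    input SCRUB-REDIRECT;
                }
                address 198.51.100.1/30;    /* placeholder address */
            }
        }
    }
}
```

Two practical checks once something like this is committed: `show firewall filter SCRUB-REDIRECT` confirms the `scrub-redirect` counter is incrementing for the term you expect, and `show route table SCRUB-VR.inet.0` confirms the default route actually resolves through the leaked interface route rather than being hidden, which is the usual reason an FBF instance silently blackholes traffic.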
