We have 2 EX4300 set up in a virtual chassis.
We would like them to act as default gateway for our servers. The servers can either be on a private subnet 10.30.0.0/16 or have a public IP attached 1.2.3.0/24.
If the source IP is a public IP 1.2.3.0/24 we want it to route to one of our edge routers (1.2.3.1, 1.2.3.2, 1.2.3.3). We use BFD to see which router to choose.
If the source IP is a private IP 10.30.0.0/16 we want to route it to a NAT server (10.30.0.5), which then again routes through the EX4300 to an edge router.
In a test setup this works. In production no such luck.
The firewall filter counters do count up, so it is matching correctly. But it routes all trafic to the NAT server so basically ignoring the routing-instance "rib-public-ip".
We've also noticed that sometimes during configuration we need to remove the filter completely and add it again for the filter to "work" (counters counting).
To me it seems like a bug, but I might be doing something completely wrong here.
Complete config attached.
version 14.1X53-D40.8;
system {
host-name dc2-spine;
auto-snapshot;
root-authentication {
encrypted-password "<pwd>"; ## SECRET-DATA
}
login {
user ansible {
uid 2000;
class super-user;
authentication {
encrypted-password "<pwd>"; ## SECRET-DATA
}
}
}
services {
ssh {
protocol-version v2;
}
netconf {
ssh;
}
}
syslog {
user * {
any emergency;
}
file messages {
any notice;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
commit synchronize;
ntp {
server 10.31.0.23;
}
}
chassis {
redundancy {
graceful-switchover;
}
aggregated-devices {
ethernet {
device-count 6;
}
}
}
interfaces {
ge-0/0/0 {
ether-options {
802.3ad ae4;
}
}
ge-0/0/1 {
ether-options {
802.3ad ae4;
}
}
ge-0/0/2 {
ether-options {
802.3ad ae4;
}
}
ge-0/0/3 {
ether-options {
802.3ad ae4;
}
}
ge-0/0/4 {
ether-options {
802.3ad ae5;
}
}
ge-0/0/5 {
ether-options {
802.3ad ae5;
}
}
ge-0/0/6 {
ether-options {
802.3ad ae5;
}
}
ge-0/0/7 {
ether-options {
802.3ad ae5;
}
}
ge-0/0/20 {
description "lb1 mgmt";
native-vlan-id 300;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ vlan_300 vlan_301 ];
}
}
}
}
ge-0/0/21 {
description "lb2 mgmt";
native-vlan-id 300;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ vlan_300 vlan_301 ];
}
}
}
}
ge-0/0/22 {
description "edge-router1 mgmt";
native-vlan-id 300;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ vlan_300 vlan_301 ];
}
}
}
}
ge-0/0/23 {
description lan2lan;
native-vlan-id 600;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members all;
}
}
}
}
xe-0/2/0 {
ether-options {
802.3ad ae0;
}
}
xe-0/2/1 {
ether-options {
802.3ad ae1;
}
}
xe-0/2/2 {
ether-options {
802.3ad ae2;
}
}
ge-1/0/0 {
ether-options {
802.3ad ae4;
}
}
ge-1/0/1 {
ether-options {
802.3ad ae4;
}
}
ge-1/0/2 {
ether-options {
802.3ad ae4;
}
}
ge-1/0/3 {
ether-options {
802.3ad ae4;
}
}
ge-1/0/4 {
ether-options {
802.3ad ae5;
}
}
ge-1/0/5 {
ether-options {
802.3ad ae5;
}
}
ge-1/0/6 {
ether-options {
802.3ad ae5;
}
}
ge-1/0/7 {
ether-options {
802.3ad ae5;
}
}
ge-1/0/20 {
description "lb1 mgmt";
native-vlan-id 300;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ vlan_300 vlan_301 ];
}
}
}
}
ge-1/0/21 {
description "lb2 mgmt";
native-vlan-id 300;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ vlan_300 vlan_301 ];
}
}
}
}
ge-1/0/22 {
description "edge-router1 mgmt";
native-vlan-id 300;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members [ vlan_300 vlan_301 ];
}
}
}
}
ge-1/0/23 {
description lan2lan;
native-vlan-id 600;
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members all;
}
}
}
}
xe-1/2/0 {
ether-options {
802.3ad ae0;
}
}
xe-1/2/1 {
ether-options {
802.3ad ae1;
}
}
xe-1/2/2 {
ether-options {
802.3ad ae2;
}
}
ae0 {
description edge-router1;
native-vlan-id 600;
aggregated-ether-options {
local-bias;
lacp {
active;
periodic fast;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members vlan_600;
}
}
}
}
ae1 {
description lb1;
aggregated-ether-options {
local-bias;
lacp {
active;
periodic fast;
}
}
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members vlan_300;
}
}
}
}
ae2 {
description lb2;
aggregated-ether-options {
local-bias;
lacp {
active;
periodic fast;
}
}
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members vlan_300;
}
}
}
}
ae4 {
description dc2-servers1;
native-vlan-id 300;
aggregated-ether-options {
local-bias;
lacp {
active;
periodic fast;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members all;
}
}
}
}
ae5 {
description dc2-servers2;
native-vlan-id 300;
aggregated-ether-options {
local-bias;
lacp {
active;
periodic fast;
}
}
unit 0 {
family ethernet-switching {
interface-mode trunk;
vlan {
members all;
}
}
}
}
irb {
unit 300 {
family inet {
filter {
input filter-public-ip;
}
address 10.30.0.1/16;
address 1.2.3.65/27;
}
}
unit 301 {
family inet {
address 10.31.0.54/16;
}
}
unit 600 {
family inet {
address 1.2.3.4/29;
}
}
}
vme {
unit 0 {
family inet {
address 192.168.1.2/24;
}
}
}
}
snmp {
contact "NOC <noc@company.com>";
community public {
authorization read-only;
}
trap-options {
source-address 10.31.0.54;
}
trap-group public {
version v2;
targets {
10.31.0.23;
}
}
}
routing-options {
nonstop-routing;
interface-routes {
rib-group inet rib-group-ipv4;
}
static {
route 0.0.0.0/0 {
next-hop 10.30.0.5;
preference 1;
}
route 10.20.0.0/16 {
qualified-next-hop 1.2.3.1 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.18/32 {
qualified-next-hop 10.30.10.12 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 10.30.10.13 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.1 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 3;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.19/32 {
qualified-next-hop 10.30.10.12 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 10.30.10.13 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.1 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 3;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.20/32 {
qualified-next-hop 10.30.10.12 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 10.30.10.13 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.1 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 3;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.21/32 {
qualified-next-hop 1.2.3.1 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.22/32 {
next-hop 1.2.3.2;
qualified-next-hop 1.2.3.1 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
preference 1;
}
route 1.2.3.23/32 {
qualified-next-hop 1.2.3.1 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.32/27 {
qualified-next-hop 1.2.3.1 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.96/27 {
qualified-next-hop 1.2.3.1 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.128/28 {
qualified-next-hop 1.2.3.5 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.6 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
route 1.2.3.144/28 {
qualified-next-hop 1.2.3.1 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
}
rib-groups {
rib-group-ipv4 {
import-rib [ rib-public-ip.inet.0 inet.0 ];
}
}
}
protocols {
pim {
interface all {
mode dense;
}
}
bfd {
traceoptions {
flag issu;
}
}
lldp {
interface all;
}
lldp-med {
interface all;
}
igmp-snooping {
vlan default;
}
layer2-control {
nonstop-bridging;
}
}
firewall {
family inet {
filter filter-public-ip {
term 0 {
from {
source-address {
1.2.3.0/24;
}
}
then {
count match_public;
routing-instance rib-public-ip;
}
}
term 1 {
then {
count match_default;
accept;
}
}
}
}
}
routing-instances {
rib-public-ip {
instance-type forwarding;
routing-options {
static {
route 0.0.0.0/0 {
qualified-next-hop 1.2.3.3 {
preference 1;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.1 {
preference 2;
bfd-liveness-detection {
minimum-interval 300;
}
}
qualified-next-hop 1.2.3.2 {
preference 3;
bfd-liveness-detection {
minimum-interval 300;
}
}
}
}
}
}
}
virtual-chassis {
preprovisioned;
no-split-detection;
member 0 {
role routing-engine;
serial-number <serial>;
}
member 1 {
role routing-engine;
serial-number <serial>;
}
}
vlans {
vlan_300 {
description Default;
vlan-id 300;
l3-interface irb.300;
}
vlan_301 {
description "DC2 Mgmt";
vlan-id 301;
l3-interface irb.301;
}
vlan_600 {
description Routing;
vlan-id 600;
l3-interface irb.600;
}
}